Russia encryption grab may require chat backdoors as standard

MOOTED LEGAL CHANGES in Russia may apply a boot to the face of open and private chat messaging services and create a very cold winter for communications.

Reports from the country said that plans to require backdoors in otherwise encrypted chat services are quite advanced and will launch with a mandatory status.

Russia is often accused of messing with internet liberties, but before we get on our high horse we should remember that this is exactly the kind of ambrosia that the UK and US would like to have with their anti-terror breakfast.

Local news site CurrentTime said that companies resisting the anti-terror laws could be fined, and names WhatsApp as the kind of service that would be involved.

The report explained that senator Elena Mizulina referred to a research group of some kind, and some ill repute, called the League of Safe Internet that had uncovered evidence of unwelcome underground operations including “a number of closed groups where teenagers [are] brainwashed to kill police officers”.

She added that perhaps it is time to start nipping such activity in the bud and that Russia could “maybe go back to the idea of pre-filtering [messages] as we cannot look at it in silence”.

CurrentTime has a clip of the legislation and it does seem as though Russia will ensure that the right level of deterrent is in place.

“Failure to comply with the organiser of the dissemination of information on the internet obligation to submit to the federal executive authority in the field of safety information required for decoding the received, sent, delivered or processed by electronic communications,” said the bill.

“It is proposed to punish by a fine of ₽3,000 to ₽5,000 [£32 to £52] for citizens, ₽30,000 to ₽50,000 [£316 to £528] for officials and ₽800,000 to ₽1m [£8,450 to £10,565] for legal entities.”

Apple to expand encryption on Macs

Apple is amping up its commitment to encryption.

The company is beginning the first major overhaul of the Mac filing system — the way it stores files on the hard drive — in more than 18 years. The move was quietly announced during a conference break out session after Apple’s blockbuster unveiling of its new operating system MacOS Sierra.

Amidst other new features, including the ability to place timestamps on files accurate to fractional seconds and a more efficient mechanism to clone files, the new Apple File System (APFS) updates file encryption.
The new system allows files to be encrypted with multiple keys, providing an extra layer of security against attackers or, to the FBI’s recent chagrin, law enforcement agencies.

The shift comes after Apple faced vocal criticism for its commitment to encrypted data after refusing to unlock an iPhone used by one of the shooters in the San Bernardino, Calif, terrorist attack.

Currently, on computers using OSX’s encryption, files are encrypted using the same key. The operating system unlocks the files on computers where a user has logged in. If an attacker compromises the key or attacks the computer when a user has logged in, the files are no longer encrypted.

On APFS, users will have the option to encrypt different segments of the file storage system with different keys. Access to one file wouldn’t mean access to all of them.

APFS will also encrypt the metadata contained in each file.

The new file system will be released in 2017, months after Sierra’s release.

Apple Echoes Commitment to Encryption after Orlando Shooting

Apple used the kickoff of its Worldwide Developers Conference Monday to reaffirm the company’s stance on encryption and data monetization, one day after the most deadly mass shooting in U.S. history threatened to rekindle the debate surrounding the use of the technology.

“In every feature that we do, we carefully consider how to protect your privacy,” Apple senior vice president of software engineering Craig Federighi told conference attendees in San Francisco Monday.

Federighi said that includes the Cupertino-based company’s commitment “to use end-to-end encryption by default,” and described a new policy at Apple known as “differential privacy,” which uses machine learning on crowdsourced data to learn how people use Apple products without tracing specific data back to individual users.

Federighi’s keynote came one day after 29-year-old Omar Mateen, who authorities later said pledged allegiance to ISIS during the attack, shot and killed 49 people at a gay nightclub in Orlando early Sunday.

The scenario echoes last year’s shooting in San Bernardino, where two attackers later found to have made a similar pledge to the Islamic extremist terror group were found in possession of an iPhone after a shootout with police that left both dead. The FBI asked Apple to bypass the device’s encryption as part of their investigation — a request Apple refused, prompting a court battle that ended prematurely after the FBI found a third-party to crack the phone’s encryption.

Investigators recovered a phone from Mateen after he died in Sunday’s attack, but have declined to identify its make. Regardless of whether the device is an Apple product, the shooting could easily become fodder for those in government pushing for a back door into encrypted communication platforms like Apple’s, especially given the increasing number and popularity of encryption applications like Telegram or the Facebook-owned WhatsApp.

“We are going through the killer’s life — especially his electronics — to understand as much as we can about his path and whether there was anyone else involved, either in directing him or in assisting him,” FBI Director James Comey said Monday.

The FBI director said investigators are confident Mateen was self-radicalized online.

Comey has repeatedly testified before Congress on the emerging issue of terrorists and criminals “going dark” online as a result of their use of communication platforms with end-to-end encryption, which in Apple’s case, not even the company itself can access without a user’s PIN.

The tug of war between privacy and security has spread from cases still pending in court against Apple and others to Congress, where lawmakers have offered several legislative proposals to discuss or even mandate law enforcement cooperation, all the way up to the 2016 presidential election, with Donald Trump calling for a “boycott” of Apple products.

Apple CEO Tim Cook opened the conference Monday by leading the crowd in a moment of silence for the victims of Sunday’s shooting.

“The Apple community is made up of people from all around the world, all different backgrounds, all different points of view,” said Cook, who came out as gay in 2014. “We celebrate our diversity.”

“We offer our deepest sympathies to everyone whose lives were touched by this violence,” he continued, “this senseless, unconscionable act of terrorism, of hate aimed at dividing and destroying.”

Cook wrote an open letter earlier this year in the wake of the San Bernardino debate pushing back against the FBI’s attempt to force the company into cooperating.

Amazon is going to remove encryption capabilities of its Kindle Fire, Rumours says Apple & FBI Case is reason – Lansing Technology Time

According to Amazon, removing Fire OS 5’s onboard encryption from Kindle Fire devices is not a new development, and it is not related to the iPhone fight.

Amazon said that the Fire OS 5 update removed local device encryption support for the Kindle Fire, Fire Phone, Amazon Fire HD and Amazon Fire TV Stick because the feature simply wasn’t being used.

Privacy advocates and some users criticized the move, which came to light on Thursday even as Apple Inc was waging an unprecedented legal battle over U.S. government demands that the iPhone maker help unlock an encrypted phone used by San Bernardino shooter Rizwan Farook.

On-device encryption scrambles data so that the device can only be accessed if the user enters the correct password. Cryptologist Bruce Schneier said Amazon’s move to remove the feature was “stupid” and called on the company to restore it.

Amazon’s move is a bad one. But it’s not a retreat in the face of Apple-FBI pressures

One of the features removed allowed owners to encrypt their device with a PIN which, if entered incorrectly 30 times in a row, deletes all the data stored on it. The feature is similar to the safety feature found on the iPhone at the center of the San Bernardino shooter trial, which erases all the device data if the passcode is entered incorrectly ten times.

Amazon joined other major technology companies in filing an amicus brief supporting Apple on Thursday, asking a federal judge to overturn a court order requiring Apple to create software tools to unlock Farook’s phone.

Amazon spokeswoman Robin Handaly said in an email that the company had removed the encryption feature for Kindle Fire tablets in the fall when it launched Fire OS 5, a new version of its tablet operating system.

“It was a feature few customers were actually using,” she said, adding that Kindle Fire tablets’ communication with the company’s cloud meets its “high standards for privacy and security including appropriate use of encryption.”

Encryption expert Dan Guido said that Amazon may have eliminated the feature to cut component costs for tablets that sell for as low as $50.

But digital privacy advocates and customers said those arguments were not good enough reasons for discontinuing the feature.

“Removing device encryption due to lack of customer use is an incredibly poor excuse for weakening the security of those customers that did use the feature,” said Jeremy Gillula, staff technologist with the Electronic Frontier Foundation.

“Given that the information stored on a tablet can be just as sensitive as that stored on a phone or on a computer, Amazon should instead be pushing to make device encryption the default – not removing it,” Gillula said.

David Scovetta, a security analyst who owns two Kindle e-readers as well as Amazon’s TV set-top box, said he is now wary of buying new gadgets from the company.

“Amazon could just as easily be encouraging its users to adopt it rather than remove it as a feature. That’s a massive step backwards,” he said.

Fire OS 5 is the first release to use the Android 5.0 “Lollipop” codebase, and as such it is possible that this removal is down to a technical issue (such as battery life or performance). Last year Google reported that it would allow hardware makers to decide whether or not to enable encryption-by-default because of performance issues on older devices.

People are talking about the lack of encryption today because the OS update is only now hitting older devices, like the fourth-generation Fire HD and Fire HDX 8.9. Despite how neatly the sudden forfeiture of encryption by a tech giant fits the Apple-FBI narrative, this encryption deprecation isn’t related to that battle. Instead, Amazon appears to have given up onboard encryption without any public fight at all.

UK’s lower house eases up on encryption

The United Kingdom’s House of Commons approved far-reaching authority for spy agencies to access cyber data Tuesday, but pulled back some restrictions on encryption opposed by Apple and Facebook.

The so-called “snooper’s charter,” officially the Investigatory Powers Act, codifies intelligence agencies’ use of metadata analysis and malware to hack computers that has been ongoing in the U.K. It requires communications companies to maintain records of customers’ web browsing for a full year to assist investigations.
But the final version eased up on restrictions on encryption. Early drafts of the law mandated encryption include backdoor access – an issue that recently sparked a battle between Apple and the FBI in the U.S. The version passed Tuesday requires only that companies help break encryption if it is reasonable in terms of cost and technology.

That would keep the kinds of encryption used on Apple phones and Facebook’s newly announced end-to-end encrypted messaging service off the table. When properly implemented, neither would be technologically possible to crack.

The changes to encryption were one of a few amendments meant to assuage concerns about the law’s effect on privacy. Civil liberties groups are still unhappy with the complete product, though interior minister Theresa May called the safeguards “world leading.”

The final vote on the IPA was 444-69. It now heads to the House of Lords for its approval.

Customer Headaches Could Curtail Apple’s Encryption Push

At an event held during Apple’s fight with the FBI over whether it should help unlock a dead terrorist’s iPhone, CEO Tim Cook promised “We will not shrink” from the responsibility of protecting customer data — including from government overreach.

Yet the obvious next step for the company could be hard to take without inconveniencing customers.

Apple is currently able to read the contents of data stored in its iCloud backup service, something at odds with Cook’s claims that he doesn’t want his company to be capable of accessing customer data such as mobile messages.

Apple has not denied reports it is working to change that. And the company is expected to make some mention of its security technology at its World Wide Developers Conference next week, as it did at its iPhone event in March.

But redesigning iCloud so that only a customer can unlock his data would increase the risk of people irrevocably losing access to precious photos and messages when they lose their passwords. Apple would not be able to reset a customer’s password for them.

“That’s a really tough call for a company that says its products ‘Just work,’” says Chris Soghoian, a principal technologist with the American Civil Liberties Union—referring to a favorite line of Apple’s founder, Steve Jobs.

Cook has boasted of how the encryption built into Apple’s iPhones and iMessage system keeps people safe by ensuring that only they can access their data. FBI director James Comey has complained about it.

But the design of iCloud means that Apple can read much of its customers’ data, and help the government do so, too. The service is enabled by default (although you can opt out), and automatically backs up messages, photos, and more to the company’s servers. There the data is protected by encryption, which Apple has the key to unlock. The company’s standoff with the FBI happened only because the backups Apple handed the agency from San Bernardino shooter Syed Farook’s iPhone ended six weeks before the shooting, because he had turned them off.

Apple could lock itself and law enforcement out of iCloud data by encrypting each person’s iCloud backups using a password under his control, perhaps the same one that locks his iPhone.

The company has not denied reports from the Financial Times and Wall Street Journal that it is working on such a design. Passwords and credit card details stored using an iCloud feature called Keychain are already protected in this way. But taking this approach would prevent Apple from being able to reset a person’s password if he forgets it. The data would be effectively gone forever.
It is probably impractical for Apple to roll out that approach for everyone’s data, as the company did for the security protections built into the iPhone, says Vic Hyder, chief strategy officer with Silent Circle, which offers secure messaging, calls, and data sharing for corporations.

“It puts control on the customer but also responsibility on the customer,” he says. “This will likely be an option, not the default.”

Soghoian of the ACLU agrees. “I think they will probably offer it as an option, but be reluctant to advertise that feature much,” he says. “More people forget their passwords than get investigated by the FBI.”

Bryan Ford, an associate professor at the Swiss Federal Institute of Technology in Lausanne, says Apple could take steps to reduce the risk of accidental data loss.

The company’s FileVault disk encryption feature for PCs offers the option to print out a recovery key. A similar process could be used for iCloud encryption, says Ford.

Apple could also implement other safeguards, he says. For example, people could have the option of distributing extra encryption keys or passwords to several “trustees,” who could help recover data if the original password was lost. To prevent abuse it could be required that a certain number of trustees, say, three of five, came forward to unlock the data.

The cryptography needed for such a design is well understood, says Ford. He recently designed a similar but more complex system intended to help companies such as Apple prevent their software updates from being abused (see “How Apple Could Fed-Proof Its Software Update System”).
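The "three of five trustees" recovery that Ford describes is a threshold scheme; the usual construction is Shamir secret sharing. The following is an added example written for this page, not Apple's or Ford's code: the 32-byte backup key, the five shares and the threshold of three are constructed sample values, and the SHA-256 fingerprint used to detect a bad reconstruction is an assumption that is only safe for high-entropy keys.

```python
"""Threshold ("trustee") recovery of a backup key with Shamir secret sharing.

Added example for the three-of-five trustee scheme described above; it is
not Apple's or Ford's code. The 32-byte backup key, the share count and
the threshold are constructed sample values.
"""
import hashlib
import secrets

# All arithmetic is done in GF(P). M521 = 2**521 - 1 is a Mersenne prime,
# comfortably larger than any 256-bit key we might share.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest-degree coefficient first) mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret: bytes, threshold: int, shares: int):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    Returns (share_list, fingerprint). The fingerprint is a SHA-256 digest of
    the secret so a reconstruction from wrong or too-few shares can be
    detected. Assumption: the secret is a random, high-entropy key, so
    publishing its hash does not enable a guessing attack.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret;
    # fewer than `threshold` points leave the constant term uniformly unknown.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    share_list = [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]
    return share_list, hashlib.sha256(secret).digest()


def recover_secret(shares, length: int, fingerprint: bytes) -> bytes:
    """Lagrange-interpolate f(0) from (x, y) points and verify the fingerprint.

    Raises ValueError if the points do not reconstruct the original secret,
    which is what happens with fewer than `threshold` trustees.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P          # product of (0 - xj)
                den = (den * (xi - xj)) % P      # product of (xi - xj)
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    if total >= 256 ** length:
        raise ValueError("shares do not reconstruct the secret")
    candidate = total.to_bytes(length, "big")
    if hashlib.sha256(candidate).digest() != fingerprint:
        raise ValueError("shares do not reconstruct the secret")
    return candidate


def demo() -> bool:
    """Walk through the three-of-five trustee scenario from the article."""
    backup_key = secrets.token_bytes(32)   # constructed: stands in for a backup key
    shares, fp = split_secret(backup_key, threshold=3, shares=5)
    # Any three trustees (here #1, #3 and #5) can restore the key ...
    assert recover_secret([shares[0], shares[2], shares[4]], 32, fp) == backup_key
    # ... but two trustees cannot, and the fingerprint check reports it.
    try:
        recover_secret(shares[:2], 32, fp)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("three-of-five recovery works:", demo())
```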

Alan Fairless, cofounder and CEO of SpiderOak, which offers companies fully encrypted data storage, says he thinks companies like Apple will eventually make truly secure cloud storage accessible to consumers.

Encrypted messaging was clunky and hard to use until recently, but is now widespread thanks to Apple and WhatsApp, he points out. Encrypting stored data is more challenging, but Apple has shown itself willing to spend significantly on encryption technology, for example by adding new chips to the iPhone, says Fairless.
However, he also thinks Apple and its customers aren’t yet ready for encrypted iCloud backups to be the default. “It’ll take consumer technology a while to catch up,” says Fairless.

HelpSystems Fills Encryption Gap With Linoma Buy

Despite all the IBM i security vendors that HelpSystems has bought over the years–and there have been at least five of them–the company has lacked one key security capability valued by enterprises: encryption. With last week’s deal to acquire Linoma Software, the Minneapolis software vendor has finally obtained that encryption capability for IBM i.

HelpSystems has been experiencing heavy demand for IBM i encryption capabilities, says CEO Chris Heim. “I wouldn’t say we lost sales because of it, but we definitely wanted to offer a full solution to our customers and that’s why we wanted to check that encryption box,” he tells IT Jungle.

Linoma’s Crypto Complete provides a full-featured encryption solution for IBM i customers. In addition to providing the core encryption capability (by automating the use of IBM’s field-level encryption APIs), it also includes key management and audit trail capabilities that auditors are increasingly expecting companies to have.

Bob Luebbe, who is Linoma’s president and chief architect–and formerly its co-owner along with his wife Christy–says interest in encryption among IBM i shops is on the upswing.

“Most companies have already taken care of credit card data under PCI,” he says. “But now personally identifiable information [PII], such as birthdays and Social Security numbers, is really popular to protect. That’s what we’re seeing the most demand for.”

While there have been no new major federal laws mandating protection of PII, several states have passed state privacy laws that address PII, while HIPAA continues to drive solutions for encrypting private health information (PHI). With the average cost of a data breach touching nearly $7 million, the cost of buying software and services to encrypt sensitive fields in a DB2 for i database doesn’t look nearly so bad.

“A lot of companies are being a lot more proactive than ever before,” Luebbe says. “It’s fairly inexpensive to implement encryption compared to getting a multi-million dollar price tag for remediation. Plus a lot of companies in the public eye want to maintain their customers’ trust, to ensure them that their data is being protected and secured.”

Getting the AES algorithms to encrypt and decrypt data in a DB2 for i database is one thing. You actually don’t need a third-party tool like Crypto Complete to do that, provided you’re comfortable working with IBM’s APIs (which can be complex). But increasingly, having encryption means more than that.

“Auditors are getting a lot smarter,” Luebbe says. “An auditor, when they came into your shop, they used to ask if you’re encrypting data, and you check that box. But now they’re getting more diligent. They want to know what kind of key management you have in place, who’s authorized to work with those keys, where’s the audit trail, and who’s actually authorized to decrypt that information. They’re really expanding their requirement and putting a lot more pressure on shops to move just beyond calling APIs to encrypt information.”

HelpSystems also had its eye on GoAnywhere, Linoma’s line of managed file transfer (MFT) solutions that help to control the flow of data among file systems and databases running on IBM i, Linux, Windows, and many other on-premise and cloud platforms.

The GoAnywhere suite has been Linoma’s biggest seller lately, and HelpSystems will eagerly begin offering what Heim considers to be best-of-breed.

“I would probably say the encryption piece fills a bigger hole for us in our IBM i security portfolio,” Heim says. “But on cross-platform, it’s MFT. That’s been a dynamite product for Bob. We did a survey of a lot of the products out there and we think it’s the best in the industry.”

There will be few changes for Linoma going forward. The company will continue to operate out of its headquarters in Ashland, Nebraska indefinitely. Linoma’s 2,000 or so customers will get technical support in the same manner. All 32 Linoma employees will be retained; in fact, the company is hiring.

Heim first contacted Luebbe about a possible deal about a year ago, and Luebbe says initially he wasn’t interested. But after several meetings with the Minnesota native, Luebbe eventually came to the conclusion that he could use Help’s help to take Linoma to the next level.

“As we were growing, we were starting to feel the pain in our development [and support structure]. It’s hard to maintain that growth without some help,” Luebbe says. “We were also worried about business continuation if something were to happen to me.”

A similarity between the two companies’ cultures helped seal the deal. “It just felt like a bigger version of Linoma,” Luebbe says. “I love their motto: ‘Happy employees equal happy customers.’ That really drove it home for me. They really treat their people well. They have great customer service.”

Luebbe also likes that he will have HelpSystems’ large Minneapolis team available for brainstorming. “We were like our own little island in the middle of Nebraska,” he says. “It’s great that now we’re going to have a lot of great ideas to bounce back and forth between our sales team and R&D and support team.”

And now that HelpSystems is handling some of the more mundane aspects of running a software business, Luebbe will be free to spend more time with the customers and products.
“I love to give demos and work with the technical team and help design the next releases of the product. Those are the things I love,” he says. “I don’t especially love working with lawyers and accountants and insurance people.”

Added Heim: “We’re taking over that for him.”

Symantec warns encryption and privacy are not the same

“Encryption and privacy is not the same thing,” said Nick Savvides, Symantec APAC cybersecurity strategy manager.

Encryption is a privacy “enhancing tool”, Savvides went on to explain, while privacy is more about handling what information is collected, how the collected information is handled, and what other data can be derived from it. The two are often confused because they are related: Encryption is used to maintain privacy.

Savvides said that unfortunately most websites do not use encryption, highlighting the company’s most recent Internet Security Threat Report, which revealed that 97 percent of active websites do not have any basic security and 75 percent have unpatched vulnerabilities, with 16 percent of those being critical.

Meanwhile, the remaining 3 percent of active websites with security are banks and corporate businesses, according to Savvides.

He said the IT security community often blames “lazy” users for the lack of encryption. However, he said the real hindrance is the complexity that is involved with encryption, and it’s often something that users expect to be provided with.

“They don’t do [encryption] because it’s hard; they only do it when they absolutely have to,” he said.

He pointed out that iMessage, Apple’s built-in instant messaging service, and more recently mobile messaging app WhatsApp, are two examples of where end-to-end encryption is provided, and not something that users have to actively go seek.

In turn, the security company has extended its partnership program, Encryption Everywhere, to Australia; it is already live in North America and Europe. The program falls under Symantec’s goal to achieve 100 percent encryption for all websites globally by 2018.

Under the Encryption Everywhere program, Symantec has initially partnered with WHMCS and cPanel to hand out domain-validated TLS/SSL certificates for free, before taking a multi-tier paid model approach.

“We’d like to see broader base encryption utilised across the world, across the internet. Whether it’s ours or somebody else’s, we’d like to see it adopted because it will make the internet a safer place, free from prying eyes,” Savvides said.

Survey findings from Norton by Symantec released on Tuesday indicated that online threats will not be slowing, particularly with the proliferation of the Internet of Things.

The survey showed that while almost two thirds of Australians use at least one mobile app to manage their finances or control other connected devices, 66 percent do not have security software on their smartphones, and 33 percent choose not to have a password or PIN on these devices.

Despite this, 61 percent of Australians admitted that they would be upset if their financial information was compromised.

According to Mark Gorrie, Norton by Symantec APAC director, as the smartphone becomes a central control hub and a “gateway” to other devices, the onus is on both the vendor and the user to ensure security is top of mind. Gorrie, however, pointed out that historically, vendors have always seen security as an afterthought, but indicated that it has improved more recently.

“Vendors should be taking [it] seriously because it is such a big issue. We see the threats just keep growing every year, and just won’t give up because it’s a profitable business for a lot of people. There is definitely a responsibility security should rank highly on the devices vendors are releasing, but equally people have to be proactive to help themselves,” he said.

OSGP custom RC4 encryption cracked yet again

The Open Smart Grid Protocol’s (OSGP) home-grown RC4 encryption has been cracked once again. The easy-to-break custom RC4 was cracked last year.

A year ago, the OSGP Alliance advised that better security would be implemented, but the RC4 still remains according to German researchers Linus Feiten and Matthias Sauer.

Feiten and Sauer claim to have the ability to extract the secret key used in the OSGP’s RC4 stream cipher. “Our new method comprises the modification of a known attack exploiting biases in the RC4 cipher stream output to effectively calculate the secret encryption key. Once this secret key is obtained, it can be used to decrypt all intercepted data sent in an OSGP smart grid,” Sauer and Feiten explained in their research.

Recovering the secret key can expose the energy consumption of an individual customer, and an attacker could also create messages reporting incorrect information to the grid operator.

Grid operators have been waiting on vendor support to protect their networks with the alliance’s OSGP-AES-128-PSK specification, released in July, as it was described as a “new work proposal for standardisation purposes”.

John McAfee claims to have hacked WhatsApp’s encrypted messages, but the real story could be different

Last month, WhatsApp enabled end-to-end encryption for its billion users to secure all the communications made between users — be it a group chat, voice calls, personal chats or the photos and videos that are being shared. While WhatsApp says it is difficult even for them to access the conversations, cybersecurity expert John McAfee and his team of four hackers claim to successfully read an encrypted WhatsApp message, Cybersecurity Ventures reports. While it sounds like a bold claim, the real story could be completely different.

John McAfee, the creator of one of the popular anti-virus programs, apparently tried to trick the media into believing that he hacked the encryption used by WhatsApp, Gizmodo reports. To convince the reporters that he could read the encrypted conversations, McAfee is said to have sent two phones preinstalled with malware containing a keylogger.

According to Dan Guido, a cybersecurity expert who was contacted to verify the claim, McAfee sent two Samsung phones in sealed boxes to the reporter. The experts then took the phones out and exchanged a text on WhatsApp, which McAfee was able to read over a Skype call. Citing sources, the publication also reports that McAfee offered his story to a couple of big publications as well, which includes Russia Today and the International Business Times.

“John McAfee was offering to a different couple of news organizations to mail them some phones, have people show up, and then demonstrate with those two phones that [McAfee] in a remote location would be able to read the message as it was sent across the phones. I advised the reporter to go out and buy their own phones, because even though they come in a box it’s very easy to get some saran wrap and a hair dryer to rebox them,” Guido told the publication.

McAfee has a long history of being shifty, especially when it comes to his alleged cybersecurity exploits. For instance, earlier this year in March, he claimed to hack into San Bernardino terrorist Syed Farook’s phone, but he never managed to prove his claims right. Later on, McAfee admitted that he lied to get the public attention.

This time too McAfee seems to have lied to get reporters to buy his story, but when reporters asked to verify the claim, he changed the story. Moxie Marlinspike, who developed and implemented the encryption tool in WhatsApp, told the publication about McAfee admitting his plan.

“I talked to McAfee on the phone, he reluctantly told me that it was a malware thing with pre-cooked phones, and all the outlets he’d contacted decided not to cover it after he gave them details about how it’d work,” he said.

With McAfee’s claims turning out to be false, WhatsApp’s statement that it does not have the ‘key’ to decrypt communications sounds good so far. However, if someday someone manages to hack into the conversations, it could turn into havoc. While it would give the ability to monitor the conversations between terrorists, it could also breach the privacy of the users.