Encryption


'Encryption' Articles

Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past. The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 am Pacific) promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes. There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4— Sebastian Schinzel (@seecurity) May 14, 2018 Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted

Anti-Surveillance Coalition That Includes Apple Condemns Proposals for Device Backdoors

The Reform Government Surveillance coalition, which includes several major tech companies who have teamed up to lobby for surveillance law reform, this week released a statement condemning recent proposals for backdoor access into electronic devices and reaffirming a commitment to strong encryption. The coalition is made up of multiple tech companies who have taken a strong stance against weakening encryption, including Apple, Google, Microsoft, Dropbox, Snap, Evernote, LinkedIn, Oath (owned by Verizon) and Facebook.Reform Government Surveillance recently announced a new core principle on encryption that will guide our advocacy efforts, and we continue to believe that strong encryption helps protect the security and privacy of individuals and companies around the world. We have consistently raised concerns about proposals that would undermine encryption of devices and services by requiring so-called "exceptional access" for law enforcement. Recent reports have described new proposals to engineer vulnerabilities into devices and services - but they appear to suffer from the same technical and design concerns that security researchers have identified for years. Weakening the security and privacy that encryption helps provide is not the answer.As ZDNet points out, the statement comes following a WIRED article profiling Microsoft chief technical Ray Ozzie and his suggestion for a solution called "Clear" that would supposedly provide law enforcement with access to encrypted data with less security risk. Ozzie's proposal uses a public key and a private key (housed and

Russia Bans Access to Telegram Encrypted Messenger Service [Updated]

A Russian law court has ordered that access to the Telegram encrypted messaging service should be blocked, according to Russian news agencies on Friday (via Reuters). The development follows last week's news that Russia's media regulator had filed legal proceedings to block the app in the country because the company refused to enable state security services to access users' messages. The Telegram platform allows people to communicate with each other using end-to-end encryption, meaning no-one – not even Telegram – has access to messages sent between users. The app has over 200 million users globally. They include Kremlin staff, who use Telegram to coordinate conference calls with Vladimir Putin's spokesman. Many government officials also use the messenger app to communicate with media, according to Reuters. When Reuters asked a person in the Russian government on how they would operate without access to Telegram, the person, who asked not be identified due to the sensitivity of the issue, replied by sending a screenshot of his mobile phone with an open VPN app.Telegram becomes the second global network after LinkedIn to be blocked in Russia. In 2016, a court found LinkedIn guilty of violating a law that requires companies holding Russian citizens' data to store it on servers within Russia. Update 04/17: The Russian government has formally requested that Apple remove Telegram from its regional App Store in the country, reports Reuters. Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics,

Russia Moves to Ban Telegram Encrypted Messaging Platform

Russia appears to be following through on its threat last year to block access to the Telegram encrypted messaging platform. The BBC reports today that the Roskomnadzor media regulator has begun legal proceedings to block the app in the country, after Dubai-based Telegram refused to comply with requests that it hand over the encryption keys. Telegram was given a deadline of 4 April to hand over the keys, but the company has refused, explaining that the way the service is built means it has no access to them. Russia's main security agency, the FSB, wants the keys so it can read messages and prevent future terror attacks in the country. In its court filing, Roskomnadzor said the legal action was related to the FSB request and Telegram's non-compliance with its legal requirements as a "distributor of information".Telegram's lawyer, Pavel Chikov, called the Russian attempt to block the app "groundless" and said the FSB's demand to access users' chat logs was "unconstitutional, baseless, which cannot be fulfilled technically and legally". Telegram had a legal challenge to the demand dismissed in a Moscow court in March, but the platform creator Pavel Durov has said Telegram, which is widely used in Russia, will not "give up" the private data of its users. Threats to block Telegram unless it gives up private data of its users won't bear fruit. Telegram will stand for freedom and privacy.— Pavel Durov (@durov) 20 March 2018 Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion,

FBI Forensic Examiner Stephen Flatley Calls Apple 'Jerks' and 'Evil Geniuses' for Encrypting iPhones

Senior FBI forensic examiner Stephen R. Flatley spoke at the International Conference on Cyber Security yesterday, and during the talk he discussed Apple and the FBI's differing opinions on the topic of smartphone encryption. According to Motherboard, Flatley described the company as "jerks" and "evil geniuses" for creating iOS device encryption that is so powerful as to prevent Apple itself from entering users' iPhones. Flatley said that recent updates to Apple device encryption have made password guesses slower, by increasing hash iterations from 10 thousand to 10 million, "making his and his colleagues' investigative work harder." This extended brute force crack time from a few days to two months, leading to Flatley stating that Apple is "pretty good at evil genius stuff." No detailed context was given regarding his "jerks" comment. Image of Stephen Flatley taken by Lorenzo Franceschi-Bicchierai via Motherboard That means, he explained, that “password attempts speed went from 45 passwords a second to one every 18 seconds,” referring to the difficulty of cracking a password using a “brute force” method in which every possible permutation is tried. There are tools that can input thousands of passwords in a very short period of time—if the attempts per minute are limited, it becomes much harder and slower to crack. "Your crack time just went from two days to two months," Flatley said. “At what point is it just trying to one up things and at what point is it to thwart law enforcement?" he added. "Apple is pretty good at evil genius stuff." Flatley's comments come

'ProtonMail Bridge' Brings Encryption to Outlook, Thunderbird, and Apple Mail

Swiss-based encrypted email provider ProtonMail today announced Bridge, an app for premium account holders that aims to bring easy-to-use email encryption to desktop email clients like Outlook, Thunderbird, and Apple Mail. One of our goals has always been to bring easy-to-use encrypted email to desktop. The problem is formidable. Desktop systems encompass multiple operating systems with dozens of popular email clients with their own adherents, and virtually none of them natively speak PGP, the email encryption standard upon which ProtonMail is built. Around two years ago, we created a small task force to tackle this challenge. Today, we are finally ready to present ProtonMail Bridge.Basically, the downloadable Bridge app enables ProtonMail users to access their encrypted email accounts using their favorite email client, without compromising on the security provided by the end-to-end encrypted service, and without needing to modify their email application. At the same time, local copies of the emails are stored on the user's computer, allowing them to use the search features of their email client as normal. To achieve this, the Bridge app functions like a local IMAP/SMTP email server capable of communicating with the remote ProtonMail server to encrypt and decrypt incoming/outgoing messages locally. In this way, it translates end-to-end encrypted email data into a language that any email client can understand, thus "bridging" the gap between ProtonMail's end-to-end encryption and a user's standard email client. The Bridge app aims to fit right into email clients

Signal Encrypted Messenger 2.19 Update Finally Available Following App Store Hiccup

Encrypted messaging app Signal pushed out its v2.19 update late on Friday after a post-release 48-hour delay, owing to an App Store issue that Apple has now resolved. The update includes a number of new features and improvements, including full UI display support for iPhone X. After the update is applied, users will no longer see the "Load Earlier Messages" link within chat threads, because additional messages now appear automatically upon scrolling to the top of a conversation. In other improvements, a new simplified interface has been introduced to the Signal mobile app that aims to make sending photos, files, and GIFs easier and quicker. For example, attachment previews are now displayed directly in the message bar instead of on a separate confirmation screen. Adopting a design concept popularized by Facebook Messenger known as "Jumbomoji", emoji characters are now also visibly larger in Signal chat bubbles that don't contain any other text. Elsewhere, messages that fail to send have been made easier to spot and re-send, while a new "Tap for More" option should make navigating extremely long messages a more pleasant experience. The list of supported languages has also been expanded to include Burmese, Hebrew, and Persian, while users with an external keyboard linked to their device can now make use of new key combination shortcuts for sending messages (Shift + Enter, and Command + Enter). Apart from the above changes, Open Whisper Systems has revamped the layout code to improve performance and flexibility, so everything should feel smoother and more

Keybase Launches Teams, a Free End-to-End Encrypted Alternative to Slack

Encryption messaging company Keybase launched a Slack-like open source team communications tool on Monday for macOS and iOS platforms. Called Keybase Teams, the fully encrypted platform supports groups as large as 500 people, with free access to a team's message history. Keybase is a new and free security app for mobile phones and computers. For the geeks among us: it's open source and powered by public-key cryptography. Keybase is for anyone. Imagine a Slack for the whole world, except end-to-end encrypted across all your devices. Or a Team Dropbox where the server can't leak your files or be hacked.Like Slack, once users have created a team in Keybase they can begin generating chats and channels. It's also possible to share encrypted files with team members.  Unlike Slack accounts however, users don't have to switch at the top level of the app. Teams can be casual and small, allowing them to blend into the user's inbox, while teams with multiple chat channels are grouped under "Big teams". Keybase Teams is a free download for Mac from the Keybase website, while the Keybase chat app is available for iPhone and iPad on the App Store. [Direct Link

'Real People' Don't Need Encrypted Messaging Services, Claims U.K. Home Secretary

The U.K. home secretary Amber Rudd has argued that "real people" do not want secure end-to-end encryption on messaging platforms and are more concerned with usability and features than unbreakable security (via Yahoo News). Rudd made her case in a newspaper article, published ahead of a meeting today with technology companies in San Francisco, where she will warn tech giants that their services are being misused by terrorists. Writing in The Daily Telegraph, Rudd said: "Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? "So this is not about asking the companies to break encryption or create so-called 'back doors'. "Companies are constantly making trade-offs between security and 'usability', and it is here where our experts believe opportunities may lie. "Real people often prefer ease of use and a multitude of features to perfect, unbreakable security."Rudd's comments were immediately criticized by privacy campaigners, with civil liberties organization Big Brother Watch calling her viewpoint "at best naïve, at worst dangerous". "Suggesting that people don't really want security from their online services is frankly insulting," said Renate Samson, chief executive of BBW. "What of those in society who are in dangerous or vulnerable situations, let alone those of us who simply want to protect our communications from breach, hack or cybercrime." "Once again the government are attempting to undermine the security of all in response to the

Changes to iCloud Put Apple on Collision Course With Governments Seeking Access to Encrypted Messages

Apple has sent its top privacy executives to Australia twice in the past month to lobby government officials over proposed new laws that would require companies to provide access to encrypted messages. According to the Sydney Morning Herald, Apple privacy advocates met with attorney general George Brandis and senior staff in Prime Minister Malcolm Turnbull's office on Tuesday to discuss their concerns about the legal changes, which could compel tech companies to provide decryption keys to allow access to secure communications such as that provided by WhatsApp and iMessage. Apple has consistently argued against laws that would require tech companies to build so-called "back doors" into their software, claiming that such a move would weaken security for everyone and simply make terrorists and criminals turn to open-source encryption methods for their digital communications. While Apple's position is clear, the Turnbull government has yet to clarify exactly what it expects tech companies to give up as part of the proposals. A source familiar with the discussions said that the government explicitly said it did not want a back door into people's phones, nor to weaken encryption. However, given that encrypted services like WhatsApp and iMessage do not possess private keys that would enable them to decrypt messages, a back door would seem the only alternative. "If the government laid a subpoena to get iMessages, we can't provide it," CEO Tim Cook said in 2014. "It's encrypted and we don't have a key." As it happens, Cook's comment only applies to iMessages that

Encrypted Chat App Telegram to Remove Terrorist Content Following Ban Threat in Indonesia

Telegram is to form a team of moderators to remove terrorist-related content from the encrypted messaging platform in Indonesia, after the country's government threatened to ban the app. Indonesia's Ministry of Communications and Information Technology has already blocked access to the web version of the chat platform, citing concerns that it was being used to spread "radical and terrorist propaganda" in the country, according to Reuters. "This has to be done because there are many channels on this service that are full of radical and terrorist propaganda, hatred, ways to make bombs, how to carry out attacks, disturbing images, which are all in conflict with Indonesian law," the communications ministry said in a statement on its website.Telegram co-founder Pavel Durov said on Sunday that the service had blocked channels reported by the government and that it would take further action to remove the illegal content. "We are forming a dedicated team of moderators with knowledge of Indonesian culture and language to be able to process reports of terrorist-related content more quickly and accurately," Durov said in a Telegram post quoted by Associated Press.Telegram has been criticized by governments before for its use by terrorist groups to spread propaganda and recruit members. Last month Telegram agreed to provide basic information about the company to Russia after authorities threatened to block access to the service. Despite pressure from governments, Telegram's founders have refused to bow to demands for backdoors into the platform for authorities to access

Australia Proposes Law That Would Compel Tech Companies to Decrypt Messages

Australia on Friday proposed new laws that would require companies like Apple to provide law enforcement authorities with access to encrypted communications (via Reuters). Australia's proposed legislation will compel companies to help security agencies intercept and read messages sent by suspects. It appears to take cues from the U.K.'s Investigatory Powers Bill, which includes provisions that require technology companies to bypass encryption where technically feasible. "We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Australian Prim Minister Malcolm Turnbull told reporters in Sydney. "The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm."The proposal will be introduced when parliament resumes in August and could be adopted within months, according to lawmakers. Other nations have said they will introduce similar laws. Apple, along with Facebook, Google, and other major tech companies, have historically opposed such law changes, which they say threaten online security protocols. For example, Apple claimed the U.K.'s recent bill would "weaken security" for millions of law-abiding customers. "The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," Apple stated in December 2015. "A key left under the doormat would not just be there for the good guys. The bad guys

Australia to Push for Greater Powers on Encrypted Messaging at 'Five Eyes' Meeting

Australia is set to push for greater international powers to thwart the use of encrypted messaging services by terrorists and criminals, according to reports on Sunday (via Reuters). The topic will be addressed this week at a meeting of officials from the "Five Eyes" intelligence sharing network, which includes the U.S., the U.K, Canada, Australia, and New Zealand. Australia claimed the increasing use of strong encryption on smartphones and other devices was hindering law enforcement's capacity to gather and act on intelligence, and said it wants tech companies to do much more to give intelligence and law enforcement agencies access to encrypted communications. Security experts and privacy groups regularly argue that any such methods would simply weaken overall security for everyone. "I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption," Australian Attorney General Senator Brandis said in a joint statement. "These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies."The announcement followed the U.K. government's recent statement of intent to pressure technology companies to do more to put an end to the "safe spaces" that the internet offers extremists. The country has also called for measures to "regulate cyberspace", following terror attacks in the country. In related news, a leaked draft technical paper prepared by the U.K. government states that technology companies would be required to remove

Russia Threatens to Ban Encrypted Messaging App Telegram

Russia has threatened to block access to the Telegram messaging platform unless the company that runs the app provides more information about itself (via Sky News). The head of communications regulator Roskomnadzor, Alexander Zharov, said repeated efforts to obtain the information had been ignored by the company and warned that "time is running out" for the app. "There is one demand and it is simple: to fill in a form with information on the company that controls Telegram," Zharov said in an open letter. "And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information."Telegram's non-response appears to be down to the repercussions of handing over the requested details: Doing so would effectively add it to the state regulators' registry, which would require it to retain users' chat histories and encryption keys and share them with authorities if asked, according to Russian news agency TASS. The demand isn't the first time the Russian founders of Telegram – Kremlin, Nikolai and Pavel Durov – have failed to comply with state requests. In 2014, the Durovs refused to turn over data on Ukranian users of Vkontakte, a social network they also set up together. Telegram claims to split its encryption keys into separate data centers around the world to ensure "no single government or block of like-minded countries can intrude on people's privacy and freedom of expression". According to the group's policy, it can

Swiss Encrypted Email Provider Launches ProtonVPN With Free Subscription Tier

Encrypted email provider ProtonMail today launched its own VPN service called ProtonVPN, which includes a free user tier in its pricing plan. The Swiss-based company said it had been testing its VPN service for four months with the help of over 10,000 members of the ProtonMail community, and the group was ready to make ProtonVPN available to everyone starting Tuesday. The Proton group said they were motivated to create ProtonVPN to combat increased threats to online freedom, such as the recent repeal of Obama-era rules designed to protect consumer internet browsing history, calls by British Prime Minister Theresa May for increased online surveillance, and the attempts by the U.S. FCC to dismantle net neutrality. "In the past year, we have seen more and more challenges against Internet freedom," said ProtonMail Co-Founder Dr. Andy Yen, "now more than ever, we need robust tools for defending privacy, security, and freedom online. "The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them," said Yen. "This is why, as with ProtonMail, we're committed to making a free version of ProtonVPN available to the world."The group says it has worked to make the best possible VPN service by addressing many of the common pitfalls with existing VPNs. Features therefore include a Secure Core architecture that routes traffic through multiple encrypted tunnels in multiple countries to better defend against network based attacks, a no logs policy backed by

Encrypted Messaging App 'Signal' Approved for Use by U.S. Senate

The U.S. Senate has approved popular encrypted messaging app Signal for official use by staffers in the chamber, it was revealed yesterday (via ZDNet). The news came in a letter sent on Tuesday by Senator Ron Wyden (D-OR), known to be a staunch privacy advocate, in which he underlined his belief that "backdoor-free" encryption should be embraced by the state at all levels rather than something the government should fear. I have long argued that strong, backdoor-free encryption is an important cybersecurity technology that the government should be embracing, not seeking to regulate or outlaw. My own Senate website, which has used HTTPS by default since 2015, was the first Senate website to do so. With the transition to default HTTPS for all of the other Senate websites and the recent announcement by your office that the end-to-end encrypted messaging app Signal is approved for Senate staff use, I am happy to see that you too recognize the important defensive cybersecurity role that encryption can play.Signal by Open Whisper Systems is widely considered by security experts to be the most secure mobile messaging platform on iOS and Android, due to features like end-to-end encryption of text, picture, and video messages, support for private calling, and a lack of separate logins. Members of Congress are for the most part exempt from record-keeping laws, so long as encrypted communications are not "historically valuable", or do not include committee documents. However, workers of the federal government and those who work directly with the president are governed by

ProtonMail Launches Tor Onion Site to Evade State Censorship

Encrypted email provider ProtonMail has launched its own onion address, allowing users to access the service over the Tor anonymizing network (via TechCrunch). The Swiss-based email account provider, which has more than 2 million users, said the measure was aimed at defending against state-sponsored censorship, and pointed to recent moves around the world to block encrypted communications and expand surveillance. ProtonMail said it was worried about increased attacks on online privacy, such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation which mandates tracking of web activity. The service also reported a bump in registrations following President-Elect Donald Trump's election win, with web users said to be seeking a non-U.S. based secure email provider in case of a broad expansion of online surveillance activity. "Given ProtonMail's recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this," said co-founder Andy Yen in a statement on the launch. "Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step."ProtonMail can now be reached over the Tor network directly using the onion address https://protonirockerxow.onion. The provider has also posted instructions on how to access the site on iOS devices, although it is currently looking into problems with access via the free Onion Browser app. ProtonMail is a free download for iPad and iPhone on the App

Leaked Documents Reveal What Kind of Data Cellebrite Can Extract From iPhones

Israeli mobile software developer Cellebrite gained media attention earlier this year when rumors suggested the FBI recruited the company to unlock San Bernardino shooter Syed Farook's iPhone. While the FBI did not enlist Cellebrite's help, the company does have technology licensed by governments that can extract iPhone data. ZDNet has obtained documents that reveal the scope of this technology. The leaked files are "extraction reports," which are organized to allow investigators to easily see and analyze data from a phone. Extraction is conducted by plugging the phone into a Cellebrite UFED device. While the device is primarily for extracting information currently on the phone it can, in some cases, extract recently deleted items. The phone at the heart of ZDNet's extraction report was an non-passcode protected iPhone 5 running iOS 8. The first couple pages of the report include case numbers and unique identifying information for the device, including phone number, IMEI numbers and Apple ID. In these first pages, the report also divulges which plugins the software used to extract information from the device. These plugins can help the software extract data from QuickTime and iPhone backups. The report compiles geolocation data from every photo taken on the device and visualizes it on a map, allowing an investigator to easily see when and where a person was. Text messages are organized in chronological order, which makes it easier for investigators to track conversations. The wireless networks a device has connected to are also logged, including the MAC

Facebook Completes Rollout of Messenger App End-to-End Encryption

Facebook has announced that the rollout of cryptographic features for its massively popular Messenger chat service has completed, bringing end-to-end encryption to the largest messaging network in existence. Back in July, the social network company said it was testing the privacy feature on a limited basis which would eventually be rolled out to all 900 million users of the app. On Tuesday, Facebook told Wired that rollout had finished. Messenger now implements the same highly regarded cryptographic Signal Protocol that the company's WhatsApp platform uses to encrypt messages, but the Messenger app needs to be updated and the feature turned on for it to work. A new "Secret Conversations" option can now be found at the top-right of the app's New Message screen, provided that users have enabled the option from the Me profile settings screen. The encryption protocol covers one-to-one text chats and stickers used within threads, but does not currently support the use of videos and GIFs. Messenger users who update the app will also get to use a new Snapchat-style option that erases messages after a specified duration. Messenger is free on the App Store [Direct Link] for iPhone, iPad, and Apple Watch.

Tim Cook Tells Utah Tech Audience: Encryption 'Makes the Public Safe'

Apple CEO Tim Cook drew cheers from a Salt Lake City audience on Friday as he reiterated the company's unwavering commitment to encryption and privacy protections for its customers, according to local media reports. The comments were made during a Q&A session at the yearly meeting of the Utah Technology Council (UTC), a trade and advocacy group representing more than 5,000 technology and life-sciences companies across the U.S. state. The 55-year-old CEO was invited along with Utah senator Orrin Hatch to take the stage at the Grand America Hotel and field questions from a public audience. Tim Cook in Q&A with senator Orrin Hatch Calling encryption "one of the biggest issues we face," the CEO noted that most iPhone users have more personal data on their phones than in their homes. "Encryption is one of the things that makes the public safe," he said. "We feel we have a responsibility to protect our customers." "We believe the only way to protect both your privacy and safety from a cyberattack is to encrypt," Cook told about 1,400 industry executives, tech workers and Apple fans. "We throw all of ourselves into this and are very much standing on principle in this."Cook was responding to questions regarding the lingering impact of Apple's dispute with the FBI over the agency's demand that it build a "back door" into its software, following the use of a locked iPhone by the primary suspect in the San Bernardino mass shooting last December. Apple refused to comply with the request from the federal agency, which dropped its pursuit of the company when investigators