Encryption


'Encryption' Articles

FBI Forensic Examiner Stephen Flatley Calls Apple 'Jerks' and 'Evil Geniuses' for Encrypting iPhones

Senior FBI forensic examiner Stephen R. Flatley spoke at the International Conference on Cyber Security yesterday, and during the talk he discussed Apple and the FBI's differing opinions on the topic of smartphone encryption. According to Motherboard, Flatley described the company as "jerks" and "evil geniuses" for creating iOS device encryption that is so powerful as to prevent Apple itself from entering users' iPhones. Flatley said that recent updates to Apple device encryption have made password guesses slower, by increasing hash iterations from 10 thousand to 10 million, "making his and his colleagues' investigative work harder." This extended brute force crack time from a few days to two months, leading to Flatley stating that Apple is "pretty good at evil genius stuff." No detailed context was given regarding his "jerks" comment. [Image: Stephen Flatley, photo by Lorenzo Franceschi-Bicchierai via Motherboard] That means, he explained, that “password attempts speed went from 45 passwords a second to one every 18 seconds,” referring to the difficulty of cracking a password using a “brute force” method in which every possible permutation is tried. There are tools that can input thousands of passwords in a very short period of time—if the attempts per minute are limited, it becomes much harder and slower to crack. "Your crack time just went from two days to two months," Flatley said. “At what point is it just trying to one up things and at what point is it to thwart law enforcement?" he added. "Apple is pretty good at evil genius stuff." Flatley's comments come

'ProtonMail Bridge' Brings Encryption to Outlook, Thunderbird, and Apple Mail

Swiss-based encrypted email provider ProtonMail today announced Bridge, an app for premium account holders that aims to bring easy-to-use email encryption to desktop email clients like Outlook, Thunderbird, and Apple Mail. "One of our goals has always been to bring easy-to-use encrypted email to desktop. The problem is formidable. Desktop systems encompass multiple operating systems with dozens of popular email clients with their own adherents, and virtually none of them natively speak PGP, the email encryption standard upon which ProtonMail is built. Around two years ago, we created a small task force to tackle this challenge. Today, we are finally ready to present ProtonMail Bridge." Basically, the downloadable Bridge app enables ProtonMail users to access their encrypted email accounts using their favorite email client, without compromising on the security provided by the end-to-end encrypted service, and without needing to modify their email application. At the same time, local copies of the emails are stored on the user's computer, allowing them to use the search features of their email client as normal. To achieve this, the Bridge app functions like a local IMAP/SMTP email server capable of communicating with the remote ProtonMail server to encrypt and decrypt incoming/outgoing messages locally. In this way, it translates end-to-end encrypted email data into a language that any email client can understand, thus "bridging" the gap between ProtonMail's end-to-end encryption and a user's standard email client. The Bridge app aims to fit right into email clients

Signal Encrypted Messenger 2.19 Update Finally Available Following App Store Hiccup

Encrypted messaging app Signal pushed out its v2.19 update late on Friday after a post-release 48-hour delay, owing to an App Store issue that Apple has now resolved. The update includes a number of new features and improvements, including full UI display support for iPhone X. After the update is applied, users will no longer see the "Load Earlier Messages" link within chat threads, because additional messages now appear automatically upon scrolling to the top of a conversation. In other improvements, a new simplified interface has been introduced to the Signal mobile app that aims to make sending photos, files, and GIFs easier and quicker. For example, attachment previews are now displayed directly in the message bar instead of on a separate confirmation screen. Adopting a design concept popularized by Facebook Messenger known as "Jumbomoji", emoji characters are now also visibly larger in Signal chat bubbles that don't contain any other text. Elsewhere, messages that fail to send have been made easier to spot and re-send, while a new "Tap for More" option should make navigating extremely long messages a more pleasant experience. The list of supported languages has also been expanded to include Burmese, Hebrew, and Persian, while users with an external keyboard linked to their device can now make use of new key combination shortcuts for sending messages (Shift + Enter, and Command + Enter). Apart from the above changes, Open Whisper Systems has revamped the layout code to improve performance and flexibility, so everything should feel smoother and more

Keybase Launches Teams, a Free End-to-End Encrypted Alternative to Slack

Encryption messaging company Keybase launched a Slack-like open source team communications tool on Monday for macOS and iOS platforms. Called Keybase Teams, the fully encrypted platform supports groups as large as 500 people, with free access to a team's message history. "Keybase is a new and free security app for mobile phones and computers. For the geeks among us: it's open source and powered by public-key cryptography. Keybase is for anyone. Imagine a Slack for the whole world, except end-to-end encrypted across all your devices. Or a Team Dropbox where the server can't leak your files or be hacked." Like Slack, once users have created a team in Keybase they can begin generating chats and channels. It's also possible to share encrypted files with team members. Unlike Slack accounts however, users don't have to switch at the top level of the app. Teams can be casual and small, allowing them to blend into the user's inbox, while teams with multiple chat channels are grouped under "Big teams". Keybase Teams is a free download for Mac from the Keybase website, while the Keybase chat app is available for iPhone and iPad on the App Store.

'Real People' Don't Need Encrypted Messaging Services, Claims U.K. Home Secretary

The U.K. home secretary Amber Rudd has argued that "real people" do not want secure end-to-end encryption on messaging platforms and are more concerned with usability and features than unbreakable security (via Yahoo News). Rudd made her case in a newspaper article, published ahead of a meeting today with technology companies in San Francisco, where she will warn tech giants that their services are being misused by terrorists. Writing in The Daily Telegraph, Rudd said: "Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? "So this is not about asking the companies to break encryption or create so-called 'back doors'. "Companies are constantly making trade-offs between security and 'usability', and it is here where our experts believe opportunities may lie. "Real people often prefer ease of use and a multitude of features to perfect, unbreakable security." Rudd's comments were immediately criticized by privacy campaigners, with civil liberties organization Big Brother Watch calling her viewpoint "at best naïve, at worst dangerous". "Suggesting that people don't really want security from their online services is frankly insulting," said Renate Samson, chief executive of BBW. "What of those in society who are in dangerous or vulnerable situations, let alone those of us who simply want to protect our communications from breach, hack or cybercrime." "Once again the government are attempting to undermine the security of all in response to the

Changes to iCloud Put Apple on Collision Course With Governments Seeking Access to Encrypted Messages

Apple has sent its top privacy executives to Australia twice in the past month to lobby government officials over proposed new laws that would require companies to provide access to encrypted messages. According to the Sydney Morning Herald, Apple privacy advocates met with attorney general George Brandis and senior staff in Prime Minister Malcolm Turnbull's office on Tuesday to discuss their concerns about the legal changes, which could compel tech companies to provide decryption keys to allow access to secure communications such as that provided by WhatsApp and iMessage. Apple has consistently argued against laws that would require tech companies to build so-called "back doors" into their software, claiming that such a move would weaken security for everyone and simply make terrorists and criminals turn to open-source encryption methods for their digital communications. While Apple's position is clear, the Turnbull government has yet to clarify exactly what it expects tech companies to give up as part of the proposals. A source familiar with the discussions said that the government explicitly said it did not want a back door into people's phones, nor to weaken encryption. However, given that encrypted services like WhatsApp and iMessage do not possess private keys that would enable them to decrypt messages, a back door would seem the only alternative. "If the government laid a subpoena to get iMessages, we can't provide it," CEO Tim Cook said in 2014. "It's encrypted and we don't have a key." As it happens, Cook's comment only applies to iMessages that

Encrypted Chat App Telegram to Remove Terrorist Content Following Ban Threat in Indonesia

Telegram is to form a team of moderators to remove terrorist-related content from the encrypted messaging platform in Indonesia, after the country's government threatened to ban the app. Indonesia's Ministry of Communications and Information Technology has already blocked access to the web version of the chat platform, citing concerns that it was being used to spread "radical and terrorist propaganda" in the country, according to Reuters. "This has to be done because there are many channels on this service that are full of radical and terrorist propaganda, hatred, ways to make bombs, how to carry out attacks, disturbing images, which are all in conflict with Indonesian law," the communications ministry said in a statement on its website. Telegram co-founder Pavel Durov said on Sunday that the service had blocked channels reported by the government and that it would take further action to remove the illegal content. "We are forming a dedicated team of moderators with knowledge of Indonesian culture and language to be able to process reports of terrorist-related content more quickly and accurately," Durov said in a Telegram post quoted by Associated Press. Telegram has been criticized by governments before for its use by terrorist groups to spread propaganda and recruit members. Last month Telegram agreed to provide basic information about the company to Russia after authorities threatened to block access to the service. Despite pressure from governments, Telegram's founders have refused to bow to demands for backdoors into the platform for authorities to access

Australia Proposes Law That Would Compel Tech Companies to Decrypt Messages

Australia on Friday proposed new laws that would require companies like Apple to provide law enforcement authorities with access to encrypted communications (via Reuters). Australia's proposed legislation will compel companies to help security agencies intercept and read messages sent by suspects. It appears to take cues from the U.K.'s Investigatory Powers Bill, which includes provisions that require technology companies to bypass encryption where technically feasible. "We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Australian Prime Minister Malcolm Turnbull told reporters in Sydney. "The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm." The proposal will be introduced when parliament resumes in August and could be adopted within months, according to lawmakers. Other nations have said they will introduce similar laws. Apple, along with Facebook, Google, and other major tech companies, have historically opposed such law changes, which they say threaten online security protocols. For example, Apple claimed the U.K.'s recent bill would "weaken security" for millions of law-abiding customers. "The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," Apple stated in December 2015. "A key left under the doormat would not just be there for the good guys. The bad guys

Australia to Push for Greater Powers on Encrypted Messaging at 'Five Eyes' Meeting

Australia is set to push for greater international powers to thwart the use of encrypted messaging services by terrorists and criminals, according to reports on Sunday (via Reuters). The topic will be addressed this week at a meeting of officials from the "Five Eyes" intelligence sharing network, which includes the U.S., the U.K., Canada, Australia, and New Zealand. Australia claimed the increasing use of strong encryption on smartphones and other devices was hindering law enforcement's capacity to gather and act on intelligence, and said it wants tech companies to do much more to give intelligence and law enforcement agencies access to encrypted communications. Security experts and privacy groups regularly argue that any such methods would simply weaken overall security for everyone. "I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption," Australian Attorney General Senator Brandis said in a joint statement. "These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies." The announcement followed the U.K. government's recent statement of intent to pressure technology companies to do more to put an end to the "safe spaces" that the internet offers extremists. The country has also called for measures to "regulate cyberspace", following terror attacks in the country. In related news, a leaked draft technical paper prepared by the U.K. government states that technology companies would be required to remove

Russia Threatens to Ban Encrypted Messaging App Telegram

Russia has threatened to block access to the Telegram messaging platform unless the company that runs the app provides more information about itself (via Sky News). The head of communications regulator Roskomnadzor, Alexander Zharov, said repeated efforts to obtain the information had been ignored by the company and warned that "time is running out" for the app. "There is one demand and it is simple: to fill in a form with information on the company that controls Telegram," Zharov said in an open letter. "And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information." Telegram's non-response appears to be down to the repercussions of handing over the requested details: Doing so would effectively add it to the state regulators' registry, which would require it to retain users' chat histories and encryption keys and share them with authorities if asked, according to Russian news agency TASS. The demand isn't the first time the Russian founders of Telegram – Kremlin, Nikolai and Pavel Durov – have failed to comply with state requests. In 2014, the Durovs refused to turn over data on Ukrainian users of Vkontakte, a social network they also set up together. Telegram claims to split its encryption keys into separate data centers around the world to ensure "no single government or block of like-minded countries can intrude on people's privacy and freedom of expression". According to the group's policy, it can

Swiss Encrypted Email Provider Launches ProtonVPN With Free Subscription Tier

Encrypted email provider ProtonMail today launched its own VPN service called ProtonVPN, which includes a free user tier in its pricing plan. The Swiss-based company said it had been testing its VPN service for four months with the help of over 10,000 members of the ProtonMail community, and the group was ready to make ProtonVPN available to everyone starting Tuesday. The Proton group said they were motivated to create ProtonVPN to combat increased threats to online freedom, such as the recent repeal of Obama-era rules designed to protect consumer internet browsing history, calls by British Prime Minister Theresa May for increased online surveillance, and the attempts by the U.S. FCC to dismantle net neutrality. "In the past year, we have seen more and more challenges against Internet freedom," said ProtonMail Co-Founder Dr. Andy Yen, "now more than ever, we need robust tools for defending privacy, security, and freedom online. "The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them," said Yen. "This is why, as with ProtonMail, we're committed to making a free version of ProtonVPN available to the world." The group says it has worked to make the best possible VPN service by addressing many of the common pitfalls with existing VPNs. Features therefore include a Secure Core architecture that routes traffic through multiple encrypted tunnels in multiple countries to better defend against network based attacks, a no logs policy backed by

Encrypted Messaging App 'Signal' Approved for Use by U.S. Senate

The U.S. Senate has approved popular encrypted messaging app Signal for official use by staffers in the chamber, it was revealed yesterday (via ZDNet). The news came in a letter sent on Tuesday by Senator Ron Wyden (D-OR), known to be a staunch privacy advocate, in which he underlined his belief that "backdoor-free" encryption should be embraced by the state at all levels rather than something the government should fear. "I have long argued that strong, backdoor-free encryption is an important cybersecurity technology that the government should be embracing, not seeking to regulate or outlaw. My own Senate website, which has used HTTPS by default since 2015, was the first Senate website to do so. With the transition to default HTTPS for all of the other Senate websites and the recent announcement by your office that the end-to-end encrypted messaging app Signal is approved for Senate staff use, I am happy to see that you too recognize the important defensive cybersecurity role that encryption can play." Signal by Open Whisper Systems is widely considered by security experts to be the most secure mobile messaging platform on iOS and Android, due to features like end-to-end encryption of text, picture, and video messages, support for private calling, and a lack of separate logins. Members of Congress are for the most part exempt from record-keeping laws, so long as encrypted communications are not "historically valuable", or do not include committee documents. However, workers of the federal government and those who work directly with the president are governed by

ProtonMail Launches Tor Onion Site to Evade State Censorship

Encrypted email provider ProtonMail has launched its own onion address, allowing users to access the service over the Tor anonymizing network (via TechCrunch). The Swiss-based email account provider, which has more than 2 million users, said the measure was aimed at defending against state-sponsored censorship, and pointed to recent moves around the world to block encrypted communications and expand surveillance. ProtonMail said it was worried about increased attacks on online privacy, such as encryption messaging app Signal being blocked in Egypt, and the UK passing expansive surveillance legislation which mandates tracking of web activity. The service also reported a bump in registrations following President-Elect Donald Trump's election win, with web users said to be seeking a non-U.S. based secure email provider in case of a broad expansion of online surveillance activity. "Given ProtonMail's recent growth, we realize that the censorship of ProtonMail in certain countries is inevitable and we are proactively working to prevent this," said co-founder Andy Yen in a statement on the launch. "Tor provides a way to circumvent certain Internet blocks so improving our compatibility with Tor is a natural first step." ProtonMail can now be reached over the Tor network directly using the onion address https://protonirockerxow.onion. The provider has also posted instructions on how to access the site on iOS devices, although it is currently looking into problems with access via the free Onion Browser app. ProtonMail is a free download for iPad and iPhone on the App

Leaked Documents Reveal What Kind of Data Cellebrite Can Extract From iPhones

Israeli mobile software developer Cellebrite gained media attention earlier this year when rumors suggested the FBI recruited the company to unlock San Bernardino shooter Syed Farook's iPhone. While the FBI did not enlist Cellebrite's help, the company does have technology licensed by governments that can extract iPhone data. ZDNet has obtained documents that reveal the scope of this technology. The leaked files are "extraction reports," which are organized to allow investigators to easily see and analyze data from a phone. Extraction is conducted by plugging the phone into a Cellebrite UFED device. While the device is primarily for extracting information currently on the phone, it can, in some cases, extract recently deleted items. The phone at the heart of ZDNet's extraction report was a non-passcode-protected iPhone 5 running iOS 8. The first couple pages of the report include case numbers and unique identifying information for the device, including phone number, IMEI numbers and Apple ID. In these first pages, the report also divulges which plugins the software used to extract information from the device. These plugins can help the software extract data from QuickTime and iPhone backups. The report compiles geolocation data from every photo taken on the device and visualizes it on a map, allowing an investigator to easily see when and where a person was. Text messages are organized in chronological order, which makes it easier for investigators to track conversations. The wireless networks a device has connected to are also logged, including the MAC

Facebook Completes Rollout of Messenger App End-to-End Encryption

Facebook has announced that the rollout of cryptographic features for its massively popular Messenger chat service has completed, bringing end-to-end encryption to the largest messaging network in existence. Back in July, the social network company said it was testing the privacy feature on a limited basis which would eventually be rolled out to all 900 million users of the app. On Tuesday, Facebook told Wired that rollout had finished. Messenger now implements the same highly regarded cryptographic Signal Protocol that the company's WhatsApp platform uses to encrypt messages, but the Messenger app needs to be updated and the feature turned on for it to work. A new "Secret Conversations" option can now be found at the top-right of the app's New Message screen, provided that users have enabled the option from the Me profile settings screen. The encryption protocol covers one-to-one text chats and stickers used within threads, but does not currently support the use of videos and GIFs. Messenger users who update the app will also get to use a new Snapchat-style option that erases messages after a specified duration. Messenger is free on the App Store for iPhone, iPad, and Apple Watch.

Tim Cook Tells Utah Tech Audience: Encryption 'Makes the Public Safe'

Apple CEO Tim Cook drew cheers from a Salt Lake City audience on Friday as he reiterated the company's unwavering commitment to encryption and privacy protections for its customers, according to local media reports. The comments were made during a Q&A session at the yearly meeting of the Utah Technology Council (UTC), a trade and advocacy group representing more than 5,000 technology and life-sciences companies across the U.S. state. The 55-year-old CEO was invited along with Utah senator Orrin Hatch to take the stage at the Grand America Hotel and field questions from a public audience. [Image: Tim Cook in Q&A with senator Orrin Hatch] Calling encryption "one of the biggest issues we face," the CEO noted that most iPhone users have more personal data on their phones than in their homes. "Encryption is one of the things that makes the public safe," he said. "We feel we have a responsibility to protect our customers." "We believe the only way to protect both your privacy and safety from a cyberattack is to encrypt," Cook told about 1,400 industry executives, tech workers and Apple fans. "We throw all of ourselves into this and are very much standing on principle in this." Cook was responding to questions regarding the lingering impact of Apple's dispute with the FBI over the agency's demand that it build a "back door" into its software, following the use of a locked iPhone by the primary suspect in the San Bernardino mass shooting last December. Apple refused to comply with the request from the federal agency, which dropped its pursuit of the company when investigators

Cryptography Experts Recommend Apple Replace its iMessage Encryption

Apple has implemented a series of short- and long-term defenses to its iMessage protocol after several issues were discovered by a team of researchers at Johns Hopkins University, according to a report published today (via PatentlyApple). This attack is different to the one Johns Hopkins researchers discovered in March, which allowed an attacker to decrypt photos and videos sent over iMessage. The technical paper details how another method known as a "ciphertext attack" allowed them to retrospectively decrypt certain types of payloads and attachments when either the sender or receiver is still online. The scenario requires that the attacker intercepts messages using stolen TLS certificates or by gaining access to Apple's servers. While the attack takes a high level of technical expertise to be successful, the researchers note that it would be well within the means of state-sponsored actors. "Overall, our determination is that while iMessage’s end-to-end encryption protocol is an improvement over systems that use encryption on network traffic only (e.g., Google Hangouts), messages sent through iMessage may not be secure against sophisticated adversaries." The team also discovered that Apple doesn't rotate encryption keys at regular intervals, in the way that modern encryption protocols such as OTR and Signal do. This means that the same attack can be used on iMessage historical data, which is often backed up inside iCloud. In theory, law enforcement could issue a court order forcing Apple to provide access to their servers and then use the attack to decrypt the

Facebook Testing End-to-End Encryption in Messenger

Facebook has announced that it will begin rolling out optional end-to-end encryption within its Messenger app for iOS and Android on a limited test basis, ahead of the option becoming more widely available through early September. Messenger users will be able to create one-to-one "Secret Conversations" in Messenger that will be end-to-end encrypted and which can only be read on one device of the person they are communicating with. Within secret conversations, Messenger users will have the option to set a timer to control the length of time each message sent remains visible within the conversation. The technology is based on the Signal Protocol by Open Whisper Systems. Facebook said secret conversations do not currently support rich content like GIFs and videos, making payments, or other popular Messenger features. End-to-end encryption will not be enabled by default, and secret conversations will not be available through Messenger.com, Facebook chat, or the desktop Messenger app for now, per TechCrunch, which also explained how to start a secret conversation: …just tap on your friend's name at the top of your current message thread. If you're part of Facebook's test group, you'll see an option called "Secret Conversation." Once you click it, a new conversation thread opens, with a notice at the top informing you that the chat is end-to-end encrypted. The timer feature that allows messages to be erased after a certain time period has elapsed is located right next to the text field. It offers a drop-down list of times you can select for how long you

Apple-Opposed 'Investigatory Powers' Surveillance Bill Moves Closer to Legality in UK

The United Kingdom's House of Commons this week passed the controversial "Investigatory Powers" bill, which gives spy and government agencies the ability to "engage in bulk surveillance and computer hacking," and has met stern opposition from various technology companies, including Apple. In the House of Commons, the bill passed by a vote of 444 to 69 (via Bloomberg). The original wording of the bill required companies to build anti-encryption backdoors into their software -- a point of contention Apple fought over repeatedly against the FBI this year -- and the storing of website records for every UK citizen by web and phone companies. The updated version of the bill passed this week introduced slight alterations to these rules, which could ultimately play in the favor of companies like Apple, Google, and Microsoft in the UK. The updated bill clearly states that companies aren't required to install backdoors to get around encryption when a government agency requests it, with one exception: if taking such an action "is technically feasible and not unduly expensive," the company could face the same request the US government gave Apple earlier in the year. Of course, the exact definition of what would be "technically feasible and not unduly expensive" isn't divulged in the bill. If the bill ultimately becomes law, these definitions would be left to the decision-making of a British judge on a case-by-case basis. According to Apple and CEO Tim Cook, if the company would have been required to introduce a workaround to grant unlimited access to terrorist Syed Farook's

Facebook Considering Optional End-to-End Encryption for Messenger

Facebook is planning to introduce an optional end-to-end encryption mode for its Facebook Messenger chat platform, currently used by more than 900 million people, reports The Guardian. Citing sources "close to the project," The Guardian says the encryption will be an opt-in feature because turning it on will impact some of the new machine learning features being built into the Messenger app like chat bots. Google's upcoming "Allo" messaging app also offers an opt-in end-to-end encryption option it calls "incognito mode." Many major technology companies have taken a stronger stance on privacy, embracing end-to-end encryption following Apple's standoff with the FBI. Earlier this year, the FBI demanded Apple unlock the iPhone 5c used by San Bernardino shooter Syed Farook by bypassing Apple's own passcode security features. Apple refused, and the FBI eventually found an alternate way to access the iPhone, but the dispute has scared technology companies into bolstering security. Dozens of major technology companies supported Apple during its fight with the FBI, all of whom were concerned about the precedent the FBI's demand could set. Popular Facebook-owned messaging app WhatsApp enabled full end-to-end encryption in April, and in March, Swiss software developer Proton Technologies released ProtonMail, an email app offering end-to-end encryption. Apple is also rumored to be working on enhanced security measures for its software and hardware, and apps like Telegram Messenger have grown in popularity. It is not clear exactly when Facebook might introduce new