security


'security' How Tos

How to Use Firefox Private Network to Encrypt Your Web Traffic

Mozilla this week began piloting its own browser-based VPN service, and if you're located in the U.S. you can start testing it for free right away. Called the Firefox Private Network, the service promises Firefox users a more secure, encrypted path to the web that prevents eavesdroppers from spying on your browsing activity and hides your location from websites and ad trackers. Because it is browser-based, it won't protect any internet traffic outside of your web browser, but it's a good option if you want an encrypted connection on the fly when you're using Firefox on a public Wi-Fi network, for example. As a time-limited beta, the Firefox Private Network is currently free to try, although this does suggest it may become a paid service in the future. You also need to be a U.S. resident logged into your Firefox account in the Firefox desktop browser. If you can fulfill those prerequisites, you can install the private network by navigating to this page, clicking the blue + Add to Firefox button, then granting permission for the network to be added to the browser. Click the door hanger icon that appears at the top-right corner of the toolbar, and you'll see a switch that you can use to toggle the VPN on and off. A green tick in the icon indicates the secure network is active and your browsing activity is being encrypted. Opera browser offers a similar free VPN service that cloaks your web browsing, but with the added benefit that it lets you choose the continent in which you want your connection to reside. So if you're looking to access a location-restricted

How to Encrypt a USB Flash Drive in macOS Mojave

In macOS Mojave, you can choose to encrypt and decrypt disks on the fly right from the desktop. Using this convenient Finder option, we're going to show you how to encrypt a USB flash drive (or "thumb drive"), which is useful if you're traveling light and want to take sensitive data with you for use on another Mac. Finder uses XTS-AES encryption, the same encryption that FileVault 2 uses to prevent access to data on a Mac's startup disk without a password. Note that the following method is only compatible with Macs – you won't be able to access data on the encrypted drive using a Windows machine. If this is a requirement, you'll need to use a third-party encryption solution like VeraCrypt. With that in mind, here's how to securely encrypt your USB flash drive. Attach the USB flash drive to your Mac and locate its disk icon on your desktop, in a Finder window, or in the Finder sidebar, then right-click (or Ctrl-click) it and select Encrypt "[USB stick name]"... from the contextual menu. (Note that if you don't see the Encrypt option in the dropdown menu, your USB flash drive hasn't been formatted with a GUID partition map. To resolve this, you'll need to erase and encrypt the USB drive in Disk Utility – before that though, copy any data on the drive to another location for temporary safekeeping.) When you select Encrypt, Finder will prompt you to create a password, which you'll need to enter the next time you attach the USB flash drive to a Mac. (Don't forget this, otherwise you'll lose access to any data stored on the USB drive!) Once you've chosen a

How to Use Secure Code AutoFill in iOS 12 and macOS Mojave

Most readers will have at some point received a two-factor authentication code delivered to them by SMS text message. Many apps and websites send the one-time codes to confirm that the person attempting to log in to an account is the legitimate account holder, and not just someone using a stolen password. Depending on how notifications are set up on your iPhone, receiving a code via text message may mean that you have to switch out from the app or website to read the message and memorize or copy the code, and then switch back to paste it or type it into the login screen manually. To make this process less of a hassle, Apple is introducing Security Code AutoFill for iOS 12. The new feature ensures that SMS one-time passcodes that you receive instantly appear as AutoFill suggestions in the QuickType bar above the virtual keyboard, letting you input them in the passcode field with a simple tap. If you've enabled Text Message Forwarding on your iPhone, you can use the Secure Code AutoFill feature in macOS Mojave, too. The code should appear in Safari as an AutoFill option in the relevant field as soon as the SMS is delivered to Messages on your Mac. iOS and macOS use local data detector heuristics to work out whether an incoming message carries a security code, and Apple says the Security Code AutoFill feature does not alter the security of this two-factor authentication method. So as long as developers craft their secure code text messages correctly, Security Code AutoFill should work in all third-party apps updated for iOS 12 and macOS Mojave, which are

How to Secure Your Apple ID Using Two-Factor Authentication

Apple introduced two-factor authentication (2FA) in 2015 to provide an enhanced level of security when accessing Apple ID accounts. With 2FA enabled, you'll be the only person who can access your account, regardless of whether someone learns your password – as the result of a hack or a phishing scam, for example – so it's well worth taking the time to enable the feature. In this article, we'll show you how.

How Two-Factor Authentication Works

2FA offers hardened security during login attempts by requesting that the user provide an extra piece of information only they would know. With 2FA enabled on your Apple ID account, the next time you try to log in, a six-digit verification code will automatically be sent to all the Apple devices you have registered to that Apple ID. If you try to access the account from an unknown device or on the web, 2FA also displays a map on all registered devices with an approximate location of where the Apple ID login attempt occurred. In basic terms, this is an improved version of Apple's older two-step verification method, which prompted users to send a four-digit code to a registered SMS-capable device. Apple automatically upgraded most two-step verification users to 2FA as of iOS 11 and macOS High Sierra, but if you're still on two-step verification for some reason, follow the steps below to manually upgrade to 2FA.

How to Turn Off Two-Step Verification

Open a browser and go to appleid.apple.com.
Enter your Apple ID and password in the login fields.
In the Security section of your account page, click the Edit

'security' Articles

Google Pixel 4's Face Unlock Feature Works With Eyes Closed, Sparking Security Concerns

Google has ignited security concerns over the facial authentication system in its new Pixel 4 smartphone by admitting that it will unlock the device even when the user's eyes are shut. Google unveiled the Pixel 4 this week to mostly positive reviews, many of which praised the phone for its super-fast new face unlock system, which replaces the fingerprint sensor and works much the same as Apple's Face ID on iPhones, except for one key security feature. The BBC has discovered that the Pixel 4 can be unlocked with the user's face even if they're sleeping (or pretending to be asleep). That contrasts with Apple's Face ID system, which by default engages an "Attention Aware" feature that requires the user's eyes to be open for the iPhone to be unlocked. Attention Aware can be disabled for convenience, but the Pixel 4 lacks an equivalent security feature entirely.

"Proof, for those asking #madebygoogle #pixel4 pic.twitter.com/mBDJphVpfB" — Chris Fox (@thisisFoxx), October 15, 2019

To its credit though, Google isn't hiding this fact. A Google support page reads: "Your phone can also be unlocked by someone else if it's held up to your face, even if your eyes are closed. Keep your phone in a safe place, like your front pocket or handbag." To "prepare for unsafe situations," Google recommends holding the power button for a couple of seconds and tapping Lockdown, which turns off notifications and face recognition unlocking. In early leaks of the Pixel 4, screenshots revealed a "require eyes to be open" setting for face unlock, so it looks as if Google tried to

Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack

An Israeli security firm claims it has developed a smartphone surveillance tool that can harvest not only a user's local data but also all their device's communications with cloud-based services provided by the likes of Apple, Google, Amazon, and Microsoft. According to a report from the Financial Times [paywalled], the latest Pegasus spyware sold by NSO Group is being marketed to potential clients as a way to target data uploaded to the cloud. The tool is said to work on many of the latest iPhones and Android smartphones, and can continue to harvest data even after the tool is removed from the original mobile device. The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location. This grants open-ended access to the cloud data of those apps without "prompting 2-step verification or warning email on target device", according to one sales document. Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target's location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration. When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn't specifically deny that it had developed the capability described in the documents. In response to the report, Apple told FT that

Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams [Updated]

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh. In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed. The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability. In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to DoS (denial of service) a Mac by repeatedly joining a user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app. Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app. While we wait for the Zoom developers to do something about the vulnerability, users can take steps to protect themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting. Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page. Helpfully, the bottom

Data Extraction Company Cellebrite Touts New Software for Cracking iPhones and iPads Running up to iOS 12.3

Israel-based software developer Cellebrite, known for breaking into mobile devices like the iPhone to obtain sensitive data, has announced that it can now unlock any iOS device running up to iOS 12.3, which was released only a month ago. The firm revealed the capability in a tweet posted late Friday advertising UFED Premium, the latest version of its Universal Forensic Extraction Device. On its UFED web page, Cellebrite describes the tool's ability to glean forensic data from any iOS device dating back to iOS 7, as well as from Android devices made by Samsung, Huawei, LG, and Xiaomi. The Israeli firm describes UFED Premium as "the only on-premise solution for law enforcement agencies to unlock and extract crucial mobile phone evidence from all iOS and high-end Android devices." If the claims are accurate, Cellebrite's tool will enable authorities to potentially crack the vast majority of smartphones currently available on the market. As Wired notes, no other law enforcement contractor has made such broad claims about a single product, at least not publicly. Apple continually introduces improvements to the security of its operating systems in order to keep ahead of companies like Cellebrite that are always searching for flaws and vulnerabilities to exploit in order to access the data on locked iOS devices. For example, in October 2018 Apple successfully thwarted the "GrayKey" iPhone passcode hack, sold by Atlanta-based company Grayshift, which had also been in use by U.S. law enforcement. Cellebrite first garnered significant attention in 2016,

Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages

Apple and other tech giants have joined civil society groups and security experts in condemning proposals from Britain's cybersecurity agency that would enable law enforcement to access end-to-end encrypted messages (via CNBC).

[Image: British Government's Communications HQ in Cheltenham, Gloucestershire]

In an open letter to the U.K.'s GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp urged the U.K. eavesdropping agency to ditch plans for its so-called "ghost protocol," which would require encrypted messaging services to direct a message to a third recipient, at the same time as sending it to its intended user. Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis, published details of the proposal in November 2018. In their essay, Levy and Robinson claimed the system would enable law enforcement to access the content of encrypted messages without breaking the encryption. The officials argued it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," and claimed this would be "no more intrusive than the virtual crocodile clips," which are currently used in wiretaps of non-encrypted chat and call apps. Signatories of the letter opposing the plan argued that the proposal required two changes to existing communications systems that were a "serious threat" to digital security and fundamental human rights, and would undermine user trust. "First, it would require service providers to

CES 2019: Arlo Unveils HomeKit-Enabled Ultra 4K HDR Security Camera and All-in-One Home Security System

Arlo Technologies today announced its new Arlo Ultra 4K wire-free HDR security camera and Arlo Security System, the latter of which is being billed as a comprehensive security solution for the home or business. The HomeKit-compatible Arlo Ultra 4K HDR video camera features both color and black and white night vision via an integrated LED spotlight, a 180-degree panoramic field-of-view lens, and two-way audio with advanced noise cancellation. The Arlo Ultra ships with the Arlo SmartHub, which will also become Zigbee and Z-Wave compatible in the second half of 2019, allowing users to control a wide range of "Works with Arlo" certified third-party smart home devices via the Arlo app. As part of the Arlo ecosystem, the SmartHub will also support the newly announced Arlo Security System, which consists of the Arlo Multi-Sensor, Arlo Siren and Arlo Remote, to form a comprehensive security solution. The Arlo Multi-Sensor detects windows and doors opening and closing, motion, smoke and carbon monoxide alarms, water leaks, temperature changes and more. The battery-operated Arlo Siren features a loud siren accompanied by a red strobe light to deter intruders. Users can also enable presence simulation to emit audio sounds, such as dog barking or TV audio. In addition, a built-in melody can be activated to notify users of specific events, such as the Multi-Sensor detecting a door opening. Meanwhile, the Arlo Remote lets owners arm and disarm the system without using the Arlo mobile app. It also features two customizable buttons that can be programmed to

Australia Passes Controversial Encryption Bill Despite Opposition From Apple and Other Tech Companies

The Australian parliament on Thursday passed controversial encryption legislation that could result in tech companies being forced to give law enforcement access to encrypted customer messages. As we reported in October, Apple opposed the legislation in a seven-page letter to the Australian parliament, calling the encryption bill "dangerously ambiguous" and wide open to potential abuse by authorities. Advocates of the bill, officially titled "Assistance and Access Bill 2018," argue it is essential to national security because encrypted communications are used by terrorist groups and criminals to avoid detection. CNET provided a breakdown on the Australian bill and the three tiers of law enforcement and state agency assistance it covers:

Technical assistance request: A notice to provide "voluntary assistance" to law enforcement for "safeguarding of national security and the enforcement of the law."

Technical assistance notice: A notice requiring tech companies to offer decryption "they are already capable of providing that is reasonable, proportionate, practicable and technically feasible" where the company already has the "existing means" to decrypt communications (e.g. where messages aren't end-to-end encrypted).

Technical capability notice: A notice issued by the attorney general, requiring tech companies to "build a new capability" to decrypt communications for law enforcement. The bill stipulates this can't include capabilities that "remove electronic protection, such as encryption."

The Australian government insists that the laws don't provide a

Complex Passcode Bypass Method Exposes iPhone Contacts and Photos in iOS 12

A passcode bypass vulnerability has been discovered in iOS 12 that potentially allows an attacker to access photos and contact details on a locked iPhone. The rather convoluted bypass method was shared in a video by Jose Rodriguez, who has discovered iOS bugs in the past that Apple has subsequently fixed. With physical access to the locked device, the attacker first asks Siri to activate VoiceOver, sleeps the device with the Side button, and then calls the iPhone using another device. Once the call screen shows up, the attacker taps the Message button, opts to create a custom message, and then taps the plus (+) icon in the top right. Next, on the other phone, the attacker sends a text or iMessage to the target iPhone, whose screen is then double-tapped when the message notification appears. This causes an odd behavior in the UI, since it highlights the plus icon underneath. After a short wait, the screen goes white and the notification disappears, but the VoiceOver's text selection box is apparently still tappable and can now be used to access the Messages interface. Following multiple screen swipes, the VoiceOver is heard to say "Cancel," which reveals the original Messages screen. Adding a new recipient to the message and selecting a numeral from the virtual keyboard then reveals a list of recently dialed or received phone numbers and contacts. Further, if one of the numbers or contacts includes an info ("i") button, disabling VoiceOver and tapping the button shows the contact's information. Performing a 3D Touch action on the contact also brings

British Airways Website and Mobile App Suffer Huge Customer Data Breach

British Airways says it is investigating the theft of customer data from its website and mobile app over a two-week period, during which 380,000 payment cards were exposed (via The Guardian). "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised," the airline revealed in a statement on its website. According to BA, travel and passport information was not accessed during the data breach, but concerned customers are being advised to get in touch with their card issuers in the first instance. The company said all customers affected by the breach had been contacted on Thursday night. "British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice." The airline said it was informed of the hacking by a third party, which is why it was able to continue undetected for two weeks, but the company insists that the breach has been resolved and its website and mobile app are now working

Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari. In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats. The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

"Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!"

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application. This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process; however, the popup text and available options are

Timehop Service Suffers Data Breach Affecting 21 Million Users [Updated]

The company behind social media app Timehop has revealed its servers suffered a data breach in which the personal details of around 21 million users were stolen. The company, whose service integrates with users' social media accounts to display photos and memories they may have forgotten about, said it became aware of the attack as it was happening in the early hours of July 4. In a statement published on Saturday, the company said it was able to shut down its cloud servers two hours and twenty minutes into the attack, but not before a significant number of users' data was stolen. Hackers made off with the names and emails of 21 million users and the phone numbers of 4.7 million users, but no private/direct messages, financial data, social media, photo content, or Timehop data including streaks were affected, according to the company. However, the keys that enable the service to read and send social media content to users were compromised in the breach. Timehop has deactivated the keys as a security measure, but that means users will need to re-enable the app's permission to access their accounts if they want to continue using the service.

"While we investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens. Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In

ElcomSoft's Latest Tool Can Allegedly Access iMessages in iCloud, But Only in Extreme Circumstances

Russian company ElcomSoft today claimed that the latest version of its Phone Breaker software can remotely access iMessage conversation histories stored in iCloud, although there are several strings attached. Namely, the person attempting to extract iMessages from an iCloud account would need the following before being able to do so:

Elcomsoft Phone Breaker version 8.3

The associated Apple ID email and password for the iCloud account

The passcode, if an iPhone, iPad, or iPod touch, or system password, if a Mac, of at least one device on the account enrolled in Messages in iCloud, which requires iOS 11.4 and macOS 10.13.5 or later

Access to a two-factor authentication method, such as a trusted secondary device, which may or may not have the same passcode or system password, or a SIM card for a phone number that has been authorized to receive one-time verification codes via SMS

It's worth noting that if the perpetrator has obtained physical access to at least one of your trusted secondary devices, and its passcode, they would be able to read at least part of your iMessage history regardless by simply opening the Messages app. Apple obviously cares very deeply about the security of its customers, but if a bad actor has gained access to another person's Apple ID credentials, your passcode, and at least one of your Apple devices, or your SIM card, there arguably isn't really much the company can do at that point to protect you. That's why it's so important, as Apple routinely stresses, to set a strong password for your Apple ID, not share that password with others, e

Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple while they in fact hid malicious software. The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps. Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure. Ars Technica broke down how the method was used and which third-party tools are affected:

"The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in

Thousands of Apple ID Passwords Leaked by Teen Phone Monitoring App Server

ZDNet reports that a server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of login credentials, including the Apple IDs of children. The leaked data belonged to customers of TeenSafe, a "secure" monitoring app for iOS and Android that allows parents to view their child's text messages and location, call history, web browsing history, and installed apps. The customer database was reportedly stored on two servers hosted by Amazon Web Services, where it remained unprotected and accessible without a password. The discovery was made by a U.K.-based security researcher specializing in public and exposed data, and the servers were only taken offline after ZDNet alerted the California-based company responsible for the TeenSafe app. "We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet on Sunday. The information in the exposed database included the email addresses of parents who used TeenSafe, the Apple ID email addresses of their children, and children's device name and unique identifier. Plaintext passwords for the children's Apple IDs were also among the data set, despite claims on the company's website that it uses encryption to protect customer data. Compounding the lax security is the app's requirement that two-factor authentication is turned off for the child's Apple account so that parents can monitor the phone without consent. This means a malicious actor could potentially access a child's

LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones

Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow. For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing. Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.

[Image: LocationSmart's since-removed trial page, via Krebs on Security]

The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada. In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:

"If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent ("subscription") check."

Upon discovering

Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past. The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 a.m. Pacific) promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.

"There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF's blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4" — Sebastian Schinzel (@seecurity), May 14, 2018

Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said: "EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages." In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted

Russia Bans Access to Telegram Encrypted Messenger Service [Updated]

A Russian law court has ordered that access to the Telegram encrypted messaging service should be blocked, according to Russian news agencies on Friday (via Reuters). The development follows last week's news that Russia's media regulator had filed legal proceedings to block the app in the country because the company refused to enable state security services to access users' messages. The Telegram platform allows people to communicate with each other using end-to-end encryption, meaning no-one – not even Telegram – has access to messages sent between users.

The app has over 200 million users globally. They include Kremlin staff, who use Telegram to coordinate conference calls with Vladimir Putin's spokesman. Many government officials also use the messenger app to communicate with media, according to Reuters. When Reuters asked a person in the Russian government how they would operate without access to Telegram, the person, who asked not to be identified due to the sensitivity of the issue, replied by sending a screenshot of his mobile phone with an open VPN app.

Telegram becomes the second global network after LinkedIn to be blocked in Russia. In 2016, a court found LinkedIn guilty of violating a law that requires companies holding Russian citizens' data to store it on servers within Russia.

Update 04/17: The Russian government has formally requested that Apple remove Telegram from its regional App Store in the country, reports Reuters.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics,

'ProtonMail Bridge' Brings Encryption to Outlook, Thunderbird, and Apple Mail

Swiss-based encrypted email provider ProtonMail today announced Bridge, an app for premium account holders that aims to bring easy-to-use email encryption to desktop email clients like Outlook, Thunderbird, and Apple Mail.

"One of our goals has always been to bring easy-to-use encrypted email to desktop. The problem is formidable. Desktop systems encompass multiple operating systems with dozens of popular email clients with their own adherents, and virtually none of them natively speak PGP, the email encryption standard upon which ProtonMail is built. Around two years ago, we created a small task force to tackle this challenge. Today, we are finally ready to present ProtonMail Bridge."

Basically, the downloadable Bridge app enables ProtonMail users to access their encrypted email accounts using their favorite email client, without compromising on the security provided by the end-to-end encrypted service, and without needing to modify their email application. At the same time, local copies of the emails are stored on the user's computer, allowing them to use the search features of their email client as normal.

To achieve this, the Bridge app functions like a local IMAP/SMTP email server capable of communicating with the remote ProtonMail server to encrypt and decrypt incoming/outgoing messages locally. In this way, it translates end-to-end encrypted email data into a language that any email client can understand, thus "bridging" the gap between ProtonMail's end-to-end encryption and a user's standard email client. The Bridge app aims to fit right into email clients

Signal Encrypted Messenger 2.19 Update Finally Available Following App Store Hiccup

Encrypted messaging app Signal pushed out its v2.19 update late on Friday after a post-release 48-hour delay, owing to an App Store issue that Apple has now resolved. The update includes a number of new features and improvements, including full UI display support for iPhone X. After the update is applied, users will no longer see the "Load Earlier Messages" link within chat threads, because additional messages now appear automatically upon scrolling to the top of a conversation. In other improvements, a new simplified interface has been introduced to the Signal mobile app that aims to make sending photos, files, and GIFs easier and quicker. For example, attachment previews are now displayed directly in the message bar instead of on a separate confirmation screen. Adopting a design concept popularized by Facebook Messenger known as "Jumbomoji", emoji characters are now also visibly larger in Signal chat bubbles that don't contain any other text. Elsewhere, messages that fail to send have been made easier to spot and re-send, while a new "Tap for More" option should make navigating extremely long messages a more pleasant experience. The list of supported languages has also been expanded to include Burmese, Hebrew, and Persian, while users with an external keyboard linked to their device can now make use of new key combination shortcuts for sending messages (Shift + Enter, and Command + Enter). Apart from the above changes, Open Whisper Systems has revamped the layout code to improve performance and flexibility, so everything should feel smoother and more

$199 Wink Lookout Home Security Pack Bundles All-Wink Products for the First Time

Connected smart home company Wink on Tuesday announced its first home security bundle featuring all its own-brand products, rather than including compatible products made by other companies. The Wink Lookout set includes two open/close sensors for use on doors and windows, a motion sensor with pet sensitivity for placement anywhere in the home, a siren and chime alarm with built-in flashlight, and the unifying Wink hub. No subscription is required to use the products, which communicate through the hub and can be monitored using an updated Wink iOS app that features sensor-trip alerts, siren control, and an emergency services/trusted contact call option. The new Wink home security bundle costs $199, which is significantly cheaper than the similar Nest Guard at $499. The Wink Lookout set will be available from October 31 at Home Depot and on Amazon. Sensors can be picked up individually for $29, as can the home motion sensor and siren, which cost $39 each. The set includes free shipping in the U.S. backed by a 30-day return policy. (Via Engadget.)