From getting hacked by Zoombombers to selling software exploits in the Dark Web, Zoom, the video conferencing app, has probably seen it all over the past few weeks.

The software, available both on desktop and mobile, has surged in popularity ever since the Covid-19 lockdown began, and is now feeling the heat as schools and organisations have started moving away from the platform due to security concerns.

But with several million of us hunkering down at home to curb the spread of coronavirus, online collaborations with employees or students via video conferences are important to get the work done. And this brings us to the golden question which video conferencing app should we use?

Now, there are several other video calling apps you can use including Google Duo, Microsoft Skype, Microsoft Teams, AnyDesk etc and you can rank these based on their features. But features are not what we are talking about today, we are talking about their encryption models and how safe are they to use (which is more important than anything right now).

So, to answer this Hindustan Times Tech got in touch with Microsoft, Google, Anydesk and spoke to the CEO of cybersecurity firm Lucideus.

But before we tell you what the experts said, here's a brief about what encryption really means. In simple terms, encryption encodes the information sent from one party and decodes it when it reaches the recipient. This prevents the possibility of infiltration, making video calling and messaging secure. However, how well this system can work depends on the level of encryption that firms, in this case the video calling apps, use.

As explained by Saket Modi, co-founder and CEO of Lucideus, there are three encryption standards: 128-bit encryption, 192-bit encryption and the 256-bit encryption, which is also the most difficult level of encryption to crack. Many have been using AES (Advanced Encryption System) with 256-bit for improved security as well. For instance, all your banking applications use 256-bit encryption. However, when it comes to video calling, there are two main kinds of encryption methods end-to-end encryption and TLS 1.2.

TLS (Transport Layer Security), as the name suggests, ensures secure delivery of data over the Internet between two applications. It however, does not secure data on the end systems (your smartphones and your computers).

So, what encryption platform is Zoom using?

As mentioned by Zoom in its support page, the TLS 1.2 with AES 256-bit algorithm is only used for the desktop clients right now. However, "for dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's datacentre and is transferred to the participant's phone network," says Zoom.

What's worth adding is that while Zoom did mention it uses end-to-end encryption before for all calls, it never actually did. The firm even apologised for it later in a blog post and even faced a class-action lawsuit for overstating privacy standards and not disclosing that its service was not end-to-end encrypted.

What about the alternatives?

When we asked Microsoft about Skype's encryption model, the Redmond-based tech firm said that it "does not store any Skype video or audio calls, and chat messages are stored to enable sync across devices, but can be deleted".

The representative even pointed us towards the Skype support page that duly mentions the use of AES (Advanced Encryption Standard) "which is used by the US Government to protect sensitive information, and Skype has for some time always used the strong 256-bit encryption".

While for instant messages, Microsoft uses TLS to encrypt messages between Skype and other chat services that are based on Microsoft's cloud. However, it uses AES when the messages are sent between two Skype clients.

The spokesperson added that Skype has seen a growth over the past one month. "Skype has seen an increase in usage, with 40 million people using it daily, up 70% month over month and, we are seeing a 220% increase in Skype to Skype calling minutes month over month."

AnyDesk, another team collaboration app, confirmed to HT Tech that it uses TLS 1.2 encryption platform. "In addition to that, we use 2048bit RSA (standard cryptographic algorithm) or 256bit Elliptic curve DH asymmetric key exchange and AEAD to verify every single connection. The combination of TLS 1.2 and 2048bit RSA or 256bit Elliptic key exchanges mean that each connection is wrapped in multiple layers of security."

The firm adds that if any modification is detected in the connection signal, the connection drops automatically, which makes it difficult for man-in-the-middle attacks, something Zoom has witnessed thanks to Zoombombers and Zoom raiders.

AnyDesk claims that it has seen an increase of 200-500% in usage in certain regions across the world.

When HT Tech asked the Google Duoteam about the encryption platform they use, the team had no comments but pointed us towards one of their support pages. Although the page did say that Duo uses end-to-end encryption for all video and audio calls, it failed to provide details on the standards that are being used.

But, should you use Zoom or not? Lucideus CEO Saket Modi pointed out that although the firm has been transparent about the loopholes lately and has started making the platform more secure, it is still not recommended given its track record.

But in case you are already using Zoom, and still have to use it, the security protocols must be enabled. The Hindustan Times (New Delhi)/Tribune News Service

Read the original:
Zoom hack: What about the encryption models used by Microsoft, Google, and AnyDesk? - The Star Online

Last updated on April 19, 2020

From becoming hacked by Zoombombers to promoting applications exploits from the Dark Internet, Zoom, the video conferencing program, has likely seen it throughout the last couple of weeks. The software, that is accessible both on desktop computers and mobile, has surged in popularity since the COVID-19 lockdown started, and is now feeling the heat since organizations and schools have begun moving away in the platform because of safety issues.

But with a few million people hunkering down in your home to suppress the spread of coronavirus, online collaborations with students or employees through video conferences are all important for the job done. And that brings us into the gold question that video conferencing program if we use?

But features arent what were speaking about now, were discussing their encryption versions and how secure are they to use (that can be more significant than anything else right now).

Thus, to answer that HT Tech touch base with Microsoft, Google, Anydesk and talked to the CEO of cybersecurity company Lucideus.

However, before we tell you exactly what the specialists said, here is a short about what encryption means. Encryption encodes the data delivered from 1 party and decodes it as it reaches the receiver. This prevents the chance of infiltration, producing video calling and calling protected. But how well this system may work is contingent upon the degree of encryption which companies, in this instance the video calling programs, use.

For example, all of your banking programs utilize 256-bit encryption.

TLS (Transport Layer Security), as its name implies, guarantees secure delivery of information on the net between two programs. It does not secure data on the finish programs (your smartphones along with your computers ).

As stated by Zoom in its service page, the TLS 1.2 using the AES 256-bit algorithm is just used for the desktop customers at the moment. Butto get dial-in participants connecting by telephone, the sound is encrypted before it renders Zooms data center and is moved to the players phone system, states Zoom.

What is well worth is that while Zoom did cite it utilizes end-to-end encryption before for many of calls, it never really did. The company even apologized to it afterward in a blog article and maybe even confronted a class-action lawsuit for overstating privacy criteria rather than revealing that its support wasnt end-to-end encrypted.

After we asked Microsoft about Skype encryption version, the Redmond-based tech company stated that itdoesnt save any Skype audio or video calls, and chat messages have been saved to allow sync over devices, but maybe deleted.

The agent pointed towards the Skype service page that mentions the usage of AES (Advanced Encryption Standard) that is utilized by the US Government to safeguard sensitive data, and Skype has for a while consistently utilized the powerful 256-bit encryption.

But, it utilizes AES once the messages are routed between two Skype customers.

The spokesperson added that Skype has witnessed a rise over the previous month. Skype has witnessed a rise in use, with 40 million people using it every day up 70% over the month and, were seeing with a 220% increase in Skype to Skype calling seconds month .

AnyDesk, yet another team cooperation program, supported to HT Tech it uses TLS 1.2 encryption system. The blend of both TLS 1.2 and 2048bit RSA or 256bit Elliptic important exchanges means that every link is wrapped in many layers of safety.

The company adds that when any alteration is detected from the link sign, the link drops automatically, making it hard for man-in-the-middle strikes, and something Zoom has seen thanks to Zoombombers along with Zoom raiders.

AnyDesk asserts it has seen a rise of 200-500percent in use in certain areas throughout the world.

When HT Tech requested the Google Duo team concerning the security system that they use, the staff had no remarks but directed us towards among the service pages. Even though the webpage did state that Duo utilizes end-to-end encryption for all audio and video calls, it neglected to provide details regarding the criteria that are used.

However, in case you use compressed or maybe not? Lucideus CEO Saket Modi pointed out that even though the company was clear about the loopholes recently and has begun making the system more secure, its still not recommended given its history.

However, in the event youre already utilizing Zoom, and have to use it, then the safety protocols have to be permitted. Weve mentioned a couple of tips here about how you can make Zoom phoning more protected.

Read more:
Zoom hackWe asked Microsoft, Google, AnyDesk in their encryption Versions | - KEYC TV

April 15, 2020Alex Woodie

Customers running IBM i 7.3 got some good news on the security front when IBM announced that the operating system would get support for the latest Transport Layer Security (TLS) protocol, version 1.3. And thats not the only security-related enhancement this group of users received with the new Technology Refreshes.

Last year, IBM gave IBM i shops the ability to use TLS 1.3, which is strongest publicly available encryption protocol used on the Internet today. TLS 1.3 debuted in the summer of 2018 and has since been adopted by nearly a quarter of sites on the Web, according to surveys. Its faster than TLS 1.2, but more importantly, TLS 1.3 is more secure, as it eliminated security ciphers that posed a security vulnerability of their own.

However, IBM i customers had to move to the latest release of the operating system, IBM i version 7.4, to get TLS 1.3. IBM remedied that situation with this weeks introduction of IBM i 7.3 TR8, which adds support for TLS 1.3 in that version of the operating system.

In a COMMON Webcast yesterday announcing the new TRs, IBM i Chief Architect Steve Will acknowledged that IBM was aware of the security shortcoming in IBM i version 7.3 when it shipped 7.4 last year. That support [for TLS 1.3] was put into 7.4, but we knew at the time that putting it into 7.4 was not going to be sufficient, he said.

IBM i 7.3 is still used by 50 percent of the installed base, according to the 2020 version of HelpSystems Marketplace Survey, compared to just 4 percent on IBM i 7.4. Those numbers have surely narrowed, as HelpSystems conducted the survey last fall and many undoubtedly have upgraded since then. But IBM i 7.3 will likely have a significant number of users for years to come, so it behooved IBM to make it as secure as possible.

HelpSystems Marketplace Survey

IBM i shops arent always the most security conscious, as weve come to learn. But IBM clearly understood the importance of adding support for the latest encryption technology to a mainstream and fully supported release of a server operating system that would be around for years.

TLS 1.3, which took 10 years to develop, will eventually replace TLS 1.2, just as TLS replaced Secure Sockets Layer (SSL) technology before that. Nobody is saying TLS 1.2 is unsafe to use (yet), but TLS 1.3 clearly is the encryption technology that forward-looking, security-conscious firms use today.

The key is that all of the support that you might want to talk to the [TLS] 1.2 partners that you have or the [TLS] 1.3 partners that you have are now part of our two most recent releases, 7.4 and 7.3, Will said in the COMMON webcast. Therefore, you can get all the necessary TLS 1.3 attributes. All of that is available to you through the standard mechanism for configuring and for getting information out of IBM.

Companies that use *OPSYS will automatically be presented with the option to use the new TLS 1.3 ciphers, Will said. Those shops that use other mechanisms for managing their SSL/TLS connections will need to manually make the change when IBM i 7.3 TR8 becomes available on May 15.

We also added the system value support back in so that you could identify on your 7.3 system that you wanted to use TLS 1.3 where possible, Will said. In this case, demonstrator need to explicitly add the new values unless they were already using the *OPSYS for the SSL/[TLS] control.

TLS 1.3 is the strongest publicly available encryption for data exchange over the Internet.

IBM also bolstered its support for TLS 1.2 in IBM i 7.4. The cryptographic community has made some changes to TLS 1.2 (which debuted way back in 2008) that will solidify its use going forward. Specifically, it added a handful of new cipher suites, including more elliptic curve algorithms for key exchanges. IBM added support for these TLS 1.2 enhancements with IBM i 7.4 TR1 last fall, and now its giving IBM i 7.3 customers the same support.

Supporting these TLS 1.2 enhancements ensures that IBM i customers can continue exchanging data with their trading partners in an unimpeded manner, Will said.

While most of our clients will want to move to 1.3, they need a partner conversation that can also do 1.2, he said. If youre dealing with somebody who is using 1.2 and hasnt moved to 1.3 yet, you may still want to do things that are stronger in their encryption and so on. TLS 1.2 has some enhancements for that. We put those in 7.4. And now they are also in 7.3.

This situation is similar to what IBM faced back in 2017, when a handful of IBM i 7.1 users were clamoring for IBM to add support for new SSL/TLS ciphers specifically, the elliptic curve encryption algorithms to that operating system.

At that time, IBM i customers were being turned down by their trading partners because they werent using the latest, greatest ciphers, which eliminated their ability to use standard Internet techniques to exchange data. IBM i 7.1 was still supported at the time, but both IBM i 7.2 and IBM i 7.3 were already out. IBM i 7.1 was nearing the end of its (very long) life, and IBM did not want to give these customers any more reason to stay on that release, so it didnt add those new ciphers to 7.1.

However, there is one key difference between IBMs TLS support now and back in 2017: IBM i 7.3 is expected to be around for quite a while (although IBM i 7.2 will be pulled from marketing at the end of April of this year and will be pulled from mainstream support at the end of April 2021). Getting TLS 1.3 running on IBM i 7.3, therefore, was a priority for IBM.

The new Digital Certificate Manager (DCM) interface that IBM introduced with IBM i 7.4 has also been added to 7.3. According to Will, the new GUI interface for DCM was received very positively by customers.

But what we found was as people were introduced to this new interface on 7.4, they said Absolutely this is what we wanted. Now make it available to 7.3 because Im managing multiple systems as well, Will said. You can use the original one if it take you a little time to learn the new one. But what were finding is that its relatively straightforward . . . The ability to see certificates that are close to expirations so that you can act on them its so much easier in this new interface, so youll want to take a look at that.

Heres Whats In the Latest IBM i Technology Refreshes

How IBM i 7.4 Improves Security

Lack Of Ciphers In IBM i 7.1 Raises Concern

See the original post:
IBM i 7.3 Encryption Bolstered With TR8 - IT Jungle