Malware Obfuscation, Encoding and Encryption – Security Boulevard

Introduction

Malware is complex and meant to confuse. Many computer users think malware is just another word for virus when a virus is actually a type of malware. And in addition to viruses, malware includes all sorts of malicious and unwanted code, including spyware, adware, Trojans and worms. Malware has been known to shut down power grids, steal identities and hold government secrets for ransom.

The swift detection and extraction of malware is always called for, but malware isn't going to make it easy. Malware is mischievous and slippery, using tricks like obfuscation, encoding and encryption to evade detection.

Understanding obfuscation is easier than pronouncing it. Malware obfuscation makes data unreadable. Nearly every piece of malware uses it.

The incomprehensible data usually contains important words, called strings. Some strings hold identifiers like the malware programmer's name or the URL from which the destructive code is pulled. Most malware has obfuscated strings that hide the instructions that tell the infected machine what to do and when to do it.

Obfuscation conceals the malware data so well that static code analyzers simply pass by. Only when the malware is executed is the true code revealed.

Simple malware obfuscation techniques like exclusive OR (XOR), Base64, ROT13 and code packing are commonly used. These techniques are easy to implement and even easier to overlook. Obfuscation can be as simple as interposed text or extra padding within a string. Even trained eyes often miss obfuscated code.

The malware mimics everyday use cases until it is executed. Upon execution, the malicious code is revealed, spreading rapidly through the system.

Next-level malware obfuscation is active and evasive. Advanced malware techniques, like environmental awareness, confusing automated tools, timing-based evasion, and obfuscating internal data, allow (Read more...)


Review: SecureDrive BT, the encrypted external SSD you can unlock with Face ID – 9to5Mac

If you're looking for a secure external drive that meets both US military and government security standards, there are a number of encrypted external SSD options around. I reviewed one approach a couple of years ago, the iStorage diskAshur 2, which has a built-in PIN pad for entering a seven- to 15-digit code to unlock the drive.

The SecureDrive BT is a similar idea, but instead of a PIN pad, you unlock it via Bluetooth. Specifically, when you plug the drive into your Mac, you can use Face ID on your iPhone to unlock it.

The drive is available in both spinning metal and SSD variants, in capacities ranging from 250 GB to 8 TB. Pricing for SSDs ranges from $262 (250GB) to $3,309 (8TB). I tested the 1TB SSD model at $458.80.

The drive can be used with Mac, Windows, and Linux, and the companion app is available on both iOS and Android.

The drive looks much like any other external drive. It has a blue anodized aluminum body with black plastic endcaps. On the front is the "Secure Drive Bluetooth" name, and on the back a somewhat unsightly mix of barcode, website, and various standards compliance logos.

One thing to watch for: SecureDrive tells me it's available with both USB-A and USB-C cables. The drive I got had a USB-A cable, so I needed an adapter to connect it to my MacBook Pro.

SecureDrive BT uses the same AES256-bit XTS hardware encryption as the iStorage drive. Often referred to as military-grade encryption, this is certified by the Institute of Electrical and Electronics Engineers (IEEE) as standard P1619 and is indeed approved for US military use.

The encrypted external SSD is also FIPS 140-3 certified. This is the Federal Information Processing Standards certification, which allows it to be used for the storage of US government Top Secret documents.

Inside, the chips are encased in epoxy resin, meaning it's not possible to extract the SSD chips from the rest of the hardware.

The app lets you set a password in the 7- to 15-character range, and you can then choose to toggle on Face ID, Apple Watch unlock, or both. The drive offers remote-wipe capabilities, and can be set to automatically wipe if 10 incorrect passwords are entered.

Incidentally, Apple's FileVault also offers the same AES256-bit XTS standard, but defaults to the weaker 128-bit version for performance reasons. Disk Utility does, however, give you the option of formatting with full 256-bit AES.

Running Blackmagic, I saw write speeds of around 310MB/s, and read speeds of around 325MB/s.

These are, of course, low numbers compared to the very fast external SSDs available now, and there are two reasons for that. First, the interface is USB 3.1. Second, the AES256-bit XTS encryption does significantly slow things down, which is the reason Apple defaults to 128-bit with FileVault.

The bottom line here is that you're probably not going to want to use this as a working drive for demanding applications like video editing, though it will cope with HD video.

That's not to say it's a slow drive in SSD form, but it's still about half to two-thirds the speed of an equivalent unencrypted drive.

Mostly, though, this is a drive you're going to use to store commercially sensitive documents, like product designs, in-progress apps, marketing materials for unannounced products, customer databases, and similar.

Once the SecureDrive BT is unlocked, it works just like any other drive. So the "in use" section of the review is really about the unlocking experience, and here there's good news and bad.

The bad news is that it's a little less convenient than a drive with a keypad. To unlock it, you have to open the companion app and tap the drive name. At that point, Face ID will unlock it. But if you keep the app on your homescreen, unlocking is about as fast as using a keypad.

The good news is that you're trading off a slight inconvenience for more security. A keypad limits you to a numeric passcode; with this drive, you can have an alphanumeric password, including all special characters.

Plus, it's not obvious that it's a secure drive. If someone sees a drive with a keypad used in public, it draws attention to itself. This one, however, looks no different to any other external drive, and using your phone isn't going to be associated with unlocking the drive. So it's the more discreet option, as well as the more secure. SecureDrive does make a keypad version, too, if you prefer that.

As I said about the diskAshur 2, whether or not the SecureDrive BT is right for you really depends on whether you have a need for the security:

The real question is whether you need this level of security. For the average consumer, it's overkill, but I could definitely see some professional users appreciating it. Carrying around external drives with commercially sensitive materials on them is always a little nerve-wracking. There have been all kinds of reports of drives being left in embarrassing places like bars and trains.

For a startup, the peace of mind could well be worth the relatively small premium you're paying for heavy-duty security. For professional freelancers, it could even be turned into a selling point for clients. So if you need an external SSD and could use the reassurance this one brings, it could be very good value.

If you do need the security, or can use it as a selling tool, then the drive justifies itself. If you don't, you can get faster performance at a significantly lower price in unencrypted form. For example, the equivalent Western Digital My Passport 1TB SSD is about 50% faster and has a list price of $340 against just over $500 for the SecureDrive BT (and the WD drive is available for much less on Amazon). So, if you need this, it will be worth the price; if you don't, it won't.

The Secure Drive BT encrypted external SSD is available from Amazon in both spinning metal and SSD variants, in capacities ranging from 250GB to 8TB. I tested the 1TB SSD model at $458.80. The equivalent spinning metal version costs $238.




Encryption Tensions Flare Between U.S. Government and Tech Industry – Morning Brew

The encryption wars are alive and well.

On Monday, Attorney General William Barr asked Apple to unlock two iPhones used by the gunman in last month's shooting at a naval air base in Pensacola, FL. President Trump chimed in last night, tweeting that Apple should step up to the plate and unlock the phones.

Apple said it's given law enforcement "all of the data in our possession," meaning the shooter's iCloud account and transaction data. But it won't unlock the phones...because they're encrypted. Apple has enhanced security protections for iPhones so it can't see customer data, and the company has built its entire privacy marketing pitch around this premise.

The government has requested that tech companies add backdoors into their encrypted services to allow law enforcement to peep on their contents if necessary. In October, the U.S., U.K., and Australia asked Facebook to pause plans to build end-to-end encryption into its products.

Tech companies say they can't build backdoors for good guys only. Microsoft CEO Satya Nadella weighed in on Monday, calling backdoors "a terrible idea," though he thinks there's another solution.

Next steps: We could see a legal showdown between Apple and the government, the NYT reported, a redux of previously unresolved court battles.


Fortanix Reports Record Year with Sales Growing 285 Percent, Strategic Partnerships and Global Expansion in 2019 – Business Wire

MOUNTAIN VIEW, Calif.--(BUSINESS WIRE)--Fortanix Inc., the Runtime Encryption company, today announced it had a record year in 2019, which saw sales climb 285 percent over the previous record year. Important new partnerships with Equinix, Google, IBM and Intel set the stage for both innovation and go-to-market success. The company doubled its workforce and expanded geographically in 2019 with new offices in the United Kingdom and the Netherlands to support its growing European customer base and attract engineering talent.

"We believe 2020 will mark a turning point for the industry in data protection and privacy," said Ambuj Kumar, CEO, Fortanix. "New privacy legislation such as the California Consumer Privacy Act (CCPA), advances in hardware for Runtime Encryption, and cloud service providers partnering with Fortanix will undoubtedly drive accelerated investment and demand for data protection and confidential computing solutions."

Strategic Partnerships

In 2019, Equinix selected the Fortanix Self-Defending Key Management Service (SDKMS) to power Equinix SmartKey HSM-as-a-service. As a result of this collaboration, Equinix SmartKey is available as a global SaaS-based key management and Hardware Security Module (HSM) service hosted on Platform Equinix, Equinix's global interconnection and data center platform. Users gain a solution that is backed by strong SLAs, world-class infrastructure, and connectivity from Equinix.

Fortanix also collaborated with Google Cloud Platform (GCP) to integrate its new Google External Key Manager Service with the Fortanix Self-Defending Key Management Service (SDKMS) to enable businesses to migrate new classes of sensitive data and applications to the public cloud. The announcement of the new functionality at Google Next London featured PayPal demonstrating their use of the technology.

IBM Cloud Data Shield, powered by Fortanix's Runtime Encryption Platform, in 2019 began offering data-in-use protection for applications. With Runtime Encryption, organizations can now run data-centric workloads with security in the cloud and take advantage of the scale that the cloud provides. Common use cases include securing data-centric workloads such as blockchain, databases, AI/machine learning, and analytics.

Fortanix Secures Key Industry Certifications and Consortium Appointments

Last year, Fortanix earned the Federal Information Processing Standard (FIPS) 140-2 Level 3 certification from the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. This achievement enables businesses to replace legacy encryption technologies, including Hardware Security Modules (HSM), with the Fortanix SDKMS encryption platform for protecting the most sensitive data in the U.S. Government, and technology, financial services, and healthcare industries.

Fortanix also became an inaugural member of the newly formed Confidential Computing Consortium, an organization created by the Linux Foundation dedicated to accelerating the adoption of technologies to protect data while in use by applications through Trusted Execution Environments (TEEs). Fortanix was elected to leadership positions as both the Chair of the outreach committee and General Members Representative to the Governing Board.

Key Investors and Executives Join Fortanix To Drive Growth

Supporting this year's continued expansion, Fortanix in early 2019 announced $23 million in Series B financing, led by new investor Intel Capital with participation by existing investors Foundation Capital and Neotribe. The funding is being used to expand business operations as the company accelerates new product development and customer rollouts to meet growing global demand, including investments in sales and marketing.

The company also saw a significant increase in hiring last year, and expanded operations into Europe. New key executives hired in 2019 included Chief Product and Strategy Officer Faiyaz Shahpurwala, former VP and GM for IBM Cloud; Chief Revenue Officer David Greene, former CEO of ZeroStack; VP of Marketing Seth Knox, former VP of Marketing at Agari; and VP of Customer Success Sameer Phatarpekar, former VP of Global Customer Success at Usermind.

About Fortanix

Fortanix's mission is to solve cloud security and privacy challenges. Fortanix allows customers to securely operate even the most sensitive applications without having to trust the cloud. Fortanix provides unique deterministic security by encrypting applications and data everywhere, at rest, in motion, and in use, with its Runtime Encryption technology built upon Intel SGX. Fortanix secures F100 customers worldwide and powers IBM Data Shield and Equinix SmartKey HSM-as-a-service. Fortanix is venture backed and headquartered in Mountain View, Calif. For more information, see https://fortanix.com/.

Fortanix and Runtime Encryption are registered trademarks of Fortanix, Inc. Self-Defending Key Management Service is a trademark of Fortanix, Inc. All other marks and names mentioned herein may be trademarks of their respective companies.


Apple is privately preparing for legal battle with DOJ over iPhone encryption – iMore

A New York Times report claims that Apple is privately preparing for a legal battle with the Justice Department over iPhone encryption.

According to the report:

Apple is privately preparing for a legal fight with the Justice Department to defend encryption on its iPhones while publicly trying to defuse the dispute, as the technology giant navigates an increasingly tricky line between its customers and the Trump administration.

Timothy D. Cook, Apple's chief executive, has marshaled a handful of top advisers, while Attorney General William P. Barr has taken aim at the company and asked it to help penetrate two phones used by a gunman in a deadly shooting last month at a naval air station in Pensacola, Fla.

The report further states that executives at Apple "have been surprised by the case's quick escalation", that's according to people familiar with the company who were not authorized to speak publicly. The New York Times also reports that there is "frustration and skepticism" within Apple:

And there is frustration and skepticism among some on the Apple team working on the issue that the Justice Department hasn't spent enough time trying to get into the iPhones with third-party tools, said one person with knowledge of the matter.


How Secure is RSA in an Increasingly Connected World? – Hashed Out by The SSL Store

KeyFactor's latest study shows that many IoT device manufacturers are generating insecure RSA keys

1 in 172. That's the proportion of RSA public key certificates available through the internet that could be vulnerable to compromise due to shared cryptographic key factors.

These findings are according to a recent report on RSA certificate vulnerability from KeyFactor, a leading provider of secure digital identity management solutions and an established authority in the cybersecurity industry. A team of KeyFactor researchers presented their findings at the First IEEE Conference on Trust, Privacy, and Security in Intelligent Systems and Applications in December. The data indicates that due to improper random number generation, many RSA public keys are at risk of compromise because the researchers were able to use them to derive their private keys through a method known as factoring.

Essentially, the research indicates that RSA is still secure, but many companies are implementing it in insecure ways. As such, it underscores the importance of organizations and manufacturers being crypto agile and adhering to cryptographic best practices to maintain trust and security.

But just how big of a potential impact would compromising RSA keys have? While there's no single reliable resource we can point you to that shows X% of certificates issued use RSA keys, what we can tell you as a company that sells a lot of them is that it's a lot. Considering that Gartner forecasts that there will be 25 billion IoT devices in use by 2021, that's potentially a lot of vulnerable RSA certificate keys in the wild that cybercriminals could exploit.

In this article, we'll break down the data from the study, rehash what RSA is, and explore the implications of what the research means for your organization.

Let's hash it out.

KeyFactor, a company we work with at The SSL Store, has made a name for itself as an IoT device security leader in the industry since the company's inception in 2001. A force to be reckoned with, they're dedicated to empowering enterprises of all sizes through their award-winning PKI-as-a-service platform. They're also known for their research collaborations with other respected organizations such as The Ponemon Institute.

This particular report on RSA certificate vulnerabilities, written by JD Kilgallin, states that the company collected and analyzed 175 million RSA certificate public keys: 75 million they discovered on the internet, plus 100 million that were available through certificate transparency (CT) logs. They used a single Microsoft Azure cloud-hosted virtual machine and a greatest common divisor (GCD) algorithm for shared factors to conduct their analysis.

Here's what they discovered:

The big takeaway here is that some IoT device manufacturers are using random number generators that lack strong entropy. It's more a matter of operator error than an actual weakness in the RSA algorithm itself. As a result of using random number generators (RNGs) with low entropy, they're generating prime numbers with poor randomness, which leads to the generation of private keys that can be compromised more easily.

But what does this mean in terms of information security?

Kilgallin cautions the following:

In 2019, with the large number of devices on the Internet and in other data sets like Certificate Transparency (CT) logs, this attack presents a serious threat if proper precautions are not in place. As the number of keys grows, it is more likely that weakly generated factors in RSA public keys will be discovered. Coupled with the availability of cheap computing resources and sensitivity of communications, the attack is as potent as ever.

At the most basic level, RSA public keys are the result of two large, randomly generated prime factors. They're created using random number generators. This means that the entire security premise of the RSA algorithm is based on using prime factorization as a method of one-way encryption. So, in other words, it's operating under the assumption that no one can determine the two randomly-generated prime numbers within a reasonable amount of time; that is, that no one can crack the encryption of an SSL/TLS certificate until long after it's replaced or expired.

Well, considering that it took a group of researchers more than 1,500 years of computing time (across hundreds of computers) to factor a 232-digit number, that assumption seems plausible. But in reality, RSA is sometimes not as secure as we'd like it to be. It's not that RSA itself is insecure; it's that some companies implement it in a weak way.

That's because some random number generators aren't really that random. Furthermore, considering that the same RNGs are frequently used time and again, it reduces their effectiveness. If RSA public keys are generated with poor randomness, it means they could be vulnerable to a factoring cyberattack.

In this type of attack, cybercriminals collect large sums of public keys from the internet and analyze them to determine whether any two share the same factor. If two RSA moduli share one prime factor, it could result in a collision when applied to a large dataset. What this does is allow the actor to crack the corresponding private key.
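The shared-factor check described above is also the audit a defender runs over their own key inventory. The following is an added example, not KeyFactor's code: it implements the batch-GCD technique (product tree plus remainder tree, so a whole inventory is checked in quasi-linear time rather than pairwise) over a constructed inventory of toy moduli built from small primes; the arithmetic is identical for real 2048-bit moduli read from certificates.

```python
"""Shared-prime audit over an RSA key inventory (added example; toy data).

Any modulus that shares a prime with another modulus in the set is fully
factored by a single GCD, which is exactly the weakness the KeyFactor study
measured. Keys here are constructed from small primes so the script runs
offline; swap in real moduli from your certificate store to use it."""
from math import gcd, isqrt


def is_prime(n):
    """Trial division; only used to build the constructed inventory below."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def next_primes(start, count):
    """First `count` primes >= start (constructed test data, not real keys)."""
    out, n = [], start
    while len(out) < count:
        if is_prime(n):
            out.append(n)
        n += 1
    return out


def batch_gcd(moduli):
    """Return, for each modulus n_i, gcd(n_i, product of all other moduli).

    Product tree upwards, remainder tree downwards: each leaf ends up with
    P mod n_i^2, and (P mod n_i^2) // n_i == (P / n_i) mod n_i, so
    gcd(that, n_i) == gcd(P / n_i, n_i) without ever dividing P directly."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    rems = tree[-1]                                   # [product of all moduli]
    for lvl in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def audit_keys(inventory):
    """inventory: {label: modulus}. Returns {label: (shared_factor, cofactor)}
    for every key whose modulus shares a prime with another key in the set.
    A result of (n, 1) means the whole modulus is duplicated elsewhere."""
    labels = list(inventory)
    moduli = [inventory[k] for k in labels]
    findings = {}
    for label, n, g in zip(labels, moduli, batch_gcd(moduli)):
        if g == 1:
            continue                                  # no prime shared: healthy
        if g == n:
            # both primes reused (or an exact duplicate): fall back to pairwise
            # GCD to isolate one prime for the report, if one exists
            g = next((gcd(n, m) for m in moduli if 1 < gcd(n, m) < n), n)
        findings[label] = (g, n // g)
    return findings


# Constructed inventory: first primes above 10**6, assembled so that two
# "device" keys reuse the same prime, mimicking a low-entropy RNG at first boot.
P = next_primes(1_000_000, 7)
SAMPLE_KEYS = {
    "web-01":     P[0] * P[1],   # healthy: both primes unique to this key
    "web-02":     P[2] * P[3],   # healthy
    "dev-cam-03": P[4] * P[5],   # weak: shares P[4] with dev-cam-07
    "dev-cam-07": P[4] * P[6],   # weak: RNG reused P[4]
}

if __name__ == "__main__":
    for label, (p, q) in audit_keys(SAMPLE_KEYS).items():
        print(f"{label}: modulus factors as {p} * {q}; rotate this key")
```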

All of this leads to this concern:

As the number of keys grows, it is more likely that weakly generated factors in RSA public keys will be discovered. Coupled with the availability of cheap computing resources and sensitivity of communications, the attack is as potent as ever.

Yikes. But there is a bit of light at the end of the tunnel.

According to the report concerning the factoring attacks, only 5 of 100 million certificates found in a sample from Certificate Transparency logs are compromised by the same technique. What this means is that only the five compromised certificates found in CT logs were publicly-trusted (and no longer in use online); the rest were self-signed, privately-rooted, or device certificates. But, still, that's five too many for our taste.

We've talked about the risks of using self-signed certificates in external-facing applications in the past. It's one thing to use them on intranets and internal-facing applications; it's another to use them to secure sites or devices that are discoverable via the internet.

The discrepancy between the number of CA-signed certificates that were compromised and the others, the researchers say, is likely due to IoT devices being more easily accessible on the internet and to the design constraints and entropy limitations of power-restricted devices.

In the report, Kilgallin says:

These concerning findings highlight the need for device manufacturers, website and network administrators, and the public at large to consider security, and especially secure random number generation, as a paramount requirement of any connected system.


We keep talking about RSA encryption, RSA algorithms, and RSA keys. But what exactly is RSA itself? Let's take a moment for a brief review for those of us who aren't as familiar with this type of cryptography.

RSA, named after the MIT cryptographers who created it (Ron Rivest, Adi Shamir, and Leonard Adleman), is one of the two most popular public key encryption algorithms in use today. In SSL/TLS, it can be used for digital signatures and key exchange to establish a secure, encrypted communication channel. This way, you don't leave your sensitive data at risk by transmitting it through a non-secure channel.

The RSA algorithm comprises four essential components:

But, wait, we're talking about the RSA algorithm. I thought we were supposed to be talking about RSA encryption keys?

We are, in a roundabout sort of way. RSA refers to both a signature algorithm (a cryptographic operation) and an encryption key pair. The RSA algorithm is used to generate an RSA key pair that includes both private and public keys. The first generates digital signatures, whereas the second verifies those created signatures.

But when we talk about an encryption key, what do we really mean?

A cryptographic key, in a nutshell, is a string of randomly-ordered bits (binary digits), meaning a gargantuan string of hundreds or even thousands of 1s and 0s. Keys are integral to modern day public key infrastructure (PKI) and encryption as a whole. Keys in cryptography are like the rice to your sushi or the cream filling for your Oreo cookies: they're essential components.

In the olden days (you know, before modern technology), a key was the secret roadmap, if you will, of an encryption technique. It's what the sender would use to encrypt the message, and the recipient would use to decrypt the message. It's much the same today, but instead of using hand-written keys that are written in invisible ink or hidden away, they're digital bits of information that are transmitted electronically.

A key can be either asymmetric or symmetric. RSA keys are asymmetric. Every asymmetric key comes in a pair of mathematically-related but different public and private keys, and each key serves a different purpose: to encrypt (public key) and to decrypt (private key) data, as well as to create a shared key.

If a certificate's RSA public key that was generated with weak entropy is targeted through a factoring attack, then its shared prime numbers could be used to derive the certificate's private key, making RSA essentially useless.

But, thankfully, RSA isn't the only hitter in the game. There's another type of key that we haven't mentioned yet: ECC.

ECC, or elliptic curve cryptography, is an approach to cryptography that offers greater security and performance than RSA. That's because it doesn't rely on random number generation. Instead of RNG, ECC takes advantage of the math behind elliptic curves. If you don't know what I'm talking about, think back to your school days and the joys of plotting using coordinates on the Y- and X-axes (yeah, that's still a thing of nightmares for me, too).

I won't get into the actual calculations of elliptic curves here; you can read more about that in one of our other blog posts on ECC. But the point here is that it's a public key cryptosystem that relies on mathematical calculations based on specific points on an elliptic curve rather than a random number generator that could fail.

Another benefit of ECC over RSA is that ECC scales well. That's because its keys are smaller, which results in less computational overhead and better performance.

See what I mean?

A third advantage ECC has over RSA is that there's a variation of it, supersingular elliptic curve isogeny cryptography, that's also less vulnerable to concerns that stem from quantum computing. The National Institute of Standards and Technology (NIST) predicts that the public key cryptography we know and use today will fail once quantum computing becomes mainstream.

But the impact of quantum computing on existing cryptosystems is a whole other conversation in and of itself. And don't worry, the sky isn't falling; CAs are ahead of the curve in developing new cryptographic methods that will be quantum secure.

The drawback of ECC is that it isn't frequently used because it's not as widely supported as RSA. While it's supported by most modern operating systems and web browsers, including Chrome, Safari, Firefox, and IE, ECC isn't yet supported by a lot of web hosting control panels (such as cPanel). Unfortunately, this means that many website owners can't yet use ECC even if they want to.

Overall, the KeyFactor research showcases how weak some RSA keys are that are currently in use across the internet. It also drives home the point that organizations, and device manufacturers in particular, need to do more to protect the consumers who trust them to protect their sensitive or confidential information and privacy.

What this means for device manufacturers is that they need to:

KeyFactor researchers define crypto agility as knowing everywhere cryptography is used across your organization (i.e. certificates, algorithms, protocols, and libraries), and being able to quickly identify and remediate vulnerabilities, without disruption.

To be crypto agile, you need to stay abreast of compromises and breaches in security and also try to stay one step ahead of cybercriminals. You also need to be responsive to changes. In IoT device security, that means you need to be able to maintain trust by keeping your devices secure throughout their lifecycles.

In PKI, it in part boils down to using automated certificate management solutions. A reliable certificate management solution provides visibility into your network and helps you to easily track, monitor, and renew your certificates to avoid certificate outages. Throw away the spreadsheets and get rid of your manual tracking processes; automation is the name of the game.

So, let us take a moment to summarize everything we've really touched on in this article. KeyFactor research shows that:


Apple disagrees with the US government as the encryption battle restarts – NewsDio

Apple and the US government are at odds for the second time in four years over unlocking iPhones connected to a mass shooting, reviving the debate about police access to encrypted devices.

Attorney General Bill Barr said on Monday that Apple did not provide "substantive assistance" in unlocking two iPhones in the investigation of the December shooting of three US sailors at a Florida naval station, which he called an "act of terrorism."

Apple disputed Barr's claim, while arguing against the idea of "back doors" for the police to access its encrypted smartphones.

"We reject the characterization that Apple has not provided substantive assistance in Pensacola's investigation," the company said in a statement.

"Our responses to your many requests since the attack have been timely, thorough and ongoing."

On Tuesday night, President Donald Trump intervened on Twitter and said the government was helping Apple in business matters "but they refuse to unlock phones used by murderers, drug dealers and other violent criminal elements."

"They will have to step forward and help our great country, NOW!" he added.

The confrontation highlighted the debate between the police and the technology sector on encryption, a key way to protect the privacy of digital communications, but one that can also hinder investigations, even with a court order.

The latest battle is similar to the dispute between Apple and the US Department of Justice after the mass shooting of December 2015 in San Bernardino, California, when the iPhone manufacturer rejected a request to develop software to get into the shooter's iPhone.

That fight ended in 2016 when the government reportedly paid $1 million to an outside party for a tool that bypassed Apple's iPhone encryption.

Last year, Barr asked Facebook to allow authorities to bypass encryption to combat extremism, child pornography and other crimes. The social network has said it would move forward with strong encryption for its messaging applications.

Digital rights activists argue that any privileged access to law enforcement would weaken security and make it easier for hackers and authoritarian governments to intercept messages.

"We have always maintained that there is no backdoor just for the good guys," Apple's statement said.

"The back doors can also be exploited by those who threaten our national security and the security of our customers' data."

Apple and others argue that digital "breadcrumbs" make it increasingly easy to track people, even without getting into personal devices.

The government's latest demand "is dangerous and unconstitutional, and would weaken the security of millions of iPhones," Jennifer Granick of the American Civil Liberties Union said in a statement.

"Strong encryption allows religious minorities facing genocide, such as Uyghurs in China, and journalists investigating powerful drug cartels in Mexico to communicate safely."

Granick added that Apple cannot allow the FBI to access encrypted communications "without also providing it to authoritarian foreign governments and weakening our defenses against criminals and hackers."

Kurt Opsahl, of the Electronic Frontier Foundation, echoed that sentiment and said Apple "is right to provide solid security" for its devices.

"The AG (attorney general) asking Apple to redesign its phones to break that security is a poor security trade-off and endangers millions of innocent people around the world," Opsahl tweeted.

James Lewis of the Center for Strategic and International Studies, a Washington think tank, said he believes it is possible to allow police access without sacrificing encryption.

"You are not weakening encryption, you are making it so that it is not end-to-end," Lewis told AFP.

"It means that there is a third party who can see it under the proper authority."

But Lewis said he does not expect either side to win the battle, and that US officials will likely find another outside party to get into the two iPhones that belonged to the shooter, Royal Saudi Air Force 2nd Lieutenant Mohammed Saeed Alshamran, who died in the attack.

"It's a repeat of the movie we saw in San Bernardino," he said.

"It's going to be more difficult because Apple probably solved the trick that worked in San Bernardino."


Continue reading here:
Apple disagrees with the US government as the encryption battle restarts - NewsDio

Police Scotland to roll out encryption bypass technology – Glasgow Live

Technology that allows police officers to gather data from digital devices without the need for a password is to be rolled out from next week.

Police Scotland confirmed on Tuesday that the so-called cyber kiosks - digital triage devices - will be given to officers on January 20.

The kiosks are laptop-sized machines that enable the user to override encryption on devices such as mobile phones and tablets.

The technology was due to be deployed earlier, but the roll-out was hit by delays as MSPs called for greater clarity over the legal framework for its use.

A total of 14 kiosks have already been bought by Police Scotland and will be located across all policing divisions.

It is expected all of the kiosks will be operational before May 1.

Police Scotland believes the kiosks will allow lines of inquiry to be progressed at a faster pace, with officers able to return mobile devices to their owners sooner after assessing them for potential evidence.

Officers will only examine the device of an individual when there is a legal basis and it is "necessary, justified and proportionate" to the crime under investigation.

The kiosks will not be able to store data from any device, and when an examination is complete all data will be securely deleted.

Deputy Chief Constable Malcolm Graham said having the ability to quickly assess which devices either do or do not contain evidence on them will minimise the intrusion into people's lives.

"We are committed to providing the best possible service to victims and witnesses of crime," he said.

"This means we must keep pace with society. People of all ages now lead a significant part of their lives online and this is reflected in how we investigate crime and the evidence we present to courts.

"Many online offences disproportionately affect the most vulnerable people in our society, such as children at risk of sexual abuse, and our priority is to protect those people."

He added: "Increases in the involvement of digital devices in investigations and the ever-expanding capabilities of these devices mean that demand on digital forensic examinations is higher than ever.

"Current limitations, however, mean the devices of victims, witnesses and suspects can be taken for months at a time, even if it later transpires that there is no worthwhile evidence on them.

"By quickly identifying devices which do and do not contain evidence, we can minimise the intrusion on people's lives and provide a better service to the public."


Read the original here:
Police Scotland to roll out encryption bypass technology - Glasgow Live

Attorney General Barr Asks Apple to Break Encryption – The Mac Observer

Attorney General William Barr has asked Apple to unlock the iPhone used by the shooter in Pensacola, Florida (via NYT).

Although no one has explicitly called for Apple to create a backdoor into iOS's encryption (yet), that is what they are implying. Apple is unable to unlock the iPhones without knowing the passcode. The company did, however, share data from iCloud backups with the FBI.

Apple is able to do this because the decryption keys for iCloud backups are stored on its servers, so that a customer who loses their passcode can still recover the backup. The same design lets Apple hand the data to third parties: iCloud backup is not true end-to-end encryption.
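The difference between the two designs, and why Lewis's proposed "third party who can see it under the proper authority" is the same thing as the iCloud-backup model, is easiest to see in code. The example below is added here and is not code from The Mac Observer, Apple or any real backup system. It uses only the Python standard library: PBKDF2 stands in for a phone's hardware-bound key derivation, the HMAC-SHA256 counter-mode cipher stands in for AES-GCM (it is a toy, not for production use), `PROVIDER_KEK` is a hypothetical provider-held key-encryption key, and the backup contents are constructed sample bytes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical key-encryption key held on the provider's servers (assumed for the example).
PROVIDER_KEK = secrets.token_bytes(32)


def derive_key(passcode: bytes, device_secret: bytes, salt: bytes) -> bytes:
    """User-side key from the passcode plus a secret that never leaves the device.
    PBKDF2 stands in for whatever hardware-bound KDF a real phone uses."""
    return hashlib.pbkdf2_hmac("sha256", passcode + device_secret, salt, 50_000, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys so one key is never used for both jobs."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD (counter keystream, encrypt-then-MAC) standing in for AES-GCM.
    Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None when the key is wrong or the blob was modified."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def make_backup(passcode: bytes, device_secret: bytes, data: bytes, escrow: bool) -> Dict[str, bytes]:
    """Encrypt `data` under a fresh data key (DEK) and wrap the DEK for whoever may open it.

    escrow=True  : the iCloud-backup style model described above. The DEK is additionally
                   wrapped under the provider's KEK, so the provider can recover a backup for
                   a locked-out user, or hand it over under legal process.
    escrow=False : end-to-end. Only a key derived on the device unwraps the DEK; the provider
                   stores ciphertext it cannot read.
    """
    dek, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    record = {
        "salt": salt,
        "ciphertext": seal(dek, data),
        "wrapped_dek_user": seal(derive_key(passcode, device_secret, salt), dek),
    }
    if escrow:
        record["wrapped_dek_provider"] = seal(PROVIDER_KEK, dek)
    return record


def user_decrypt(record: Dict[str, bytes], passcode: bytes, device_secret: bytes) -> Optional[bytes]:
    dek = unseal(derive_key(passcode, device_secret, record["salt"]), record["wrapped_dek_user"])
    return None if dek is None else unseal(dek, record["ciphertext"])


def decrypt_with_provider_key(record: Dict[str, bytes], kek: bytes) -> Optional[bytes]:
    """What the provider can do, and equally what anyone holding a copy of its KEK can do:
    a compelled disclosure, a server breach and an insider all look identical here."""
    wrapped = record.get("wrapped_dek_provider")
    if wrapped is None:
        return None
    dek = unseal(kek, wrapped)
    return None if dek is None else unseal(dek, record["ciphertext"])


def demo() -> Dict[str, bool]:
    passcode, device_secret = b"123456", secrets.token_bytes(32)
    data = b"constructed sample backup: chat history, contacts, photos"  # not real data
    escrowed = make_backup(passcode, device_secret, data, escrow=True)
    e2e = make_backup(passcode, device_secret, data, escrow=False)
    return {
        "user_opens_escrowed": user_decrypt(escrowed, passcode, device_secret) == data,
        "user_opens_e2e": user_decrypt(e2e, passcode, device_secret) == data,
        "provider_opens_escrowed": decrypt_with_provider_key(escrowed, PROVIDER_KEK) == data,
        "provider_opens_e2e": decrypt_with_provider_key(e2e, PROVIDER_KEK) == data,
        "wrong_passcode_opens_e2e": user_decrypt(e2e, b"000000", device_secret) == data,
        "attacker_without_kek": decrypt_with_provider_key(escrowed, secrets.token_bytes(32)) == data,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The only thing that separates the two records is whether a second wrapping of the data key exists under a key the user does not control. That is the whole of the "not end-to-end" proposal: no cipher is weakened, but the ciphertext becomes readable by whoever holds `PROVIDER_KEK`, and the code cannot tell a court order from a stolen copy of that key.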

The San Bernardino dispute was resolved when the F.B.I. found a private company to bypass the iPhones encryption. Tensions between the two sides, however, remained; and Apple worked to ensure that neither the government nor private contractors could open its phones.

Officials specifically want access to the shooter's conversations in WhatsApp and Signal to figure out whether he planned the attack with others on the naval base or acted alone.


View original post here:
Attorney General Barr Asks Apple to Break Encryption - The Mac Observer

The year of encryption is upon us – Security Boulevard

1969 will forever be known as the year humans walked on the moon. Gary Ross Dahl rocked the world again in 1975 with the introduction of the Pet Rock. And MTV celebrated the moon landing and popular culture and changed the music world when it launched in 1981.

The world remembers 1989 as the year the Berlin Wall fell, opening the door to a unified Germany. It's hard to forget 2008, the year the financial crisis hit. And 2015 was the year of the millennial, when this group surpassed baby boomers as the biggest U.S. generation.

Each year has its defining moments and trends. And 2020 will be the Year of Encryption.

Here's why: Encryption is a key technology for protecting sensitive information such as social security numbers, government IDs and financial data. It is also an important part of personal data privacy, a key consumer and compliance concern. Given its importance, encryption is also a subject of debate at the U.S. state and federal level and elsewhere in the world.

The nation's most populous state kicked off 2020 with the California Consumer Privacy Act (CCPA). As of Jan. 1, 2020, California residents have greater control over their personal data.

Under the CCPA, organizations are required to disclose what data they have about California residents who request that information. Companies must delete the information of California residents who ask them to do so. And Californians can forbid organizations from sharing their data with other entities.

Residents of the Golden State also now have the right to bring action for statutory damages if their information is subject to a data breach. But, notably, they can do so only in cases in which their personal information is nonencrypted and nonredacted.

That is likely to prompt more organizations to employ encryption technology. So is the fact that the CCPA will make consumers more informed about personal data privacy.

Lawmakers in the U.S. and elsewhere are also fueling discussion and new action around encryption. In Washington, D.C., there's a new push to require the tech community to create encryption backdoors giving government entities access to the information. Senators are pushing tech companies to give law enforcement personnel access to encrypted data for investigations into criminal and terrorist organizations. The challenge with any backdoor is that a nefarious organization may also discover and use it to reach the sensitive information, undermining the purpose of encryption.

Meanwhile, government leaders from Australia, the U.K. and U.S. are urging Facebook to abandon encryption plans. They sent Mark Zuckerberg an open letter in October voicing their concerns and making this request.

Then there's the General Data Protection Regulation (GDPR). GDPR has been in force since May 2018, but many organizations are still implementing and fine-tuning their compliance strategies around this relatively new requirement. And some of those strategies leverage encryption.

Also, the significant GDPR fines regulators are levying for non-compliance continue to generate headlines and calls for better solutions. The fact that Brexit appears to be moving forward is also creating new conversations around GDPR. Businesses are wondering how the U.K.'s withdrawal from the European Union will affect GDPR requirements in the U.K. and how to respond.

Four years have passed since the Cambridge Analytica-Facebook scandal and other election meddling activities came to light. Yet concerns remain about how the country can ensure fair elections in 2020 and beyond.

Following the 2016 election, WIRED magazine ran a story with this headline: "For the Next Election, Don't Recount the Vote. Encrypt It." And, a couple of months ago, the Massachusetts Institute of Technology debuted a cryptographic voting system. Whether and when government leaders decide to employ encryption remains to be seen. (If they plan to use it for the elections, they had better move fast, as primaries begin next month.)

In any case, one thing seems certain: encryption in 2020 will be more readily understood, discussed and debated than ever before. And that's a good thing.

Welcome to the Year of Encryption.

Please visit nCipher's website to learn more about the company. You can also follow us on Twitter, LinkedIn, and Facebook, and find me on Twitter @pgalvin63

Read the original:
The year of encryption is upon us - Security Boulevard