What is TLS handshake? How to fix TLS handshake? – TWCN Tech News

TLS, or Transport Layer Security, is an encryption protocol designed so that communication carried over TLS remains secure and private. In this post, I will explain what a TLS handshake is and how to fix TLS handshake failures if you run into them.

Before we go ahead and talk about the TLS handshake, let's understand when TLS is used. Every time you access a website or application over HTTPS, TLS is used. When you access email, messaging, and even VoIP services, they use TLS. HTTPS is simply HTTP carried over TLS encryption.

A handshake is a form of negotiation between two ends. Just like when we meet people, we shake hands, and then go ahead with anything else. On similar lines, the TLS handshake is a form of acknowledgment between the two ends of the connection, such as your browser and the web server.

During the TLS handshake, the two sides verify each other (in the common case, the client verifies the server's certificate), agree on the encryption to use, and exchange keys. If everything is authentic and as expected, the data exchange proceeds. There are four major steps:

In layman's terms, they first say hello, then the server offers a certificate that the client needs to verify. Once the verification is complete, a session is established. Session keys are created, and the data exchanged during that session is encrypted with them.

You cannot do anything about a server-side issue, but if the problem is on the browser side, it can be fixed. For example, if the server offers a certificate that cannot be authenticated, there is nothing you can do about it. However, if the problem is a mismatch of the TLS protocol version, you can change the version from the browser.

There are many more reasons why the TLS handshake can fail, and it depends on the scenario. So here are some ways to fix TLS handshake failures, but before that, always use these rules to narrow down the problem:

An incorrect system time is the most common reason a TLS handshake fails. The system clock is used to check whether the certificate is still valid or has expired. If there is a mismatch between the time on your computer and the server's time, a valid certificate can look expired (or not yet valid). Fix the time by setting it to update automatically.

Now visit the website again, and check if this has fixed the TLS handshake failure.
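The four-step handshake described above, and the clock-skew failure this fix addresses, can be seen together in a small model. This is an added example, not code from the TWCN article: the negotiation logic, the client and server configurations, and the host name `example.test` are constructed for illustration. The only real library call is `ssl.cert_time_to_seconds` from Python's standard library, which parses certificate dates in the same format `ssl.getpeercert()` returns.

```python
"""Toy model of a TLS handshake and the checks that make it fail.

Added example (not from the TWCN article): the negotiation logic and the
server configurations below are constructed for illustration. The only
real library call is ssl.cert_time_to_seconds from the standard library.
"""
import ssl

# Protocol versions from oldest to newest; the handshake picks the newest
# version both sides support.
VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


class HandshakeError(Exception):
    """Carries the handshake step that failed and a human-readable reason."""

    def __init__(self, step, reason):
        super().__init__(f"{step}: {reason}")
        self.step, self.reason = step, reason


def server_hello(client_hello, server):
    """Steps 1-2 ("hello"): answer the ClientHello with the highest common
    protocol version and a cipher suite both sides offer."""
    common = [v for v in VERSION_ORDER
              if v in client_hello["versions"] and v in server["versions"]]
    if not common:
        raise HandshakeError("hello", "protocol version mismatch: client offers "
                             f"{client_hello['versions']}, server accepts "
                             f"{server['versions']}")
    # The server walks its own preference list and takes the first suite
    # the client also offered.
    for suite in server["cipher_suites"]:
        if suite in client_hello["cipher_suites"]:
            return {"version": common[-1], "cipher_suite": suite}
    raise HandshakeError("hello", "no cipher suite in common")


def check_certificate(cert, now):
    """Step 3 ("certificate"): the client compares the certificate's validity
    window with its own clock (now = POSIX seconds). A skewed local clock
    makes a perfectly good certificate look expired or not yet valid."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        raise HandshakeError("certificate",
                             "certificate not yet valid (is the local clock behind?)")
    if now > not_after:
        raise HandshakeError("certificate",
                             "certificate expired (is the local clock ahead?)")
    return True


def handshake(client_hello, server, now):
    """Run the toy handshake; step 4 (session keys) is represented only by
    the returned session parameters, since no real key exchange happens."""
    params = server_hello(client_hello, server)
    check_certificate(server["certificate"], now)
    return {"ok": True, **params}


def diagnose(client_hello, server, now):
    """Report the outcome the way a troubleshooting tool would: which step
    failed and why, instead of raising."""
    try:
        params = handshake(client_hello, server, now)
        return {"ok": True, "step": "done",
                "reason": f"{params['version']} with {params['cipher_suite']}"}
    except HandshakeError as err:
        return {"ok": False, "step": err.step, "reason": err.reason}


# Constructed sample data (hypothetical host, not a real server).
CLIENT_HELLO = {
    "versions": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                      "ECDHE-RSA-AES128-GCM-SHA256"],
}
SERVER_OK = {
    "versions": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"],
    "certificate": {"subject": ((("commonName", "example.test"),),),
                    "notBefore": "Nov  1 00:00:00 2019 GMT",
                    "notAfter": "Jan 31 23:59:59 2020 GMT"},
}
# A server that only speaks protocol versions the client no longer offers.
SERVER_LEGACY = dict(SERVER_OK, versions=["TLSv1", "TLSv1.1"])

GOOD_CLOCK = ssl.cert_time_to_seconds("Dec  1 12:00:00 2019 GMT")
SKEWED_CLOCK = ssl.cert_time_to_seconds("Dec  1 12:00:00 2025 GMT")  # years ahead

if __name__ == "__main__":
    for label, server, clock in [("correct clock", SERVER_OK, GOOD_CLOCK),
                                 ("clock years ahead", SERVER_OK, SKEWED_CLOCK),
                                 ("legacy-only server", SERVER_LEGACY, GOOD_CLOCK)]:
        print(f"{label}: {diagnose(CLIENT_HELLO, server, clock)}")
```

Running it shows the same certificate accepted with a correct clock and rejected as expired when the clock is years ahead, and a server that only speaks old protocol versions failing at the hello step rather than the certificate step, which is the distinction the troubleshooting rules above rely on.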

There is one rule of thumb: if it's happening for one site, it's a security-software problem, but if it's happening for all websites, it's a system problem.

The security software or a browser extension on your computer may be intercepting TLS connections and changing something, which results in a problematic TLS handshake. It is also possible that a virus on the system is causing all the TLS problems.

Some browser extensions change proxy settings, and it may cause this problem.

In either case, you need to fix your computer or security software. The best way to confirm this is to use another computer to open the same website or application that was causing the problem.

Windows 10 and earlier versions of Windows keep the protocol settings in one central place. If you need to change the TLS version, you can do it from Internet Properties.

While Chrome, IE, and Edge use the Windows settings, Firefox manages its TLS settings on its own, just as it manages its own certificate database. Here is how to change the TLS protocol in Firefox:

Every browser maintains a database of certificates. For example, every Firefox profile has a cert8.db file. If deleting that file and restarting fixes the problem, the issue was in the local certificate database.

Similarly, on Windows, when using IE or Edge, the Certificate Manager is responsible; alternatively, go to edge://settings/privacy and click on Manage HTTPS/SSL certificates and settings. Delete the certificates and try again.

If you cannot find the database, delete the profile, and try again.

It's the last resort if you are having the issue with only one of the browsers. You can uninstall it completely and then reinstall, or reset the browser using its built-in feature. Follow the links to reset Chrome, Microsoft Edge, and Firefox.

Lastly, while you can browse a website even if its certificate is invalid, make sure not to perform any kind of transaction with it. Do not enter a credit card number or your account password.

We hope these tips were easy to follow, and that you were able to resolve the TLS issue on your browser or your computer. I have tried my best to offer enough solutions, but honestly, TLS is an extremely vast topic, and more solutions may be available.


Experts: Don’t reboot your computer after you’ve been infected with ransomware – ZDNet


Security experts don't recommend that users reboot their computers after suffering a ransomware infection, as this could help the malware in certain circumstances.

Instead, experts recommend that victims hibernate the computer, disconnect it from their network, and reach out to a professional IT support firm. Powering down the computer is also an alternative, but hibernating it is better because it saves a copy of the memory, where some shoddy ransomware strains may sometimes leave copies of their encryption keys [1, 2].

Experts are recommending against PC reboots because a recent survey of 1,180 US adults who fell victim to ransomware in the past years has shown that almost 30% of victims chose to reboot their computers as a way to deal with the infection.

But while rebooting in safe mode is a good way of removing older screenlocker types of ransomware, it is not recommended when dealing with modern ransomware versions that encrypt files.

"Generally, the [ransomware] executable that actually encrypts your data is designed to crawl through attached, mapped and mounted drives to a given machine. Sometimes it trips, or is blocked by a permission issue and will stop encrypting," Bill Siegel, CEO & Co-Founder of Coveware, a company that provides ransomware data recovery services, told ZDNet in an email this week.

"If you reboot the machine, it will start back up and try to finish the job," Siegel said.

"A partially encrypted machine is only partially encrypted due to some fortunate error or issue, so victims should take advantage and NOT let the malware finish its job...don't reboot!"

Siegel told ZDNet the advice applies to both enterprise and home users alike.

Further, ransomware victims should also take note that there are two stages of a ransomware recovery process they have to go through.

The first is finding the ransomware's artifacts -- such as processes and boot persistence mechanisms -- and removing them from an infected host.

Second is restoring the data if a backup mechanism is available.

Siegel warns that when companies miss or skip the first step, rebooting the computer often restarts the ransomware process, which ends up encrypting the recently restored files, meaning victims have to restart the data recovery process from scratch.

In the case of enterprises, this increases downtime and costs the company operating profits.

To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware's first response guide on dealing with a ransomware attack.

Article updated shortly after publication to recommend hibernating computer instead of powering down.


Apple Caving on Hong Kong Shows the Limits of Security as a Sales Tool – PCMag

There's a saying that the biggest security vulnerability is located between the keyboard and the chair, highlighting human fallibility. It's true: we're easily tricked, and we're lazy as a rule. Human failings also bring down perfect systems of security and privacy, which is why clear moral codes are required to protect those systems. When Apple agreed to remove the HKmap.live app from the App Store under pressure from the Chinese government in Beijing, it illustrated just how tenuous even the most robust security and privacy systems can be.

What is security and privacy without morality? It's just a selling point.

For those who missed the story, pro-democracy protestors in Hong Kong have been using an app called HKmap.live to warn other protestors about police moving through the city. Apple first approved the app, and then banned it, claiming that it was being used to perpetrate crimes. Given the increasing violence amidst an intense government crackdown, it's easy to assume that protestors have an even more existential concern regarding the app's availability.

This reminded me how, not long ago, Apple squared off against the full force of the FBI and DOJ as the US government pushed for the company to grant it access to an iPhone belonging to the San Bernardino shooters. In that case, Apple refused. While the company had cooperated with law enforcement in the past, the request to essentially build a special backdoor into its operating system so law enforcement could examine a device was more than Apple could bear.

Apple, along with a host of other companies, didn't budge on the issue. They even got support from former NSA types. In the end, Apple won out and the FBI ended up paying a third-party company a rumored one million dollars for a way into the phone.

It wasn't Apple's security practices, encryption systems, or engineering prowess that stood between investigators and the data within an iPhone. It was Apple's laudable willingness to stand by its stated beliefs and refuse to cooperate. The company could easily have stepped aside, but by choosing not to, it protected its devices and its users.

How could Beijing pressure Apple so effectively? NPR reports that last year, Apple sold $52 billion of products in China. Maybe that has something to do with it.

Along with the code and the engineering that goes into protecting iOS, the App Store is the other mechanism Apple has for ensuring the safety and security of its users. Apple is able to extend security and privacy protections through its hardware and OS, but it's by managing its app store that it has the biggest impact on users. If any app attempts to circumvent Apple's privacy protections, it can be removed. Conversely, Apple can also choose to keep apps available despite controversy. The App Store supports many encrypted messaging apps, whose data cannot be read by law enforcement or even Apple itself.

Unfortunately, the company has a more mixed record on this front.

Apple has used its ban hammer to protect its walled garden from apps that slurped your personal information, unfairly tricked users, or were outright malicious. These actions have kept users safe, and encouraged good behavior among developers.

The company has also made controversial decisions about which apps to ban. It has kicked out apps that too closely replicate functions of the iPhone, that track drone strikes, or that grant access to so-called "adult content." This last one has always struck me as particularly odd, considering that the best app for porn on an iPhone is Safari.

Now imagine that it wasn't a crowd-sourced map that Apple banned at the behest of a government, but Signal or any other encrypted messenger app, or the Tor app, or VPNs. (Actually, Apple has banned some of those apps in China before.) Those tools can also be used for bad things; in fact, that's always law enforcement's argument against such apps. But they also protect individuals from harm, and afford them the privacy they desire.

I won't call Apple's decision to remove HKmap.live the company's first, or even its greatest, moral failing. There have been others before this, and there will likely be more to come. It's also not the only company to have similarly failed. Google was criticized for removing a game where you played as a Hong Kong protestor, and various social media platforms are embroiled in roiling controversy over how they present information to users, and over what lengths they are willing to go to appease the Chinese government in exchange for access to its markets. Perhaps we shouldn't be looking to any for-profit corporations to fight our moral battles for us, but I digress.

What this sad drama does highlight is the tenuousness of privacy and security. A company can earn a sterling record of protecting its users and fostering exactly the kind of environment that makes people safer and allows them the freedom to speak their minds without fear of reprisal. Our connected devices, we're told by companies, aren't just products; they're supposed to make the world better. But even when a company, or an individual, uses all the right code and follows all the best practices, none of that matters if there aren't unwavering morals to back that up. It's deciding what is right and using the code to enforce those decisions that makes it all work.

I argued that the feds should let math be math. That's true as far as the mechanics go, but it's also a firm moral stance. Without the courage of your convictions, math is meaningless.


Failure to Encrypt Hardware Results in $3 Million Fine – Lexology

On November 5, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that a New York Medical Center (Medical Center) will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying a civil penalty of $3 million and entering into a Corrective Action Plan. The Medical Center is a HIPAA covered entity that includes hospital and academic medicine components.

According to OCR, the Medical Center had experienced several issues with lost or stolen unencrypted devices. OCR investigated the Medical Center in 2010 in a matter relating to an unencrypted flash drive and had provided technical assistance to the Medical Center. In the course of receiving that technical assistance, the Medical Center identified a lack of encryption as a high risk to its electronic protected health information (ePHI). Despite identifying this risk, the Medical Center continued to allow the use of unencrypted mobile devices. In 2013, the Medical Center notified OCR of the breach of unsecured ePHI, specifically the loss of an unencrypted flash drive. In 2017, the Medical Center notified OCR that an unencrypted personal laptop that contained Medical Center ePHI had been stolen, which resulted in the Medical Center impermissibly disclosing the ePHI of 43 patients.

OCR did not consider the risk analysis conducted by the Medical Center to be an accurate and thorough analysis of all potential risks and vulnerabilities to the confidentiality, integrity and availability of all of the ePHI the Medical Center was responsible for safeguarding. Further, OCR determined that the security measures implemented by the Medical Center to reduce risks and vulnerabilities to a reasonable and appropriate level were insufficient. OCR further found that the policies and procedures governing hardware and electronic media, including receipt and removal and movement of such hardware and electronic media in, out and within the Medical Center were also insufficient. Finally, OCR determined that the Medical Center did not implement mechanisms that were sufficient to either (1) encrypt and decrypt ePHI, or (2) document why encryption was not reasonable and appropriate while implementing an equivalent alternative measure to safeguard ePHI.

The Corrective Action Plan requirements include conducting a risk analysis, developing and implementing a risk management plan and updating policies and procedures and training materials.

Practical Takeaways

As a result of this enforcement action, covered entities and business associates should take note of the following:


Facebook to expand encryption drive despite warnings over crime – Reuters

LISBON (Reuters) - Facebook will outline on Wednesday plans to expand encryption across its Messenger platform, despite warnings from regulators and government officials that the enhanced security will help protect pedophiles and other criminals.


Executives told Reuters they will also detail safety measures, including stepped-up advisories for recipients of unwanted content.

The moves follow complaints by top law enforcement officials in the United States, United Kingdom and Australia that Facebook's plan to encrypt messaging on all its platforms would put child sex predators and pornographers beyond detection.

The changes, supported by civil rights groups and many technology experts, will be more fully described by company executives at a Lisbon tech conference later in the day.

Facebook messaging privacy chief Jay Sullivan and other executives said the company would press ahead with the changes while more carefully scrutinizing the data that it collects.

Sullivan plans to call attention to a little-publicized option for end-to-end encryption that already exists on Messenger. The firm hopes increased usage will give the company more data to craft additional safety measures before it makes private chats the default setting.

"This is a good test bed for us," Sullivan said. "It's part of the overarching direction."

The company will also post more on its pages for users about how the Secret Conversations function works. The feature has been available since 2016 but is not easy to find and takes extra clicks to activate.

The company is also considering banning new Messenger accounts not linked to regular Facebook profiles. The vast majority of Messenger accounts are associated with Facebook profiles but a greater proportion of stand-alone accounts are used for crime and unwelcome communications, executives said.

"We're considering a registration process where prospective Messenger users will only be able to sign up for Messenger by creating or logging into a Facebook account," a Facebook spokesperson said.

Requiring a link to Facebook would reduce the privacy protections of those Messenger users but give the company more information it could use to warn or block troublesome accounts or report suspected crimes to police.

The enhanced safety measures the company plans include sending reminders to users to report unwanted contacts and inviting recipients of unwanted content to send plain-text versions of the chats to Facebook to ban senders or potentially report them to police.

Facebook might also send more prompts to users reached by people with no shared friends or who have had many messages or friend requests rejected.

Facebook had previously said it wanted to ease user reporting of misconduct as it gradually moves toward more encryption, but it has given few details.

Reporting by Joseph Menn; Editing by Greg Mitchell and Jon Boyle


Malware and the encryption conundrum – Irish Times

There is an unprecedented demand for enterprises to optimise resources, become more agile and digitally transform at pace. They have to do it safely too, maintaining strong security policies that ensure frictionless business operations.

As technology continues to evolve, so too does the threat landscape. Security defences and risk mitigation strategies need constant attention.

Malware is a notable example of why, and one of the biggest threats facing today's businesses.

The problem may have been around for a while but its constantly mutating forms and attack vectors are more nuanced than ever. There is a new level of pressure on business security defences.

Typical methods to safeguard against malware include sandboxing, data loss prevention (DLP), intrusion prevention systems (IPS) and web gateways.

That isn't always enough, however, particularly as the growing use of Secure Sockets Layer (SSL) reduces visibility of the traffic flowing between the web server and the browser.

SSL is an industry standard that protects online transactions between organisations and their customers. All data passing between browser and web server stays private and integral.

One of the main reasons malware is such a concern is its ability to hide within this encrypted traffic and go undetected. Businesses often only have visibility over the unencrypted traffic, which can range from 25-50 per cent of the total. Unfortunately, decrypting and re-encrypting traffic between each prevention system would take too long, not to mention cause latency issues and a decrease in performance.

A vivid example of modern malware's disruptive abilities is the Man-in-the-Browser attack, whereby it shims itself between the browser and the encrypted SSL layer.

Imagine an employee logging in from home over their SSL VPN, most likely using a domain username and password to access the company server. All of this is captured by the malware. The information is then sent to command and control (C&C) servers, where the details are compromised. An outsider now holds the keys to the kingdom and can gain access to the enterprise system: a perfect opportunity to drop in some more malware and exfiltrate sensitive company data.

While big problems inevitably arise from malware hiding in SSL traffic, there are ways to stay safe without compromising operation agility.

F5 technology can solve provisioning and performance challenges via orchestration that automates workflows and the process of decrypting and re-encrypting SSL-encrypted traffic. Meanwhile, F5's Forward Proxy SSL feature gives the Application Delivery Controller (BIG-IP) the ability to optimise SSL-secured communications that are directly authenticated by the user. The result is greater control in securing the traffic, along with improved latency and faster performance. The administrator can define different security service chains for the traffic flowing between the web server and the browser. In other words, businesses get their visibility back.

For more information, visit f5.com/security

Keiron Shepherd is principal systems engineer with F5 Networks


End-to-End Encryption: The Good, the Bad and the Politics – Security Boulevard

Here's what you need to know about the debate over end-to-end encryption

It's that time of the year when we grab our popcorn and witness another chapter in the age-old battle between governments and tech companies. Once again, governments are attacking tech companies for giving criminals a safe place for their communication, while the companies say they are protecting privacy.

After Apple and WhatsApp, Facebook is the latest platform to make the headlines in the ongoing encryption debate, end-to-end encryption to be precise. In an open letter addressed to Mark Zuckerberg, co-founder & CEO of Facebook, the governments of the U.S., U.K. and Australia have asked the social networking giant not to proceed with its plans to implement end-to-end encryption across Facebook's messaging services. And not only that, they've also reaffirmed their request for a backdoor in the encryption of messaging services.

But before you form any opinions on this situation, it's essential to know what end-to-end encryption is and what it does.

Let's hash it out.

We'll get to end-to-end encryption in a bit, but before that, let's first understand what encryption is and what it does.

Consciously or unconsciously, we all send and receive a lot of information when we use the internet through our devices. And some of this information is confidential (passwords, financial information, personal photographs, etc.) and could cause a lot of damage if someone steals or tampers with it. So, how do we make sure that no one does that? Well, this is where encryption comes in.

Encryption is the technique that turns our data into an undecipherable format so that no third party can read or alter it. It's what keeps us safe in the ocean of the internet.

Here's an example of a phrase of text that's been encrypted:

As you can see, there's no way to figure out what the encrypted text means unless, of course, you have the private key to decrypt it.

Facebook Messenger already uses encryption, just not end-to-end encryption. Normal encryption (a.k.a. link encryption) works like this:

Note that in this scenario, Facebook controls the encryption/decryption, and Facebook has access to the decrypted message.

Now, let's get to end-to-end encryption. It's precisely what it sounds like: end-to-end encryption facilitates the type of encrypted communication that only the sender and receiver can read/see. No one in the middle, including Facebook, the government, or another messaging service provider, can read/decrypt messages being sent from one device to another.

In other words, the messages you send are decrypted at the endpoint of the communication, the device you're sending messages to. The server you're sending the data through (i.e. Facebook) won't be able to decrypt or view your messages.

The distinction between the two is that while normal or link encryption encrypts the data, the server transmitting information between two devices has the ability to decrypt the encrypted data. End-to-end encryption, on the other hand, still uses the server to transmit the data (how else would the data transfer take place?), but it doesn't allow the server to decrypt the data. Therefore, the server is just a medium that facilitates the transfer of encrypted information. Hence, WhatsApp or any other end-to-end encrypted app won't be able to read your information (even if they want to).
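The difference between link encryption and end-to-end encryption comes down to who holds which key, and that is easy to show in code. This is an added example, not code from the Hashed Out post or from any messaging provider: the relay server, the device names, and the cipher are constructed for illustration. The cipher is a toy (an HMAC-SHA256 keystream plus an HMAC tag) so that the script needs only the standard library; real messengers use AES-GCM or ChaCha20-Poly1305, and the key agreement between the two devices (Diffie-Hellman in Signal and WhatsApp) is assumed to have already happened when an end-to-end key is handed in below. It goes one step beyond the text by also showing that a tampered or wrong-key message is rejected rather than silently garbled.

```python
"""Link encryption versus end-to-end encryption, modelled in code.

Added example, not from the Hashed Out post: the relay server, device
names and the toy cipher are constructed for illustration. The cipher is
NOT a production design; it only needs hashlib/hmac/secrets so the script
runs offline.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter), block by block."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag. Whoever holds key can open it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag, then strip the keystream. Raises ValueError if the
    key is wrong or the blob was altered in transit."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def opens_with(key, blob):
    """True if blob decrypts under key, False if the tag check rejects it."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class RelayServer:
    """The messaging provider. It holds one link key per device and records
    everything it is able to see while relaying."""

    def __init__(self):
        self.link_keys = {}
        self.seen = []  # what the provider could read, log, or hand over

    def register(self, device):
        self.link_keys[device] = secrets.token_bytes(32)

    def relay(self, sender, recipient, blob):
        # Link encryption ends here: the server opens the sender's layer and
        # re-encrypts for the recipient, so the inner content is visible to it.
        inner = decrypt(self.link_keys[sender], blob)
        self.seen.append(inner)
        return encrypt(self.link_keys[recipient], inner)


def send_link_encrypted(server, sender, recipient, message):
    """Normal (link) encryption: only the hops are protected."""
    blob = encrypt(server.link_keys[sender], message)
    return decrypt(server.link_keys[recipient], server.relay(sender, recipient, blob))


def send_end_to_end(server, sender, recipient, e2e_key, message):
    """End-to-end: the message is sealed with a key only the two devices
    hold, and that sealed blob rides inside the same link encryption."""
    inner = encrypt(e2e_key, message)
    blob = encrypt(server.link_keys[sender], inner)
    delivered = decrypt(server.link_keys[recipient], server.relay(sender, recipient, blob))
    return decrypt(e2e_key, delivered)


def provider_saw_plaintext(server, message):
    """Did the relay ever have this exact message in the clear?"""
    return message in server.seen


if __name__ == "__main__":
    srv = RelayServer()
    srv.register("alice-phone")
    srv.register("bob-phone")
    print(send_link_encrypted(srv, "alice-phone", "bob-phone", b"link: meet at 5"),
          provider_saw_plaintext(srv, b"link: meet at 5"))
    shared = secrets.token_bytes(32)  # agreed by the two devices, never sent to srv
    print(send_end_to_end(srv, "alice-phone", "bob-phone", shared, b"e2e: meet at 5"),
          provider_saw_plaintext(srv, b"e2e: meet at 5"))
```

In both cases the recipient gets the original message, but the relay's `seen` list holds the link-encrypted message in the clear and only an opaque sealed blob for the end-to-end message. That list is exactly what a provider could be compelled to hand over, which is why the two designs differ so much in what a warrant, a breach, or surveillance of the server can expose.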

Security professionals and privacy experts largely support the idea of end-to-end encryption because it better protects your data from hackers and other parties who may want to spy on you. When you allow the data transmitter (the messaging service provider in this case) to decrypt your messages, you're leaving a significant potential security hole that could cause problems if the server is compromised, hacked, or surveilled.

If the information is protected end to end, though, there's no point in intercepting it halfway down the line, as it's in an encrypted format. Thus, it protects the privacy of millions of people and assures them that no one, not even the messaging service itself, could read their private information. For this reason, experts (including organizations such as the Electronic Frontier Foundation (EFF), the Center for Democracy & Technology, and others) are advocating for the use of end-to-end encryption in messaging apps.

The main argument against end-to-end encryption (and in favor of link encryption) is that end-to-end encryption creates a safe space for criminals to communicate where there's no third party who can read and perform security checks on their messages. In other words, the technology that's supposed to protect the privacy of millions of people and businesses protects the confidentiality of criminals as well.

I'm not saying that I'm in favor of this argument, but it undeniably does hold some water. If the server were able to decrypt the data, we could have a system that would help in catching the bad guys. In the case of end-to-end encryption, this option is gone. I don't know what other motives they may have, but this is the argument that the governments of the U.S., U.K., and Australia are using to do away with end-to-end encryption.

While the argument made by various governments might make sense to a certain extent, there's always a question mark regarding their full intentions. Do they care about the crimes that may be hidden because of end-to-end encryption, or are they crying foul in order to serve a bigger agenda: having the power to easily spy on people?

So far, seeing the evidence that's available to us, both seem likely to be true.

And it's worth noting here that Edward Snowden, the famous National Security Agency whistle-blower, previously revealed that the intelligence services in the U.K. and U.S. had been intercepting communications through various channels for many years on a mass scale. So, where do you draw the line as far as governments' interference is concerned? Encryption can be used for good and for bad, but so can surveillance!

If you've been following this entire encryption saga, you must have stumbled across the term backdoor.

Basically, a backdoor is a mathematical feature of the encryption key exchange that could decrypt the end-to-end encryption, and no one knows about it except the ones who made it (the messaging service). In popular terms, it's like a secret key. So when, let's say, a judge issues a warrant to hand over certain information in decrypted form to the government, the messaging app (or the government agency) could use this backdoor to give your decrypted information to the government.

But, again, this comes with a danger, and a massive one. What if this powerful tool falls into the wrong hands? If a cybercriminal somehow gets hold of this secret key, they could have access to all of your private pictures, messages, etc. and do who knows what with them! And that's why creating a backdoor could be even more dangerous than the concerns about standard encryption.


Implementing end-to-end encryption would mean that even Facebook itself won't have access to the information being shared through its messaging service. This seems quite contrary to the business model that Facebook has built around data monetization.

So, why doesn't Facebook want the data? Does it really care about privacy, or is there something else hiding behind the curtain?

One possible reason why Facebook plans to implement end-to-end encryption is to simply move away from the pressure of law enforcement, court orders, warrants, and controversies. Currently, Facebook uses artificial intelligence (AI) and a team of human moderators to monitor the content and messages sent via its platform. They then report suspicious communication/content to authorities. This content moderation system is the source of a lot of expense, negative news coverage and even lawsuits for Facebook.

With end-to-end encryption in place, this could all go away because Facebook won't be able to decipher the communication. They can simply say "sorry, we can't access the content even if we want to." That could save Facebook a lot of time, money, and hassle.

Considering that Facebook has already implemented end-to-end encryption in WhatsApp, the most extensively used messaging service that it owns, it seems likely that end-to-end encryption will be implemented in Facebook's other services as well. The question is: what happens next? I expect the governments championing the call to eliminate end-to-end encryption to shift gears and attack the tech companies with more ferocity. Further down the road, this never-ending battle could spark into a fire, and ordinary users could be its witnesses or become engulfed in it.

As always, leave any comments or questions below.

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/end-to-end-encryption-the-good-the-bad-and-the-politics/


Facebook May Enable Encrypted Audio and Video Calls – Tech Times

Facebook is reportedly working on enabling encrypted video and audio calls in Messenger.

App researcher and enthusiast Jane Wong found out about the unreleased feature. They shared via Twitter a screenshot of a Secret Conversation with audio and video call icons in the top corner. It also says the calls will be "end-to-end encrypted across all your active mobile devices."

Extending capabilities

The encrypted video and audio call feature will be an extended capability of the secret conversations released in 2016.

Messages sent in "secret conversations" are end-to-end encrypted. It means that only the sender and the receiver have access to the messages. Not even Facebook can see them. Additionally, the messages will only be available on selected devices. Users can also set timers that will make the messages disappear after the indicated period.

The secret conversation feature of Messenger uses the same protocol as Signal, an open-source privacy-focused messaging app developed by Open Whisper Systems.

Facebook rolled out this feature to protect users when discussing private information, which may be related to health issues, illnesses, or when sending financial information. With the addition of encrypted audio and video calls, the feature will have more use cases.

However, it is still unclear if and when the extended capability of the secret conversation feature will be released.

Expected Resistance from Governments

Should Facebook enable end-to-end encrypted audio and video calls, they can expect opposition from various governments.

In an open letter, government officials from the United Kingdom, the United States, and Australia called on Facebook to stop its plans for end-to-end encryption across its messaging apps.

According to them, "companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes." Law enforcement agencies fear that encryption of the messaging apps will prevent them from investigating illegal activities conducted via Facebook and similar apps.

However, Facebook frowned upon this proposal of governments to build backdoors in their apps. In a closed-door meeting with employees, Mark Zuckerberg, CEO of Facebook, said: "We think it is the right thing to protect people's privacy more, so we will go defend that when the time is right."

A Privacy-Focused Approach

Facebook did not have a reputation for protecting privacy, so the company's turn to a privacy-focused approach made headlines. In a post by Zuckerberg, he explained his belief that "the future of communication will increasingly shift to private, encrypted services." People will want a world where they can speak privately and live freely.

Their privacy-focused platform was built around seven principles, including private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.

Many believed this platform is a response to the revelation that Facebook let Cambridge Analytica, a British election consultancy, harvest the data of 87 million Facebook users.

2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.


Ontario town of Midland takes legal action in bid to unlock encrypted local police servers – The Globe and Mail

Photo: Ward 2 Councillor Bill Gordon was formerly in charge of IT at the Midland Police Services, and is now being sued by the town of Midland for not handing over the encryption key for the Midland Police Services servers. (Ryan Carter/The Globe and Mail)

Ever since the Ontario Provincial Police took over patrolling duties in the small town of Midland, by the scenic shores of the Georgian Bay, the computer servers of the defunct local police service have sat idle in a municipal building monitored by security guards.

No Midland official has been able to see the content of these three servers because they were encrypted before they were handed over to the town.

In an unusual modern, digital twist to small-town politics, Midland is now suing its former police chief and a town councillor in a bid to recover the encryption key that would unlock the computers.


The dispute, which follows the town's decision to disband its police force and replace it with the OPP, underlines the legal and ethical challenges that arise when disposing of electronic records and e-mail archives.

The town is portraying former police chief Mike Osborne and Councillor Bill Gordon, who was also the Midland police's IT manager, as rogue ex-employees who have taken public records hostage.

The two men, however, argue that municipal employees have no business poking into confidential files that hold details about past investigations, suspects' names, victims' statements or information about young offenders.

Unlocking the computers would also enable the town to see Mr. Osborne's past e-mails, which potentially hold information that could be used in civil suits embroiling the former top cop and Midland.

Midland's court application against Mr. Osborne and Mr. Gordon, which was filed earlier this fall, is the latest move in a three-way legal battle that also involves a law firm claiming unpaid legal fees from the town.

"This is a very precarious situation, ethically and legally, that we're in. It's unprecedented," Councillor Jonathan Main said during a lengthy town council debate on Aug. 14 preceding a vote to sue Mr. Osborne and Mr. Gordon. "... it's truly unfortunate that we got to this place where we are."

While council discussed whether to sue him, Mr. Gordon sat in the audience, having removed himself from the debate to avoid a conflict of interest.


In a court affidavit, he said that, as a civilian employee and special constable of the Midland Police Service, he had taken an oath of secrecy preventing him from releasing the encryption key until he was sure that confidential records would be properly handled.

Mr. Gordon's court filings allege that the town's bid to access the computers is motivated by its desire to get its hands on Mr. Osborne's e-mails. "The town has done nothing to mitigate. In fact, it has charged ahead with litigation," he said in court papers. He further noted that the town has a poor record for computer security, having had to pay a ransom after a hacker shut down Midland's computer systems for weeks last year.

The town, however, says it now has responsibility for police records that were not transferred to the OPP or the province. "The town of Midland becomes the custodian of that information. We're not doing anything less. We're not doing anything more," town lawyer Amanpreet Singh Sidhu told the Aug. 14 council meeting.

Midland is a community of 17,000 people, 160 kilometres north of Toronto. According to its court application, the town began considering whether to contract the OPP in the early 2010s.

Mr. Osborne was unhappy about the move. In a claim filed against the town, the former police chief alleges that supporters of the OPP takeover ran a smear campaign against him.

Eventually, the town voted to contract the OPP, which took over on Feb. 8, 2018. That same day, the law firm Johnston & Cowling LLP sued Midland and its police service board, saying it was owed $355,000 in unpaid fees and interest.


Most of that sum stemmed from a disciplinary prosecution against a Midland police officer. In a counterclaim, the town blamed Mr. Osborne for overshooting the $100,000 annual budget for legal expenses.

Photo: A police officer speaks with a citizen in front of the Ontario Provincial Police office building in Midland, Ont., on Oct. 2, 2019. (Ryan Carter/The Globe and Mail)

Mr. Osborne responded with his own suit, alleging that the police service board chair, George Dixon, was a friend of the officer's uncle, had discussions with the officer and meddled in the case, driving up legal costs.

Mr. Osborne and his lawyer didn't answer requests for comment from The Globe and Mail.

Mr. Dixon denies the allegations, explaining that his contacts with the officer and his uncle stemmed from the close-knit nature of the town.

In a statement e-mailed to The Globe, Mr. Dixon said he was acquainted with but not socially close to the officer's uncle, who is well known in the community. He said he met the officer to discuss other matters, because the man was also a union representative.

As for his intervention in the file, Mr. Dixon said: "I was interested in avoiding potential future liability claims by the officer once Midland Town Council decided to opt for OPP policing."


In another document, a letter he sent to council, Mr. Osborne alleged that the efforts to access the computer servers were a bid to pry into his e-mails. "It is personal, and Chair Dixon has expressed his wish to read our e-mail," he said in the Aug. 17, 2018, letter.

Mr. Dixon said the e-mails are business records of the Midland police and not the personal property of employees. "The law firm's invoices refer to e-mails from Mr. Osborne," Mr. Dixon said. "Defending the Johnstone & Cowling lawsuit requires the board and its legal advisers to know about the communications on these files."

Correspondence tabled at council shows that Mr. Sidhu asked the OPP to charge Mr. Osborne and Mr. Gordon. However, a senior counsel for the provincial police said in an April 3, 2019, letter that they wouldn't intervene. "The dispute ... cannot be resolved by the OPP," he wrote.



Exclusive | WhatsApp says its encryption works fine, swipes at Google and Apple – Moneycontrol

WhatsApp, pushed onto the back foot after an Israeli firm's spyware infiltrated the messaging service and compromised users' phones, has gone on the offensive with an assertive statement aimed at the government and the makers of phone software.

On November 5, the Facebook-owned company defended its end-to-end encryption, suggesting pushback on another issue where it is locked in a battle with the government: the traceability of messages on social media.

WhatsApp also took a potshot at Google and Apple, saying that vulnerabilities in phone operating systems allowed the Pegasus spyware of Israel's NSO Group to gain complete visibility of infected phones. Most phones run Google's Android or Apple's iOS software.

"Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones," the statement said.

The spyware, Facebook says, was installed through a WhatsApp call routed by NSO over WhatsApp servers. This was accomplished by reverse-engineering WhatsApp and tricking the server into believing that spyware code was WhatsApp traffic. Therefore, technically, the end-to-end encryption feature was not broken.

The wholesale compromise of infected phones by Pegasus came to light after Facebook sued NSO Group in a US court. More than 1,400 phones and devices have apparently fallen victim globally, with 121 of them in India - the main targets being human rights activists, journalists and lawyers.

NSO says Pegasus is sold only to governments.

The pushback on end-to-end encryption is significant because the government has been insisting that WhatsApp and other messaging providers allow for traceability of messages so that government agencies can track down the origin of messages. This, the government says, is necessary for law-enforcement agencies fighting crimes like terrorism, child pornography or the propagation of hate speech.

But Facebook's position is that it is not possible to work traceability into its software without compromising end-to-end encryption, which ensures that only the senders and receivers of messages have the keys to unlock and read those messages.

The Supreme Court has transferred to itself a number of petitions on the issue of traceability. Hearings are due to begin in January 2020.

On November 3, in its response to government questions, WhatsApp said that in May it was not certain that the attack was launched by the NSO Group. But WhatsApp had discovered the vulnerability on April 29 and informed the government in May.

"That time even WhatsApp was not aware that it was the NSO Group and Indians were affected," said a source at WhatsApp.

Echoing its lawsuit, Facebook has told the government that the NSO Group violated WhatsApp's terms and conditions.

WhatsApp in its US case filing, which was sent to the government, also mentioned that the NSO Group leased servers and internet hosting services in different countries, including the United States, in order to connect the target devices to a network of remote servers intended to distribute malware and relay commands to the target devices.
