Governing administration of India And WhatsApp Are Debating Encryption Guidelines: All You Require to Know – asume tech

India's federal government asked Facebook Inc to help it decrypt private messages on its network, citing national security requirements in a court hearing on privacy rights on social media platforms. India's Attorney General K.K. Venugopal told the Supreme Court that it was the responsibility of social media companies to share data wherever there was a threat to national security. A terrorist simply cannot claim privacy, Venugopal said. For Facebook and WhatsApp to say they are unable to decrypt is not satisfactory. Facebook-owned WhatsApp, which has about 400 million users in India, allows groups of hundreds of users to exchange texts, photos and videos using end-to-end encryption, beyond the oversight of independent fact checkers or even the platform itself.

The government said in an affidavit it planned to frame new rules to govern social media, keeping in view the ever-growing threats to individual rights and the nation's integrity, sovereignty, and security. They can't come into the country and say we will establish a non-decryptable system, Venugopal said, referring to large internet platforms.

But Facebook's lawyer Mukul Rohtagi told the court the company was not obliged to share users' data with the Indian government.


The case went to the Supreme Court after Facebook in August asked the top court to hear all cases relating to privacy and curbs on social media usage, local media reported. WhatsApp has been trying to find ways to prevent its misuse, following concerns that the platform was being used to spread disinformation, but has said it will not dilute end-to-end encryption. Rohtagi said local rules neither mandated companies to share data with government agencies, nor placed the onus of facilitating a means of decrypting messages on them. The rules say if I have the key, I could give the key. But I don't have the key myself, Rohtagi said, referring to Facebook or WhatsApp servers, which are located outside of India.

The Supreme Court said it will now consolidate all pending cases on the issue from lower courts across the country and hear them starting in the last week of January.

Tushar Mehta, a lawyer for the federal government, said there was no intention to invade the private lives of citizens, and India merely wanted to protect its citizens against extremism. But Judge Deepak Gupta asked the government's lawyers to clarify why the onus of facilitating decryption should be on the social media companies. The law lets the government request help to decrypt, but does not suggest the companies do it for the government, he told Venugopal. Nobody prevents you from having your own system of decryption, Gupta said.


Comcast Is Lobbying Against Encryption That Could Prevent it From Learning Your Browsing History – VICE

Internet giant Comcast is lobbying U.S. lawmakers against plans to encrypt web traffic that would make it harder for internet service providers (ISPs) to determine your browsing history, according to a lobbying presentation obtained by Motherboard.

The plan, which Google intends to implement soon, would enforce the encryption of DNS data made using Chrome, meaning the sites you visit. Privacy activists have praised Google's move. But ISPs are pushing back as part of a wider lobbying effort against encrypted DNS, according to the presentation. Technologists and activists say this encryption would make it harder for ISPs to leverage data for things such as targeted advertising, as well as block some forms of censorship by authoritarian regimes.

Mozilla, which makes Firefox, is also planning a version of this encryption.

"The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers," Marshall Erwin, senior director of trust and safety at Mozilla, told Motherboard in a phone call after reviewing sections of the slide deck.

"We are trying to essentially shift the power to collect and monetize people's data away from ISPs and providing users with control and a set of default protections," he added, regarding Mozilla's changes.

A screenshot of the lobbying presentation. Image: Motherboard.

In the presentation, Comcast paints this type of encryption as something that will fundamentally change the internet and will centralize power under Google.

"The unilateral centralization of DNS raises serious policy issues relating to cybersecurity, privacy, antitrust, national security and law enforcement, network performance and service quality (including 5G), and other areas," Comcast said in the presentation.

"Congress should demand that Google pause and answer key questions," a section of the presentation reads. "Why is Google in such a rush?" reads another.

Google recently announced it would soon start testing the enforcement of DNS over HTTPS, or DoH. A DNS request is essentially a record of which website someone visited. Generally speaking, with DoH those requests would be harder to read for anyone intercepting the request, such as a hacker on the same Wi-Fi network, a government agency sitting on the wire, or the user's ISP.
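To make the difference concrete, the sketch below (an added example, not code from Motherboard, Google or Mozilla) builds the DNS query a browser sends for a site, parses it the way anyone on the wire can when it travels in the clear on port 53, and then wraps the same bytes in a DoH request as defined in RFC 8484. The flow records and the placeholder TLS payload are constructed; the `/dns-query` path and the `www.example.com` query follow the sample request in RFC 8484.

```python
import base64
import struct


def build_query(hostname, qtype=1, txid=0):
    """Build a minimal DNS query message (RFC 1035). qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question_name(message):
    """Recover the queried hostname from a DNS message, as a passive observer would."""
    if len(message) < 12:
        raise ValueError("too short for a DNS header")
    if struct.unpack("!H", message[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("truncated question name")
        length = message[pos]
        if length == 0:
            break
        if length > 63:
            raise ValueError("compression pointer or bad label in question")
        label = message[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_path(message, path="/dns-query"):
    """RFC 8484 GET form: the DNS message, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def decode_doh_get_path(request_path):
    """Resolver side: recover the DNS message from the 'dns' parameter."""
    encoded = request_path.split("?dns=", 1)[1]
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded)


def observer_view(flows):
    """What an on-path observer can read from (dst_port, payload) flow records."""
    seen = []
    for dst_port, payload in flows:
        if dst_port == 53:
            try:
                seen.append(parse_question_name(payload))
            except ValueError:
                seen.append("<unparseable>")
        elif dst_port == 443 and payload[:1] == b"\x17":
            # TLS application-data record: the DoH request is inside and unreadable.
            seen.append("<TLS application data>")
    return seen


QUERY = build_query("www.example.com")

# Constructed flows: the same lookup sent in the clear and via DoH. The TLS
# record body is placeholder bytes standing in for ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)
FLOWS = [(53, QUERY), (443, TLS_RECORD)]

if __name__ == "__main__":
    print(observer_view(FLOWS))
    print(doh_get_path(QUERY))
```

The resolver that terminates the TLS connection still decodes the full query, which is why the choice of DoH resolver matters as much as the encryption itself.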

"As part of our long standing commitment to making the web safer to use, we will be conducting an experiment to validate our implementation of DNS-over-HTTPS (aka DoH) in Chrome 78," Kenji Baheux, Chrome Product Manager, wrote in a blog post in September.

The Comcast document, which has been presented to policy makers, says that encrypting browsing data "will cause radical disruption." It also mentions raising issues for law enforcement; the slide deck does not, however, point out that DNS providers who respond to law enforcement requests can still provide relevant information to authorities.

But much of the deck pushes one fundamental premise: that Google is centralizing DNS with its DoH, creating a monopoly over the data and its security.

"If Google encrypts and centralizes DNS, ISPs and other enterprises will be precluded from seeing and resolving their users' DNS," the presentation says.


That's not accurate, though. Google isn't actually forcing Chrome users to only use Google's DNS service, and so it is not centralizing the data. Google is instead configuring Chrome to use DoH connections by default if a user's DNS service supports it. A DNS service helps a web browser translate web domains into actual IP addresses to visit. Typically, ISPs will do this for customers, but Google, Cloudflare, and other cybersecurity companies also run their own DNS servers that people can use.

"One of the important points to highlight is that Google has no publicly announced plans to override the user's configured DNS resolver as part of their implementation of DoH," Max Hunter, engineering director at the Electronic Frontier Foundation (EFF), wrote in an email. "If Google did override the OS-configured resolver with their own, EFF would be very concerned about the potential for turnkey surveillance and censorship that level of DNS centralization would bring."

"Google has no plans to centralize or change people's DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate," a Google spokesperson told Motherboard in a statement.

"We're currently experimenting with new ways to enhance online privacy and security while maintaining existing content filtering and parental controls. Our proposal for DoH enables secure connections and does not change a user's DNS, so all existing filters and controls remain intact. Furthermore, there is no change to how DNS providers work with law enforcement in accordance with court orders," the Google spokesperson added.

A screenshot of the lobbying presentation. Image: Motherboard.

Even the maintainers of competing web browsers aren't buying Comcast's arguments.

"What this deck is attempting to do is take advantage of a lot of anti-Google sentiment that exists right now, build on top of that an inaccurate account of exactly what we are doing to stop that deployment," Erwin from Mozilla added.

Mozilla's own plan for DoH differs somewhat from Google's. Erwin explained that Mozilla is in the process of rolling out DoH by default to a 5 percent slice of randomly selected users, with the plan to expand DoH across its user base. Mozilla is doing that in partnership with Cloudflare, which acts as the DNS resolver.

"The real one truthful point in this ISP lobbying effort is that DoH does represent a fundamental shift in the way the web works; and that's deliberate, on our part," Erwin said.

Ellen Canale, director of corporate communications at Mozilla, wrote in an email, "This is part of a pretty aggressive campaign we've seen from the ISPs to protect their control over DNS traffic and the tracking opportunities it provides them."

Last month, multiple trade groups that represent ISPs' interests wrote a letter to lawmakers urging them to call upon Google to not implement DoH. Hunter shared a copy of a letter EFF sent to Congress along with other organizations in response to the trade bodies' letter.

"Congress should support systemic adoption of DoH in order to close up one of the largest privacy gaps remaining on the Internet while furthering the cause of Internet freedom in many parts of the world in dire need of it," the EFF letter, also signed by Consumer Reports and the National Consumers League, reads.


Comcast, for its part, stressed it does not sell customers' browsing data.

"Where our Xfinity Internet customers go on the Internet is their business, not ours. We do not track the websites or apps our customers use through their broadband connections. Because we don't track that information, we don't use it to build a profile about our customers and have never sold that information to anyone," a spokesperson wrote in an emailed statement.

"We are supporters of encrypting DNS and want to make sure that it is implemented in a careful, collaborative manner for the benefit of Internet customers to ensure that important parental controls, cybersecurity protections and network security features are not broken in the process," the spokesperson said in a second statement. "We believe that engagement by Google and Mozilla with other players in the Internet ecosystem would lead to a collaborative, industry-wide solution that protects everyone, just as has happened with other significant changes to Internet architecture. Any unilateral action that limits customer choice will not work."

Of course, it's worth noting that, in 2017, ISPs lobbied Congress to make it possible to sell your browsing data without your consent.

"Either, they are doing something with this data today that is not transparent to users, or they are working incredibly hard to protect a future business model," Erwin said.


Global encryption software market is expected to grow with a CAGR of 16.38% over the forecast period from 2019-2025 – Salamanca Press

The report on the global encryption software market provides qualitative and quantitative analysis for the period from 2017 to 2025.

Read the full report: https://www.reportlinker.com/p05806461/?utm_source=PRN

NEW YORK, Oct. 29, 2019 /PRNewswire/ -- The report predicts the global encryption software market to grow with a CAGR of 16.38% over the forecast period from 2019-2025. The study on encryption software market covers the analysis of the leading geographies such as North America, Europe, Asia-Pacific, and RoW for the period of 2017 to 2025.

The report on encryption software market is a comprehensive study and presentation of drivers, restraints, opportunities, demand factors, market size, forecasts, and trends in the global encryption software market over the period of 2017 to 2025. Moreover, the report is a collective presentation of primary and secondary research findings.

Porter's five forces model in the report provides insights into the competitive rivalry, supplier and buyer positions in the market and opportunities for the new entrants in the global encryption software market over the period of 2017 to 2025. Further, the IGR-Growth Matrix given in the report brings an insight into the investment areas that existing or new market players can consider.

Report Findings

1) Drivers
- Growing number of cyber-attack cases across the world
- Increasing adoption of the cloud-based technologies

2) Restraints
- Availability of pirated encryption software

3) Opportunities
- Increasing awareness and demand for integrated data protection solutions

Research Methodology

A) Primary Research

Our primary research involves extensive interviews and analysis of the opinions provided by the primary respondents. The primary research starts with identifying and approaching the primary respondents. The primary respondents approached include:
1. Key Opinion Leaders associated with Infinium Global Research
2. Internal and external subject matter experts
3. Professionals and participants from the industry

Our primary research respondents typically include:
1. Executives working with leading companies in the market under review
2. Product/brand/marketing managers
3. CXO level executives
4. Regional/zonal/country managers
5. Vice President level executives

B) Secondary Research

Secondary research involves extensive exploring through the secondary sources of information available in both the public domain and paid sources. At Infinium Global Research, each research study is based on over 500 hours of secondary research accompanied by primary research. The information obtained through the secondary sources is validated through the crosscheck on various data sources.

The secondary sources of the data typically include:
1. Company reports and publications
2. Government/institutional publications
3. Trade and associations journals
4. Databases such as WTO, OECD, and World Bank, among others
5. Websites and publications by research agencies

Segment Covered

The global encryption software market is segmented on the basis of deployment, application, and end user.

The Global Encryption Software Market by Deployment
- On-premise
- Cloud

The Global Encryption Software Market by Application
- Database Encryption
- Disk Encryption
- Cloud Encryption
- Communication Encryption
- File/Folder Encryption

The Global Encryption Software Market by End User
- IT and Telecommunication
- BFSI
- Healthcare
- Aerospace and Defence
- Other End Users

Company Profiles
- Microsoft Corporation
- Symantec Corporation
- International Business Machines Corporation
- McAfee, LLC
- Thales e-Security, Inc. (Thales Group)
- Sophos Group plc
- Trend Micro Incorporated
- Check Point Software Technologies Ltd.
- ESET, spol. S r. o.
- Proofpoint, Inc.
- Other Companies

What does this report deliver?
1. Comprehensive analysis of the global as well as regional markets of the encryption software market.
2. Complete coverage of all the segments in the encryption software market to analyze the trends, developments in the global market and forecast of market size up to 2025.
3. Comprehensive analysis of the companies operating in the global encryption software market. The company profile includes analysis of product portfolio, revenue, SWOT analysis and latest developments of the company.
4. IGR-Growth Matrix presents an analysis of the product segments and geographies that market players should focus on to invest, consolidate, expand and/or diversify.


About Reportlinker

ReportLinker is an award-winning market research solution. Reportlinker finds and organizes the latest industry data so you get all the market research you need - instantly, in one place.


Seclore and Clearswift Partner to Combine the Best-of-Breed Email Security, Encryption, and Rights Management for Enterprises – PRNewswire

Seclore's Email Encryption Plus enables Clearswift customers to automatically add persistent, granular usage controls to email content and attachments.

MILPITAS, Calif., Oct. 29, 2019 /PRNewswire/ -- Seclore, provider of the industry's first, open Data-Centric Security Platform, and Clearswift, provider of adaptive data loss prevention and email security solutions, today announced their partnership to bring next-generation email encryption solutions to enterprises.

As email remains the primary communication channel for sharing information, organizations must have control over who accesses and shares sensitive data. Often referred to as the "last-mile" problem, the challenge is heightened by growing privacy regulations. Granular and automated security of emails sent within and outside the enterprise continues to be a challenge.

With the addition of Seclore Email Encryption Plus, Clearswift customers can automatically attach persistent, granular usage controls to protect email content and attachments flowing in and out of the business, ensuring sensitive information remains under the organization's control no matter where it is sent. The automated nature of the solution eliminates the need for end-users to take action to protect emails as the action is based on the content and policy. For email recipients, the innovative browser-based solution eliminates the need to download and install agents in order to access the information.

"In addition to growing data privacy requirements, the risk of data breaches and leaks is a major concern to organizations. After considering several data-centric security offerings, we chose Seclore due to its frictionless experience, ease of integration, and regulatory compliance reporting," said Dr. Guy Bunker, CTO, Clearswift. "We are committed to offering Clearswift customers the most secure solution for sharing sensitive information through email and look forward to working with Seclore to keep our customers' information protected, revocable, and trackable, regardless of where it travels."

"Data security and privacy continue to be a top concern for any business, and we are excited to partner with Clearswift to deliver next-generation email encryption for current and future Clearswift customers worldwide," said Vishal Gupta, CEO, Seclore. "With the seamless integration of Seclore Email Encryption Plus, businesses can rest assured that outgoing, as well as incoming information shared through email, can only be utilized by approved users."

Benefits of the combined Seclore Email Encryption Plus and Clearswift Solutions, include:

To learn more about Seclore and request a product demo, visit www.seclore.com

About Seclore:

Seclore offers the market's first open, browser-based Data-Centric Security Platform, which gives organizations the agility to utilize best-of-breed solutions to discover, identify, protect, and track the usage of data wherever it goes, both within and outside of the organization's boundaries. The ability to automate the data-centric security process enables organizations to fully protect information with minimal friction and cost. Over 2000 companies in 29 countries are using Seclore to achieve their data security, governance, and compliance objectives.

www.seclore.com

About Clearswift:

Clearswift is trusted by global organizations to protect critical information, giving teams the freedom to securely collaborate and drive business growth. Clearswift's unique technology supports a straightforward and 'adaptive' data loss prevention solution that avoids operational interruption and enables organizations to gain visibility and take control of their critical information 100% of the time.

http://www.clearswift.com


A new initiative to protect university data is underway! – UM Today

October 28, 2019

Information Services and Technology (IST) is introducing a new encryption service to protect data on all IST-supported Windows and Mac devices. Encryption will make your data unreadable if your device is misplaced, lost or stolen.

Encryption is a method of preventing unauthorized access to electronic data. Encryption scrambles your data and makes it accessible to only authorized parties (using a UMNETID and Password). Other means of accessing your data will be unsuccessful.

Security breaches can cause a lot of wasted time, money and stress. We are committed to keeping your data safe and for your eyes only!

IST uses the Software Centre to deploy encryption on your device. You may experience a minor slow down of your device during the brief installation of encryption. Once installed, encryption will have very little impact on you or your device.

Please note that personal devices (i.e. devices not owned by the university) are not included in this initiative.

Your department will receive notification before encryption is deployed to your area.

If you have any questions or concerns, please contact the IST Service Desk (204-474-8600).

IST Communications


MedusaLocker Ransomware: Here’s What MSSPs Need to Know – MSSP Alert

by Dan Kobialka Oct 25, 2019

Cybercriminals are using MedusaLocker ransomware to encrypt the files on victims' computers, according to Bleeping Computer.

MedusaLocker was discovered last month by MalwareHunterTeam. Since that time, MedusaLocker samples have been submitted to ID Ransomware, a MalwareHunterTeam website that enables end users to upload a ransom note or sample encrypted file to identify ransomware used to encrypt data.

MedusaLocker performs various startup routines to prepare a computer for encryption, Bleeping Computer reported. It ensures that Windows networks are running and mapped network drives are accessible, identifies and stops security program processes, and closes all data files to make them available for encryption.

MedusaLocker then clears Shadow Volume Copies so that they cannot be used to restore files. It next removes backups made with Windows backup and disables Windows automatic startup repair.

Finally, MedusaLocker creates a ransom note that is placed in each folder that contains encrypted files. MedusaLocker also provides two email addresses to contact for ransom payment instructions.
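The recovery-inhibiting steps described above leave process-creation traces that an MSSP can alert on before or during encryption. The sketch below is an added example, not taken from the article or from Bleeping Computer's analysis; it assumes those steps are carried out with the stock Windows tools vssadmin, wmic, wbadmin and bcdedit, and the host names and events are constructed.

```python
import re
from datetime import datetime, timedelta

# One pattern per recovery-inhibiting action named in the article. The tool
# names are an assumption (standard Windows utilities), not from the article.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "backup_deletion": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(systemstatebackup|catalog|backup)\b",
        re.I),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*"
        r"\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}


def classify(command_line):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def detect(events, window=timedelta(minutes=5), threshold=2):
    """Alert per host when >= threshold distinct actions occur within window.

    A single matching command is often legitimate administration; several
    different recovery-inhibiting actions in quick succession are not.
    """
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        for action in classify(ev["command_line"]):
            hits.setdefault(ev["host"], []).append((ev["time"], action))
    alerts = []
    for host, host_hits in hits.items():
        for i, (start, _) in enumerate(host_hits):
            actions = sorted({a for t, a in host_hits[i:] if t - start <= window})
            if len(actions) >= threshold:
                alerts.append({"host": host, "first_seen": start, "actions": actions})
                break
    return alerts


# Constructed process-creation events (shaped like Sysmon Event ID 1 fields).
EVENTS = [
    {"time": datetime(2019, 10, 25, 9, 14, 2), "host": "WS-014",
     "command_line": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": datetime(2019, 10, 25, 9, 14, 5), "host": "WS-014",
     "command_line": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"},
    {"time": datetime(2019, 10, 25, 9, 14, 9), "host": "WS-014",
     "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
    # Routine administration on a backup server: one match only, no alert.
    {"time": datetime(2019, 10, 25, 11, 30, 0), "host": "SRV-BACKUP",
     "command_line": "vssadmin list shadows"},
    {"time": datetime(2019, 10, 25, 11, 31, 0), "host": "SRV-BACKUP",
     "command_line": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["host"], alert["first_seen"].isoformat(), alert["actions"])
```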

Hackers use MedusaLocker and other ransomware families to attack organizations across all industries, and the U.S. Department of Homeland Security (DHS) recently offered several tips to help organizations combat ransomware attacks, including:

MSSPs also can provide endpoint detection and response (EDR), security information and event management (SIEM) and other services to help organizations address ransomware attacks. Furthermore, MSSPs can provide organizations with recommendations to improve their security posture.


A Sneaky Online Security Threat: Encrypted Malware in SSL – Hashed Out by The SSL Store

Unfortunately, the bad guys use encryption, too

Every time you connect to the internet, whether it's from a phone, tablet, or computer, you accept a certain level of risk. Hackers continue to find new ways to exploit security flaws and compromise your device or data. You need to be on alert at all times in order to avoid dangerous malware and other attacks that sometimes come from where you least expect them.

When you see a padlock icon at the top of your browser, it means that you're communicating with the site you are viewing via a connection encrypted with a valid SSL/TLS certificate. But many people make the mistake of assuming that as long as an SSL certificate is present, then they are safe from all forms of attack, end of story. In this article, we'll explore how new types of malware are actually being hidden behind this trusted symbol.

SSL encryption is critical for any site or application that requires sensitive information to be transferred. This includes passwords, credit card numbers, and other financial data. SSL certificates are an excellent defense tactic against intruders who're trying to eavesdrop on your internet activity, protecting your data from criminals. Here's the thing, though: bad guys can use encryption, too. And hackers and cybercriminals are using SSL/HTTPS to hide malicious code.

Let's hash it out.

Companies and organizations spend a lot of money and resources on IT security solutions. One popular approach is to combine intrusion detection systems and firewalls to monitor and analyze all incoming traffic to your local network. The idea is for the system to automatically detect and block cyber attacks and hacking threats before any users become vulnerable.

For example, let's say Bob in customer service clicks on a link in a phishing email that leads to a URL with malware. The organization's security systems could detect and block this visit before Bob's machine can become infected with malware.

However, there is an inherent loophole in how intrusion detection systems are built to operate. They involve the scanning of network traffic to identify patterns that correspond to malware or other malicious attacks. If the systems are unable to decode the full body of each incoming network request, then they remain blind to a certain portion of traffic.

For example, when you download a document from an external website, your firewall or intrusion detection system can inspect the packets of data that come through the local network. But if that communication is happening over an SSL connection, then the system cannot see through the encryption to detect what is really inside the document.

Some newer intrusion detection solutions are introducing the concept of deep packet inspection, where the tool looks at the lower levels of each network request to understand more about its content. But not many organizations have this option available to them, which means that data passing over HTTPS could be a threat.

Another technique for detecting the presence of SSL malware is SSL inspection. This is the process of intercepting SSL/TLS-encrypted internet communication between the client and server. Interception can be executed between the sender and the receiver, and vice versa (receiver to sender). This, strangely, is the same technique used in man-in-the-middle (MitM) attacks, but if deployed carefully can be used to filter out malware in SSL. (The key difference between inspection and a man-in-the-middle attack is that with SSL inspection, the network administrator modifies the computers to allow inspection only by the authorized device/certificate.)

To understand how hackers encrypt malware with SSL, we need to look at Transport Layer Security (or TLS), which refers to the encryption process that goes on behind SSL. The latest Google numbers tell us that 93% of the internet is now encrypted. As discussed, it is designed to be locked to all outside parties, including firewalls that don't support deep packet inspection.

When it comes to SSL malware, hackers are not able to inject directly into existing streams of HTTPS content. For example, if you are shopping on Amazon and submit your credit card number to pay for a book, that information is transmitted over SSL. If a hacker tries to modify that traffic and inject malware, your browser will notice that the keys have changed and will automatically reject the request.

However, there are ways around this problem. One of the most common is for cybercriminals to get free SSL certificates for their sites that contain malware. Though legitimate SSL certificates are not expensive, particularly given their importance in protecting data from theft, hackers may find it easier to get a free certificate without using any financial info that could be used to track them.

Another variation on this technique for the delivery of SSL malware is for criminals to use SSL certificates on phishing sites that deliver malicious code to victims' systems while looking like legitimate websites. The hacker will send out a series of fraudulent emails that look like they are coming from reputable sources. If users click on them, they will be directed to websites that look secure because they have free SSL certificates. At that point, the hackers can embed their malware into the encrypted traffic and try to bypass any firewall system.

These types of attack are becoming worryingly prevalent. Security Week reported in 2017 that in the first half of that year, Zscaler's products blocked roughly 600,000 threats hidden in encrypted traffic every day. That number grew to 800,000 in the second half of the year, which represents an increase of 30%.

Other security analysts have also raised concerns. As Bill Conner, CEO of SonicWall, told TechRepublic earlier this year, SSL is now implicated in 4.2% of malware. That represents, he says, a 400% increase over the previous year. That's because of the ease of finding bad SSL certificates, he continued, but also because only 5% of customers are turning on DPI, deep packet inspection for SSL.

The important thing to remember is that SSL does not guarantee safety. It simply ensures that your requests are encrypted. But the actual data being transmitted can still contain dangerous elements, including viruses and other forms of malware. Therefore, you should always be suspicious when visiting a new website. (Note: If the website in question is using an organization validation [OV] or extended validation [EV] SSL certificate, which are very hard for hackers to get, you can check their certificate details to get additional details about the organization that's running the website.)

Staying safe online requires a consistent level of diligence. Your best bet is to take proactive steps to control and protect your online privacy. Here are a few tips to protect against SSL malware and other threats:

Don't make the mistake of blaming this on SSL. Without it, the internet would be a MUCH more dangerous place. With the current level of hacking, going anywhere online would be hazardous. You would not be able to trust that your passwords and credit card numbers were being sent safely anywhere. The larger point here is that even when an SSL connection is present, remain aware that you still can be a target thanks to malware or other threats hidden inside of SSL traffic.

No need to be afraid. Just be vigilant with your cybersecurity strategy.

Read the rest here:
A Sneaky Online Security Threat: Encrypted Malware in SSL - Hashed Out by The SSL Store

Here’s how to stop Comcast, Verizon, and other ISPs from spying on you – Fast Company

The federal government has authorized your internet service provider to spy on you. The right was enshrined by a 2017 act of Congress that cancelled anti-spying regulations enacted by the Obama-era Federal Communications Commission. Today, your ISP can log every place you go online and use that data any way it wants, such as building user profiles for its own or other companies' advertising platforms.

But ISPs' most powerful spying tool is now easy to block, by encrypting what's called a DNS request, a bit of data that announces the websites you visit. Mozilla's Firefox browser already offers DNS encryption as an option, and it's about to turn it on by default in the coming days or weeks. This protects you not only from a snooping ISP but also from a hacker who wants to watch your surfing or even redirect you to bogus sites containing malware.

Google also plans to make DNS encryption possible in its Chrome web browser and Android operating system, although in a much slower fashion that involves coordinating with the internet service providers. Nevertheless, ISPs recently sent a letter to six House and Senate Committees asking them to stop Google from moving forward. News site Motherboard also unearthed a misleading slide deck that Comcast lobbyists are using to sway politicians.

Today, Comcast published a post announcing that it does not track the websites customers visit or the apps they use. Comcast further says that it doesn't build profiles and has never sold user information. These are all voluntary measures, however. There's no law or regulation (at least at the national level) to prevent an ISP from doing any of this.

While the politics play out, you can take simple steps right now to secure your surfing. Here's a quick explanation of how DNS works, and how to encrypt it.

Typing Google.com into your browser means nothing to the internet, which needs a numerical IP address like 172.217.7.196 in order to find Google's web servers, which host its site. To resolve the problem, your browser first visits a domain name system (DNS) server, which maintains a lookup table of web domains and their corresponding IP addresses. By default, your computer (or phone or tablet) uses the DNS server provided by your ISP, giving the company a handy list of all the sites you visit.

The privacy solution is called DNS over HTTPS, which uses the same encryption that secures your connections to most websites. (You can spot those web addresses because they start with https and are designated by a lock icon.) Mozilla is the furthest along, introducing both the encryption technology and an encrypted DNS service provider, run by cloud computing company Cloudflare. The latter has agreed to purge any data it collects and not provide it to any other parties. Mozilla is close to signing on additional DNS providers under the same terms, says Marshall Erwin, senior director of trust and security at Mozilla.

The easiest fix is to use the Firefox browser, as the switchover to DNS over HTTPS is about to start. If you just can't wait, or you want to use another browser, here's what to do.

On the desktop

To enable DNS encryption in Firefox, click the hamburger (three horizontal line) icon on the upper right of the program window. Click Preferences > General > Network Settings, scroll to the bottom of the popup window and check the box next to Enable DNS over HTTPS.

If you prefer another browser, you'll need to change the DNS settings in your computer's operating system. Cloudflare offers detailed instructions for Windows, Mac, and Linux. While the instructions are straightforward, bear in mind that making a mistake here could knock your whole system offline until you figure out what you did wrong.

On mobile devices

It doesn't matter what browser you use on Android or iOS devices. Cloudflare provides a free app called 1.1.1.1 that automatically shifts all of your internet-connected apps (not just browsers) to its encrypted DNS service. The 1.1.1.1 app also provides a free virtual private network (VPN) that encrypts all your internet traffic, protecting you even more from snoops and hackers.

This article has been updated with comment from Comcast describing a policy of not tracking users via DNS. A previous version of the headline erroneously implied that Comcast was spying on users.

Follow this link:
Here's how to stop Comcast, Verizon, and other ISPs from spying on you - Fast Company

‘Without Encryption, We Will Lose All Privacy’: Snowden …

In an op-ed published Tuesday by The Guardian, American whistleblower Edward Snowden expressed alarm over global governments' efforts to undermine encryption, highlighting a recent attempt by the United States, United Kingdom, and Australia to pressure Facebook to create a "backdoor" into its encrypted messaging applications.

"The true explanation for why the U.S., U.K., and Australian governments want to do away with end-to-end encryption is less about public safety than it is about power." - Edward Snowden, whistleblower

"For more than half a decade, the vulnerability of our computers and computer networks has been ranked the number one risk in the U.S. Intelligence Community's Worldwide Threat Assessment - that's higher than terrorism, higher than war," wrote Snowden.

"And yet, in the midst of the greatest computer security crisis in history, the U.S. government, along with the governments of the U.K. and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world's information: encryption," he continued. "Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe."

As Snowden noted, "in the simplest terms, encryption is a method of protecting information, the primary way to keep digital communications safe." Messaging apps often use end-to-end encryption (E2EE), which, as the Electronic Frontier Foundation (EFF) explains, "ensures that a message is turned into a secret message by its original sender, and decoded only by its final recipient."

For six years straight, the vulnerability of our computer networks has been the top risk on the US Intelligence Community's Worldwide Threat Assessment - ranked higher than terrorism; higher than war.

This surveillance scheme will make it worse. https://t.co/MFZdRnCvTR

Edward Snowden (@Snowden) October 15, 2019

Facebook-owned WhatsApp already uses E2EE. The New York Times reported in January that Facebook CEO Mark Zuckerberg has ordered its implementation across all company messaging platforms, including Facebook Messenger and Instagram Direct. Acknowledging that encrypted apps could be used for "truly terrible things like child exploitation, terrorism, and extortion," Zuckerberg wrote in a blog post on March 6 that "we've started working on these safety systems building on the work we've done in WhatsApp, and we'll discuss them with experts through 2019 and beyond before fully implementing end-to-end encryption."

On Oct. 4, four top officials from various countries (U.S. Attorney General William Barr, then-acting U.S. Homeland Security Secretary Kevin McAleenan, U.K. Home Secretary Priti Patel, and Australian Minister for Home Affairs Peter Dutton) sent an open letter (pdf) to Zuckerberg requesting that "Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens."

Facebook responded by reiterating the company's commitment to its E2EE plans and opposition to backdoors. "We believe people have the right to have a private conversation online, wherever they are in the world," the company said in a statement. "End-to-end encryption already protects the messages of over a billion people every day... We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere."

Encryption is a human right in the digital society. Full stop. We should have it by design and default in the technology we use. I agree with @Snowden "Without encryption, we will lose all privacy. This is our new battleground" https://t.co/9YhAh0UsWn

Francesca Bria (@francesca_bria) October 15, 2019

Although Facebook has thus far resisted government pressure, Snowden warned Tuesday that "if Barr's campaign is successful, the communications of billions will remain frozen in a state of permanent insecurity: users will be vulnerable by design. And those communications will be vulnerable not only to investigators in the U.S., U.K., and Australia, but also to the intelligence agencies of China, Russia, and Saudi Arabia - not to mention hackers around the world."

Snowden, who worked for CIA and NSA, is now president of the board of directors of the nonprofit Freedom of the Press Foundation. Last month, the whistleblower published a memoir entitled Permanent Record about his experience leaking classified U.S. government documents to the press in 2013, which sparked global discussions about privacy rights and mass surveillance, and led Snowden to seek asylum in Russia.

"When I came forward in 2013, the U.S. government wasn't just passively surveilling internet traffic as it crossed the network, but had also found ways to co-opt and, at times, infiltrate the internal networks of major American tech companies. At the time, only a small fraction of web traffic was encrypted: six years later, Facebook, Google, and Apple have made encryption-by-default a central part of their products, with the result that today close to 80 percent of web traffic is encrypted," Snowden wrote. "Barr, who authorized one of the earliest mass surveillance programs without reviewing whether it was legal, is now signalling an intention to halt - or even roll back - the progress of the last six years."

While Barr and his co-signers "invoked the spectre of the web's darkest forces" to justify their opposition to E2EE, Snowden argued that "the true explanation for why the U.S., U.K., and Australian governments want to do away with end-to-end encryption is less about public safety than it is about power: E2EE gives control to individuals and the devices they use to send, receive, and encrypt communications, not to the companies and carriers that route them. This, then, would require government surveillance to become more targeted and methodical, rather than indiscriminate and universal."

Read the original post:
'Without Encryption, We Will Lose All Privacy': Snowden ...

Security pros reiterate warning against encryption backdoors

Government-mandated encryption backdoors make countries, and more specifically their election systems, vulnerable to cyber attack, 74% of information security professionals warn.

At the same time, 72% believe laws that allow governments to access encrypted personal data will not make citizens safer from terrorists, according to a poll by security firm Venafi of 384 attendees of the Black Hat USA 2019 security conference earlier in August in Las Vegas.

The findings echo a similar poll of attendees of RSA Conference 2019 in San Francisco in March, which showed 73% of respondents were opposed to government-mandated backdoors.

Governments and law enforcement officials around the world, particularly in the Five Eyes intelligence alliance, continue to push for encryption backdoors, which they claim are necessary in the interests of national safety and security as criminals and terrorists increasingly communicate via encrypted online services.

According to the Five Eyes governments, the increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion.

"Last month, the US Senate Intelligence Committee reported that election systems in all 50 states were targeted by Russia during the 2016 election," said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.

"We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security. The IT security community overwhelmingly agrees that encryption backdoors would have a disastrous impact on the integrity of our elections and on our digital economy as a whole."

Opponents of encryption backdoors have said repeatedly that government-mandated weaknesses in encryption systems put the privacy and security of everyone at risk: the same backdoors can be exploited by hackers.

The survey also shows that 70% of the Black Hat USA respondents believe countries with government-mandated encryption backdoors are at an economic disadvantage in the global marketplace, while 84% would never knowingly use a device or program from a company that agreed to install a backdoor.

Bocek added: "On a consumer level, people want technology that prioritises the security and privacy of their personal data. This kind of trust is priceless. Encryption backdoors would not only make us much less safe at a national level, they also clearly have the potential to inflict significant economic and political damage."

In July 2019, US attorney general William Barr said consumers should accept the risks that encryption backdoors pose to their personal security to ensure law enforcement can access encrypted communications. But more recently, Canada's public safety minister Ralph Goodale called for his government to work with internet companies to find a balance between internet privacy and the needs of law enforcement.

In December 2018, the parliament of another Five Eyes member, Australia, passed controversial legislation requiring tech businesses to create encryption backdoors within their products, prompting criticism from security and privacy advocacy groups, including the Electronic Frontier Foundation (EFF).

The Australian legislation is based on the UK's equally controversial Investigatory Powers Act, but the Australian law goes a step further by including the power to compel individual network administrators, sysadmins, and open source developers to comply with secret demands, including potentially to force them to keep their cooperation secret from their managers, lawyers and executive leadership.

The US, Canada, Australia and the UK are all members of the Five Eyes intelligence alliance, which in September 2018 called on tech firms to include backdoors in their encrypted products to give access to law enforcement authorities or face various measures.

The group said it encouraged information and communications technology service providers to voluntarily establish lawful access solutions to their products and services, but warned in a statement that should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.

View post:
Security pros reiterate warning against encryption backdoors