Stop using SHA1 encryption: It’s now completely unsafe, Google proves – PCWorld

Security researchers have achieved the first real-world collision attack against the SHA-1 hash function, producing two different PDF files with the same SHA-1 signature. This shows that the algorithm's use for security-sensitive functions should be discontinued as soon as possible.

SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made.

However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still fairly widely used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.

A hash function such as SHA-1 is used to calculate an alphanumeric string that serves as the cryptographic representation of a file or a piece of data. This is called a digest and can serve as a digital signature. It is supposed to be unique and non-reversible.

If a weakness is found in a hash function that allows for two files to have the same digest, the function is considered cryptographically broken, because digital fingerprints generated with it can be forged and cannot be trusted. Attackers could, for example, create a rogue software update that would be accepted and executed by an update mechanism that validates updates by checking digital signatures.
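The forged-fingerprint scenario above as a runnable sketch; it is an added example, not code from the article or from the researchers. It assumes SHA-1 truncated to 24 bits so that a collision can be found in moments, and it uses an HMAC under a constructed key as a stand-in for the publisher's signature.

```python
import hashlib
import hmac

TOY_BYTES = 3  # constructed: keep only 24 bits of SHA-1 so a collision is cheap to find
SIGNING_KEY = b"constructed-publisher-key"  # hypothetical key, stand-in for a real signing key


def toy_digest(data: bytes) -> bytes:
    """Deliberately weak digest: SHA-1 truncated to TOY_BYTES bytes."""
    return hashlib.sha1(data).digest()[:TOY_BYTES]


def strong_digest(data: bytes) -> bytes:
    """SHA-256, one of the replacements the article names."""
    return hashlib.sha256(data).digest()


def sign(data: bytes, digest_fn) -> bytes:
    """Publisher side: the signature covers the digest, never the file itself."""
    return hmac.new(SIGNING_KEY, digest_fn(data), hashlib.sha256).digest()


def verify(data: bytes, signature: bytes, digest_fn) -> bool:
    """Updater side: recompute the digest of what was received and check the signature."""
    return hmac.compare_digest(sign(data, digest_fn), signature)


def find_collision(prefix_a: bytes, prefix_b: bytes, digest_fn):
    """Birthday search: append counters to two different files until their digests match."""
    seen = {}
    counter = 0
    while True:
        suffix = str(counter).encode()
        file_a = prefix_a + suffix
        seen[digest_fn(file_a)] = file_a
        file_b = prefix_b + suffix
        match = seen.get(digest_fn(file_b))
        if match is not None:
            return match, file_b, counter
        counter += 1


def demo():
    """Sign one file, then present a different file with the same weak digest."""
    released, substitute, tries = find_collision(
        b"update-1.2 contents, build ", b"different contents, build ", toy_digest
    )
    signature_weak = sign(released, toy_digest)
    signature_strong = sign(released, strong_digest)
    return {
        "files_differ": released != substitute,
        "digests_match": toy_digest(released) == toy_digest(substitute),
        # The signature was issued for `released`, yet it validates `substitute`.
        "weak_accepts_substitute": verify(substitute, signature_weak, toy_digest),
        # With a collision-resistant digest the same substitution is rejected.
        "strong_accepts_substitute": verify(substitute, signature_strong, strong_digest),
        "strong_accepts_released": verify(released, signature_strong, strong_digest),
        "tries": tries,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verifier is not at fault here: it checks exactly what was signed, which is why the remedy is to change the digest function rather than the signature check.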

In 2012, cryptographers estimated that a practical attack against SHA-1 would cost $700,000 using commercial cloud computing services by 2015 and $173,000 by 2018. However, in 2015, a group of researchers from Centrum Wiskunde and Informatica (CWI) in the Netherlands, Nanyang Technological University (NTU) in Singapore and Inria in France devised a new way to break SHA-1 that they believed would significantly lower the cost of attacks.

Since then, the CWI researchers have worked with Google, using the company's massive computing infrastructure, to put their attack into practice and achieve a practical collision. It took nine quintillion SHA-1 computations, but they succeeded.

According to Google, it was one of the largest computations ever completed: the equivalent processing power of 6,500 years of single-CPU computations and 110 years of single-GPU computations. It was performed on the same infrastructure that powers Alphabet's AlphaGo artificial intelligence program and services like Google Photo and Google Cloud.

Does this mean that achieving SHA-1 collisions is now within the grasp of most attackers? No, but it's certainly within the capabilities of nation-states. In less than three months, the researchers plan to release the code that made their attack possible so other researchers can learn from it.

"Moving forward, it's more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3," Google said in a blog post Thursday. "In order to prevent this attack from active use, we've added protections for Gmail and GSuite users that detects our PDF collision technique. Furthermore, we are providing a free detection system to the public."

Starting with version 56, released this month, Google Chrome will mark all SHA-1-signed HTTPS certificates as unsafe. Other major browser vendors plan to do the same.

"Hopefully these new efforts of Google of making a real-world attack possible will lead to vendors and infrastructure managers quickly removing SHA-1 from their products and configurations as, despite it being a deprecated algorithm, some vendors still sell products that do not support more modern hashing algorithms or charge an extra cost to do so," said David Chismon, senior security consultant at MWR InfoSecurity. "Whether this happens before malicious actors are able to exploit the issue for their benefit remains to be seen."

More information about the attack, which has been dubbed SHAttered, is available on a dedicated website and in a research paper.


Why quality encryption is actually helping hackers hack – The American Genius

Too many places to hide

FBI General Counsel James A. Brady opened up another angle to the global encryption debate. In a Center for Strategic and International Studies (CSIS) panel, Brady claimed that the current trend in full-disk encryption (FDE) may make it easier for criminals to hide their illegal activity.

In the past, phone owners had to enable encryption, which protects our data by turning it into unreadable text. Today, any iOS 8 or newer iPhone comes with full-disk encryption, which automatically encrypts hard drive data. Android owners with Android 5.0 Lollipop or later also get full-disk encryption. Owners of these encrypted devices are the only ones able to access device data via a key, which is typically a user-generated password. Prior to the rollout of full-disk encrypted devices, law enforcement could bypass the need for a user's key and appeal directly to phone companies for device access.

We've already seen how this form of widespread encryption can end up costing law enforcement.

In last year's high-profile Apple vs. FBI debate, an encryption backdoor became a potential solution in cases where law enforcement need to access a criminal's device.

This encryption backdoor and the FBI's questioning of full-disk encryption should keep business owners on alert. Phones are increasingly becoming extensions of our offices and meeting rooms. Businesses should push for the most innovative and widespread encryption technology when it comes to protecting their data and the data of their customers, especially as more of our business communications happen on phones. This doesn't mean law enforcement can't reconcile the need for sophisticated data protection with public safety.

A quicker system of gathering and analyzing unencrypted metadata, such as the date and time of calls, can help speed up an investigation. Law enforcement, under the correct judicial orders, can also take better advantage of cloud-based data in their investigations.

Most of all, law enforcement should be proactive about developing their own hacking capabilities for use in the most extreme circumstances.


How The Media Are Using Encryption Tools To Collect Anonymous Tips – NPR

The Washington Post and other media organizations have launched Web pages outlining ways you can leak information to them confidentially. (Photo: Brendan Smialowski/AFP/Getty Images)

There was a time when a whistleblower had to rely on the Postal Service, or a pay phone, or an underground parking garage to leak to the press.

This is a different time.

A renewed interest in leaks since Donald Trump's surprise election victory last fall, and a growth in the use of end-to-end encryption technology, have led news organizations across the country to highlight the multiple high-tech ways you can now send them anonymous tips.

The Washington Post, The New York Times, and ProPublica have launched Web pages outlining all the ways you can leak to them. ProPublica highlights three high-tech options on its page (in addition to the Postal Service): the encrypted messaging app Signal, an encrypted email program called PGP (or GPG), and an anonymous file sharing system for desktop computers called SecureDrop. The Washington Post goes even further, highlighting six digital options.

Jeff Larson, a reporter at ProPublica, says of all this, "We're living in almost a golden age for leaks."

Some tools like SecureDrop, created by the Freedom of the Press Foundation, were made just for newsrooms to accept anonymous tips. Others, like Signal, the premier encrypted messaging app on the market right now, were created with a different, and more universal purpose.

Moxie Marlinspike, one of the creators of Signal, says it's for everyone who might not be aware that a lot of their communication might not actually be private.

"What we're really trying to do is bring people's existing reality in line with people's expectations," Marlinspike says. "Most of the time when people send someone a message, their assumption is that that message is only visible to themselves and the intended recipient. It's always disappointing when that turns out not to be true."

Trevor Timm, executive director of the Freedom of the Press Foundation, says newsrooms' and leakers' reliance on these tools also speaks to a new reality.

"We're living in a golden age of leaks but we're also living in a golden age of surveillance," Timm says. "It is very easy for the government, for example, to subpoena a Google, or a Verizon, or an AT&T to get a journalist's phone records, or email records, that tells them who they talked to, when they talked to them, and for how long. Over the past 8 or 10 years, the government has been able to prosecute a record number of journalists, and the primary way they've been able to do this is because of their increased surveillance capabilities."

That heavier scrutiny of the press and its sources has come from both sides of the aisle. This month, President Trump directed the Justice Department to investigate what he calls "criminal leaks" coming from the federal government, and in a speech Friday at the Conservative Political Action Conference, he said journalists should not be allowed to use unnamed sources.

The Obama administration used the Espionage Act multiple times to prosecute leaks (more than any other administration according to PolitiFact), as well as secretly seizing Associated Press reporters' phone records.

While many encryption apps are used to bypass such surveillance of communications between leakers and the press, some apps are being used by staffers within the government to communicate with each other. A recent Washington Post article stated that some White House staffers are relying on an encrypted messaging app called Confide to communicate with each other without using official phones or email, out of a fear of leaks.

But using an app like that to make official White House communications private raises red flags for Chris Lu, former Deputy Labor Secretary under President Barack Obama.

"At the White House and at the Department of Labor," Lu says, "we were given very clear training and guidance about the Presidential Records Acts and maintaining documents." The Washington Post story, he says, "instantly raised red flags whether it was in compliance with the Presidential Records Act. And it clearly is not." (That law is meant to ensure that communications in the White House are maintained for historical purposes.)

Confide CEO Jon Brod says his company advises all users to follow the rules of their employers, if they're using Confide to talk to coworkers.

"There are certain industries and sectors where specific people and certain types of conversations are regulated," Brod says, pointing to financial services, health care, and parts of the government. "If you are in one of those industries or sectors, it's important that you use Confide in a way that conforms to any of those regulations that may be relevant to you."

Of course, the legality and ethics of such communications between government workers, as well as between the press and government leakers, often depend on who you ask.

For Moxie Marlinspike of Signal, there is no question on one thing: whether or not apps such as his are good for society. "I think what we're seeing is things like Signal almost democratizing that ability (to leak)," he says. "So people who are not necessarily at these high-level posts, but just ordinary workers, are able to communicate what's going on to people outside of government. If you're the director of the CIA, you don't need Signal."

But with the growth of apps like Signal and encryption technology, there might not ever be a way to tell just how ubiquitous all this high-tech leaking becomes. Often the data is so secret that there are few metrics to read, if there are any at all. "We don't have any information about our users," Marlinspike says. "That's how end-to-end encryption works: Even us, we don't have that kind of information."


Trump inspires encryption boom in leaky DC – Politico

Poisonous political divisions have spawned an encryption arms race across the Trump administration, as both the president's advisers and career civil servants scramble to cover their digital tracks in a capital nervous about leaks.

The surge in the use of scrambled-communication technology, enabled by free smartphone apps such as WhatsApp and Signal, could skirt or violate laws that require government records to be preserved and the public's business to be conducted in official channels, several ethics experts say. It may even cloud future generations' knowledge of the full history of Donald Trump's presidency.

"The operative word is accountability. You cannot hold an agency or someone accountable if records are not kept and made available," said John Carlin, a former Democratic Kansas governor who served as the archivist of the National Archives from 1995 to 2005. "If there is a hearing or investigation someday and no access to records, there is not much you can do."

White House press secretary Sean Spicer has pointedly warned his staff that using encrypted apps would violate a law requiring the preservation of presidential records, POLITICO reported Sunday.

Conservative advocacy groups also denounce the use of encrypted technologies by career employees, comparing it to Hillary Clinton's use of a private email server when she was secretary of State. The House Science Committee has demanded an inquiry into the use of encryption by employees at the Environmental Protection Agency, although it has shown no similar curiosity about use of encryption in the White House.

"It's stunning that it's still going on in light of the Clinton email scandal," said Judicial Watch President Tom Fitton, who has been critical of the use of encrypted messaging by both civil servants and the White House. "It's no different than what she was doing."

Defenders of federal workers say interest in encryption has skyrocketed as career employees ponder how to respond to an administration they fear will break the law and punish dissent in pursuit of a radical agenda. Jon Brod, the co-founder of Confide, a company that offers an encrypted messaging program of the same name, said the company has seen a surge in use of its app following the election.

People in the government are finding many uses for encryption, including internal conversations and leaks to the news media.

More than 70 workers from several agencies are using encrypted cellphone apps to arrange nighttime and weekend meetings at homes in the D.C. area to discuss their potential resistance to Trump, said Danielle Brian, executive director of the Project on Government Oversight.

She said the employees want to know what to do if they see something illegal happening at their agencies, how to report misdeeds to Congress or inspectors general, and what is protected under whistleblower laws. The demand is so great that POGO plans to hire a full-time employee to train workers across the country on how to report problems, keep their jobs and use encrypted messages to communicate and organize outside of work.

In addition to the EPA, employees at the State Department, the Department of Homeland Security, the Department of Transportation and other agencies are using encrypted messaging apps, POLITICO has learned.

"We are responding to an increasing level of anxiety in the federal workplace about free speech rights and civil liberties," said POGO's Brian, who has attended three private sessions to offer advice on government workers' legal protections. "This is a whole new world for us."

Federal workers told POLITICO they've adopted encrypted apps because they fear being targeted by Trump's political allies.

"It's very scary," one career civil servant said in an interview, requesting anonymity to avoid possible retaliation. "You don't know who to trust."

Trump has made no secret of his desire to uncover the sources of the many leaks that have roiled the first month of his presidency. "The spotlight has finally been put on the low-life leakers!" he wrote on Twitter earlier this month. "They will be caught!"

The hunt for leaks has swept up the White House communications staff, where Spicer has begun quietly cracking down on the use of encrypted apps. POLITICO reported Sunday that Spicer recently checked White House staffers' phones and warned them against using apps like Confide, which deletes messages as soon as they're read, and Signal, which also has an optional setting to automatically delete messages.

The crackdown came after some political appointees in Trump's White House began using the encrypted apps so they can have covert conversations with journalists and their colleagues. But it remains unclear if top White House officials can completely halt the use of the apps. And at least some staff were still using them as of earlier this month, sources say.

"To my knowledge, no one in the [White House] is using the Confide app or any other similar app and we go to great lengths to preserve all records," a White House official told POLITICO in an email late last week.

However, a BuzzFeed reporter determined that Spicer and White House aide Hope Hicks had once downloaded the Confide app, the site reported this month after using a feature that lets users find contacts who have already signed up. Spicer told BuzzFeed he used Confide only once "months ago."

The White House official told POLITICO that Hicks "does not use the app and deleted it from her phone." The official did not respond to follow-up questions about how the White House knows other staff aren't using the app.

Trump staffers are keenly aware of the risks of their internal communications going public, having faced widespread leaking from their own ranks during the campaign and having seen the damaging fallout from last year's dumps of hacked emails from Democrats such as Clinton campaign chairman John Podesta.

Yet ethics experts argue that the use of encrypted messaging apps by White House staff for official business would be a clear violation of the law. "At a minimum, the White House ought to explain what record preservation steps it is taking," said Norm Eisen, former ethics czar under ex-President Barack Obama and co-founder of the group Citizens for Responsibility and Ethics in Washington. "If they refuse to answer those questions, it is fair to assume they are at risk of violating the law."

For both the Trump team and the career employees, encrypted apps like Signal, WhatsApp, Confide and Wickr make it easier to communicate in secret by leaving would-be snoops with unreadable strings of text, thwarting any hackers or government investigators who might get hold of the messages. That's on top of the strong encryption offered by devices such as the latest iPhones, which the FBI has complained it can't crack even in drug or terrorism investigations.

It's unclear whether the career employees are breaking any laws. While it is illegal for federal employees to hold secret discussions to conduct government business, several workers insisted in interviews that they use the apps only for personal communications.

A spokeswoman at the National Archives, which maintains the government's records, said in an email that personal opinions by and between agency employees, even about senior agency officials, would not likely meet the definition of a federal record that must be preserved.

But experts say the nature of encryption technology makes it difficult to tell what the employees are discussing. Conservative groups are exploiting that fact to target federal workers who are critical of Trump.

"Any effective regulation of federal employee behavior is heavily predicated on learning that that misconduct has occurred," said Dan Metcalfe, the former director of the Justice Department's Office of Information and Privacy, who spent more than two decades guiding federal agencies on Freedom of Information Act issues. "That's the only way you can regulate it after the fact."

White House staffers are bound by the Presidential Records Act, a post-Watergate law that requires the preservation of official government records. It allows public access to those documents after a waiting period that can stretch from five to 12 years.

Other federal employees must abide by the Federal Records Act, which similarly requires the preservation of government documents. But the law allows more speedy public access to those documents through Freedom of Information Act requests.

The Federal Records Act was amended in 2014 to include all electronic messages, including text messages, voice mails and messaging apps. July 2015 guidance to federal agencies from the National Archives specifically mentions WhatsApp as an example of an application whose messages must be preserved if they pertain to government business.

But even if the technology is new, attempts to skirt federal records laws aren't.

"This is just another variation on the theme," Fitton said about the use of encrypted messaging apps to communicate. "It's not a new issue. It's just a new flavor. It doesn't matter the technology because the agencies are required to maintain these records. You can delete text messages and emails too."

Staffers in Republican and Democrat administrations alike often keep sensitive information out of emails, preferring phone conversations, which largely aren't subject to record-keeping laws. The Reagan, George H.W. Bush and Clinton administrations strongly resisted calls to preserve their email records (the Reagan White House adopted a rudimentary form of email in the 1980s), resulting in a years-long legal battle.

George W. Bush administration officials faced criticism for using non-government email accounts. And Obama administration officials were caught using alternative email addresses that obscured their identities.

Indeed, resistance to preserving records dates back to the early days of the country. Martha Washington and Thomas Jefferson famously burned their correspondence with their spouses, for example, keeping many of their private thoughts out of reach of later generations.

But the wide availability of encrypted messaging makes secrecy easier than ever.

"It's certainly easier to circumvent public records laws in a written format now than it ever has been," said Mark Rumold, a senior staff attorney at the Electronic Frontier Foundation, a nonprofit group that pushes for government transparency.

Republicans in Congress are increasingly frustrated, worrying that career employees are secretly undercutting Trump's policies.

After POLITICO reported this month that several EPA employees were using Signal, House Science Chairman Lamar Smith (R-Texas) asked the agency's inspector general to look into the issue. Several right-leaning groups have filed FOIA requests seeking EPA employees' communications using Signal.

But Smith and other Republicans have not publicly committed to investigate encryption at the White House. A spokeswoman for Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight Committee, declined to comment when asked whether he is looking into the issue.

Some Democrats counter that federal workers should be protected, citing whistleblower laws that shield workers from retribution if they report law-breaking or gross mismanagement.

Reps. Ted Lieu (D-Calif.) and Don Beyer (D-Va.) even released a guide that underscores federal workers' rights. The guide appears to endorse the use of encrypted apps, calling them a safe bet.

In an interview, Lieu said, "I just want to make clear to federal employees, Congress passed an entire law protecting whistleblowers."

Tim Starks contributed to this story.


Google End-to-End encrypted email code goes open-source – ZDNet

Google has announced that E2EMail, an experimental end-to-end encryption system, has now been given to the open-source community with no strings attached.

Whether you are concerned about government surveillance and spying, man-in-the-middle (MiTM) attacks by threat actors or you are an enterprise player with the need to keep communications as secure and private as possible, end-to-end encryption is viewed as a method to prevent snooping.

Not every email service provider offers end-to-end encryption -- the best-known being PGP -- although, in the wake of former NSA contractor Edward Snowden's disclosures concerning the mass-spying efforts of the US government, more services have popped up or increased in popularity, including ProtonMail, Wire, WhatsApp, and Signal.

As we become more concerned with digital threats and surveillance, everything from email services to apps and social network chats is being locked up with cryptographic methods.

However, end-to-end encryption is yet to reach a wider audience -- and this is where Google intends to make a difference.

Last week, Google engineers KB Sriram, Eduardo Vela Nava, and Stephan Somogyi said in a blog post that as part of the tech giant's End-to-End research efforts, E2EMail is going open-source.

Built on the JavaScript crypto library developed at Google, E2EMail offers a way to integrate OpenPGP into Gmail via a Chrome Extension while keeping cleartext of messages exclusively on the client.

Google is keen to emphasize that E2EMail is not a Google product, but thanks to the efforts of security engineers from across the spectrum, it is now a "fully community-driven open-source project."

The current form of E2EMail is rather bare when it comes to keyserver testing. However, Google's Key Transparency, made available earlier this year, may improve the security of the service far beyond its current incarnation.

"Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced," Google's engineers say. "Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP."

"We look forward to working alongside the community to integrate E2EMail with the Key Transparency server, and beyond," the team added.

If you're interested, you can check out the e2email-org/e2email repository on GitHub.

Last week, Google gave the "Upspin" project to the open-source community. Upspin aims to reduce the fragmentation of current services such as Dropbox, Google Storage and Apple's iCloud and the amount of time wasted on "multi-step copying and repackaging" by creating a global namespace for files. Upspin is a set of protocols and standards which puts secure sharing at the forefront and is enabled with end-to-end encryption by default.


Decipher your Encryption Challenges – Infosecurity Magazine

Every company I speak with is throwing the kitchen sink at protecting their network from external attackers, data breaches and mobile device loss. At the heart is the fundamental point that we all must accept: that where once corporate data sat ring-fenced on a server, it is now dispersed geographically, across many different devices, and moving all the time.

As IT and security professionals we keep battling with the need to keep the drawbridge down, but stop the baddies getting in, and ensure soldiers (data) outside the castle walls are safe.

Encryption has played a key role in protecting data for a long time. Thousands of years before the computer appeared there were Hebrew mono-alphabetic substitutions, and of course the use by the Romans of ciphers, being just a couple of examples. Yet despite its clear benefits in protecting against prying eyes, for a long time it fell out of favor.

Certainly, in early computing it was a complete pain to work with, and some might use stronger language than that! Whilst vendors eventually got their heads around making it more usable, the world moved on, and the problem is no longer simply about protecting data at point A.

Precisely because of the problems we laid out earlier, the need to manage encryption across devices, locations and users has become an IT imperative. Any security professional knows that complexity leads to risk, and that spells danger for the enterprise. Not just from invaders, but risks of regulatory non-compliance, accidental data breaches, or simply the loss of a smartphone.

The challenge therefore has become to simplify the security landscape in the organization, without compromising on protection. In the case of encryption, this means being able to manage encryption across on-premise, cloud, hybrid-cloud and a myriad of devices, as well as when it is with users who may not belong to your company.

Centralized encryption management solves the problem by ensuring keys are controlled from one point, and more importantly the keys themselves are stored outside the organization: after all there is no point locking your data in a box, but leaving the key in the lock!

This alone is not enough in the modern enterprise; you need to be able to manage that same encryption across cloud services, virtual machines and resources that you do not own. It's important to ensure that when you look at choosing an encryption provider that you consider this reality, otherwise you leave yourself greatly exposed.

Encryption is here to stay; it is the last line of defense when a breach occurs, whatever action caused it, invader or accident. With so much at stake for a business in terms of reputation damage, regulatory fines, and ultimately the bottom line, centralized encryption management is the route to bringing clarity to effective encryption. Remember, nobody ever got fired for implementing encryption, but they probably did for mismanaging it.


Axis Bank case: To make Aadhaar safe, encryption devices coming soon, more in store – Financial Express

Even Aadhaar sceptics would do well to keep in mind that, while a criminal complaint has been filed against Axis Bank, Suvidhaa Infoserve and eMudhra for allegedly storing biometrics and using them in an unauthorised manner, it was UIDAI that discovered the irregular transactions and reported them to the Delhi Police's cyber cell and, pending a probe, all transaction requests from these organisations have been put on hold. If the UIDAI system is able to detect fraud, as the banks did when they found millions of debit/credit cards had been compromised due to a faulty switch in a payments gateway some months ago in India, presumably that would mean it was working well. Under normal circumstances, as a safety feature, every time a transaction is made, like withdrawing funds from a bank, and UIDAI replies to an authentication request, an SMS/email alert is sent to the subscriber.

So, why didn't UIDAI send out alerts this time around when, going by a report in The Times of India, one individual performed 397 transactions, many of which were based on biometrics that were stored locally and bunched during one week in January? Is this an example of Aadhaar being open to misuse since banks, etc, can store your biometrics and use them to illegally authorise transactions later? There have also been reports of one website publishing Aadhaar data of 500,000 minors (this, of course, is a list of names and matching Aadhaar numbers, but does not have actual biometrics) and of white-hat hackers generating iris scans from high-resolution photographs and even the possibility of data being compromised since Aadhaar registrations/verifications are typically done by several private firms.

First, as UIDAI officials point out, since the individual doing the transactions was using his own Aadhaar number, the alerts went to him; to that extent, the system's first fail-safe worked. Had the stored biometrics belonged to someone else, say a reader of this newspaper, she would have got the SMS/email alerts and would have escalated matters. Two, since the authentication request, and the reply, are encrypted at a 2048-bit level (normal encryption levels are 128 or 256), UIDAI officials argue this makes the system very safe from hacking. But what of cases where the biometrics are stolen, or generated from high-resolution photographs, and then stored locally? Since security has to be an evolving feature, designed to beat threats as they occur or before they do, UIDAI plans to introduce the concept of registered devices.

For the last few months, UIDAI has been working with vendors of biometric-capture devices to get them to install an Aadhaar-encryption key in the hardware itself; among other things, it ensures the biometric data used is captured live and is not stored data. Last month, it was notified that, after May, no data requests will be entertained if they come from unregistered devices; existing biometric devices, such as those in ration shops already, are to be upgraded through software right now and those bought in the future must have the necessary pre-installed keys. It is certain criminals will find smarter ways to beat the system, and UIDAI will have to keep evolving to heighten security; to the extent some beat the system, or try to, as happens in the case of bank frauds, the criminal justice system has to be used to punish them.

Follow this link:
Axis Bank case: To make Aadhaar safe, encryption devices coming soon, more in store - Financial Express

Your Guide to the Encryption Debate – Consumer Reports – ConsumerReports.org

Encryption could soon become part of national debates over consumer issues ranging from data breaches to the safety of connected cars.

Not long ago, it was the sort of thing that only bankers, spies, and military leaders worried about. But, in today's digital world, encryption has become part of our everyday lives, protecting our ability to shop online, book flights, and hold private conversations.

According to Mozilla, the open-internet advocacy group that created the Firefox browser, 49.5 percent of global web traffic is now encrypted, an increase of more than 10 percent in one year.

While security experts applaud that progress, they'd like to see even more encryption, to cut down on data breaches, identity theft, and the sort of hacks that could perhaps threaten the nation's power plants.

But not everyone views encryption as a force for good. For law enforcement officials, it's also a tool that allows thieves and terrorists to escape detection.

With a new administration in the White House, one vocal about fighting crime and stamping out terrorism, the debate over encryption's merits may soon surface once again.

Encryption may be central to many everyday transactions, but the issues can be tough to follow. Here's your cheat sheet.

Excerpt from:
Your Guide to the Encryption Debate - Consumer Reports - ConsumerReports.org

Google helps put aging SHA-1 encryption out to pasture – Engadget

Breaking SHA-1 has been a goal of security users for quite a while, so it's quite a feather in Google's cap to be first. (It's possible, though, that the NSA, Russians or others have had one that they've kept under wraps.) The team said that the collision "is one of the largest computations ever completed," so Google's cloud infrastructure was an indispensable part of that.

There's no great danger for users. Google Chrome, Microsoft's Edge, Firefox and all other major browsers flag HTTPS sites that use SHA-1 as insecure with a big red warning -- so very few use it for verifying digital content. The team won't release the attack (Dad-jokingly called "SHAttered") for 90 days, in order to give affected sites time to deal with it.

Also, even though Google has made it 100,000 times faster to crack an SHA-1 certificate, it would still require some serious computing horsepower to do so. Google says it requires 12 million GPUs a full year to brute force a certificate, while the SHA-1 "Shattered" attack takes just 110 GPUs. For now, however, you'd still need a supercomputer or server farm (or a bot farm) to crack one in a reasonable amount of time.

As a proof of concept, Google is hosting two PDFs with different content but the same hash, and has supplied the public with a free detection app. It had a lot of motivation to be first with a collision. It led the movement to deprecate SHA-1 because its advertising business relies heavily on secure sites and ad platforms -- making the discovery a giant "I told you so" of sorts.

Read more from the original source:
Google helps put aging SHA-1 encryption out to pasture - Engadget

Top 6 Data Encryption Solutions – The Merkle

People who take computer security seriously will acknowledge they need to encrypt data and create regular backups. Luckily, there are quite a few solutions that allow for both things at the same time. Below is a brief list of tools specializing in data encryption. Do keep in mind this list is not complete, but merely serves as an indicator as to what one should look for in such a software solution.

Encrypting computer data and protecting the device in question can all be achieved by using the Digital Guardian software kit. Keeping sensitive information safe from harm is the number one priority. Moreover, the toolkit focuses on data activity and enforcing user policies. This is a quite powerful solution for both consumers and enterprises, albeit it is more tailored towards the latter.

Kryptel is one of the many consumer-oriented encryption tools that provides a lot of convenience. In a matter of a few clicks, users can easily encrypt thousands of files on their personal computer. Data-wiping security can be enabled as well, which may be a nifty feature for some users. The free tool offers all of this functionality, whereas the paid version adds a command-line interface and encrypted backups.

Open-source solutions in the way of data encryption are not hard to come by, yet few of them make a big name for themselves. Ciphershed is one of those rare exceptions, which is completely free of charge to use. It is capable of encrypting files and entire drives, as well as removable storage. It includes a wizard guiding both novice and advanced users through this entire process, which is appreciated by a lot of people. It is a very potent solution that will suit most people's needs.

Three different versions of SecureDoc exist in the world today, one of which is designed specifically for the Windows operating system. SecureDoc offers encryption tools for computers, laptops, and removable media. Users can encrypt files, folders, and entire disks in a matter of clicks. The company's other two solutions focus on the Enterprise and Cloud sector, which are worth checking out as well.

Another open-source program available to consumers around the world goes by the name of AES Crypt. With a 256-bit encryption algorithm, AES Crypt is one of the most powerful free solutions to date. Encrypting data requires a file name and password, which is also used for decrypting information later on. AES Crypt works across Windows, Linux, and Mac OS X devices, and it has become somewhat of a standard among computer users over the past few years.

Last but not least, there is the VeraCrypt open-source encryption solution. Its main purpose is to protect files and computer systems against data theft and information leaks, both of which are very common threats these days. VeraCrypt can be used to encrypt hard drive partitions, as well as the entire system. Moreover, it is a powerful solution against brute-force attacks, which can go a long way in this day and age of cyber crime.

More:
Top 6 Data Encryption Solutions - The Merkle