Chinas web censorship machine, the Great Firewall, has a more offensive brother, researchers have declared today. Called the Great Cannon by Citizen Lab, a research body based at the University of Toronto, it can intercept traffic and manipulate it to do evil things.

In recent distributed denial of service (DDoS) attacks on code repository Github, the Great Cannon was used to redirect traffic intended for Baidu Baidu, the equivalent of Google Google in China, to hit two pages on the target site, including one that provided links to the Chinese-language edition of the New York Times. GreatFire.org, a website dedicated to highlighting Chinese censorship, was hit by a similar attack.

The Great Cannon only intercepts traffic to or from a specific set of targeted addresses, unlike the Great Firewall, which actively examines all traffic on tapped wires going in and out of China. According to Citizen Lab, in the recent DDoS hits, it intercepted traffic going to Baidu, and when it saw a request for certain JavaScript files on a Baidu server, it appeared to either pass the request on unmolested, as it did for 98 per cent of connections, or it dropped the request before it reached Baidu and sent a malicious script back to the requesting user, as it did nearly 2 per cent of the time. That malicious script would fire off traffic to the victims servers. With so many users redirected to the targets, the internet pipes feeding Github and GreatFire.org were clogged up, taking them offline. It was an effective, if blunderbuss, approach to censoring the targets.

A Baidu paper cup is seen on a table at the Baidu headquarters building in Beijing on December 17, 2014. Baidu visitors were used in recent attacks on Github and GreatFire.org AFP PHOTO / Greg BAKER (Photo credit should read GREG BAKER/AFP/Getty Images)

But, as the researchers noted, the Great Cannon could be abused to intercept traffic and insert malware to infect anyone visiting non-encrypted sites within the reach of the attack tool. That could be done, said Citizen Lab, by simply telling the system to manipulate traffic from specific targets, say, all communications coming from Washington DC, rather than going to certain sites, as in the abuse of Baidu visitors. Since the Great Cannon operates as a full man-in-the-middle, it would also be straightforward to have it intercept unencrypted email to or from a target IP address and undetectably replace any legitimate attachments with malicious payloads, manipulating email sent from China to outside destinations, Citizen Lab added in its report released today.

The Great Cannon is not too dissimilar to QUANTUM, a system used by the National Security Agency and the UKs GCHQ, according to the Edward Snowden leaks. So-called lawful intercept providers, FinFisher and Hacking Team Team, sell products that appear to do the same too, Citizen Lab noted.

But theres one simple way to stop the Great Cannon and the NSA from infecting masses of users: encrypt all websites on the internet. The system would not be able to tamper with traffic that is effectively encrypted. The SSL/TLS protocols (which most users commonly use when on HTTPS websites rather than HTTP) drop connections when a man-in-the-middle like the Cannon is detected, whilst preventing anyone from peeking at the content of web communications.

There are some significant projects underway designed to bring about ubiquitous web encryption. Just this week, the Linux Foundation announced it would be hosting the Lets Encrypt project, which seeks to make SSL certificates, which website owners have to own and integrate into their servers to provide HTTPS services, free and easy to acquire. It should be possible to grab these simple and (hopefully) secure certificates from mid-2015, though Josh Aas, executive director at the the Internet Security Research Group (ISRG), which runs Lets Encrypt, would not say when exactly. It has some serious backers, including Akamai, Cisco, Electronic Frontier Foundation and Mozilla.

Its unclear whether Lets Encrypt would provide certificates to Chinese sites. The default stance is that we want to issue to everyone but we will have to comply with US laws our legal team is looking into it.

Read the rest here:
Another Reason For Ubiquitous Web Encryption: To Neuter China's 'Great Cannon'

Last week, FBI Director James Comey once again campaigned for backdoors into the encryption programs of tech companies, writes Sunday Yokubaitis at the Daily Dot.

Tech execs say privacy should be the paramount virtue, he told the House of Representatives Appropriations Committee. When I hear that, I close my eyes and try to imagine what the world looks like where pedophiles cant be seen, kidnappers cant be seen, [and] drug dealers cant be seen.

The United States government is playing to fear, uncertainty, and doubt. The reality is the government already collects a tremendous amount of personal data about its citizens through the location data our phones give away, National Security Agency metadata programs and online shopping habits without our consent.

Encryption is how privacy-conscious Internet users fight back against the unblinking eye of government mass surveillance and protect themselves online. Even if the NSA can break some encryption technologies, were at least making it harder and more expensive for them to track law-abiding citizens en masse. When Comey asks for backdoors, he is really just asking to make his job easierwith dubious benefits and very serious risks.

We must protect encryption because backdoors are inherently insecure.

Todays Question: Is encryption the Second Amendment for the Internet?

Excerpt from:
Is encryption the Second Amendment for the Internet?

Download ActiveX PGP Encryption/Decryption DLL
Download ActiveX PGP Encryption/Decryption DLL Download link: http://bit.ly/1Im3KUe Integrate enterprise quality PGP methods into your application. Download and install easily, with detailed...

By: Amanda Gunnell

Read the original post:
Download ActiveX PGP Encryption/Decryption DLL - Video

In the wake of the revelations that intelligence agencies have been engaged in mass surveillance activities, both industry and society at large are looking for practicable encryption solutions that protect businesses and individuals. Previous technologies have failed in practice because they were too expensive or not user friendly enough. Fraunhofer has launched an open initiative called "Volksverschlsselung" with the aim of bringing end-to-end encryption to the masses. Fraunhofer researchers will be presenting a prototype of their easy-to-use software and the infrastructure concept behind it at CeBIT 2015 .

Encryption is the most effective antidote to unwarranted, mass surveillance of people, companies and authorities. Although there are any number of computer programs designed to, say, make e-mail communication more secure, most people find them to be too much of a hassle. This is why the German government made establishing universal and easy-to-use encryption part of its Digital Agenda. A research team from the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt developed a public encryption concept that factors in user friendliness from the outset. The software automatically installs the cryptographic keys in the right places on your computer. The researchers are also working on an infrastructure that will be available to everyone and is compatible with existing encryption services.

"With this initiative and what it's developing, Fraunhofer is supporting the German government's efforts to better protect people and companies," says Prof. Michael Waidner, Head of Fraunhofer SIT. This is why "Volksverschlsselung" is to be made available as open-source software.

Key allocation for beginners

The software is the centerpiece of the solution. It relieves the user of the previously difficult task of allocating keys by recognizing which applications -- different e-mail programs, for example -- on your computer, smartphone or tablet can use cryptography and automatically allocates the right key to each one. The software also generates cryptographic keys that can be used to encrypt e-mails or files.

If you want to send someone an encrypted e-mail, you need the public key. In the "Volksverschlsselung" model, you can obtain this from the central infrastructure. "It works like a phone book," says project manager Michael Herfert. "Anyone can look up and download public keys. The central infrastructure also ensures that the keys actually belong to the person requesting them and helps prevent identity fraud." At CeBIT 2015, Fraunhofer researchers will demonstrate how people can register using the eID function of the German identity card. Other ways of registering are to be made possible in the future. To make it possible for a vast number of people to use the "Volksverschlsselung" infrastructure, it would ideally have to be set up to handle several million keys. This calls for an infrastructure that is as efficient as it is secure. The current plan is to install the infrastructure on a high-security server at the Fraunhofer Institute Center in Birlinghoven near Bonn, and other trusted partners will also be able to participate soon.

Companies also stand to benefit from the results of the "Volksverschlsselung" project -- especially from the software. Solutions developed as part of the project could help small and medium-sized enterprises in particular by making it easier for them to implement encryption and thus better protect trade secrets.

The researchers will be presenting a prototype of the software at CeBIT 2015 in Hannover from March 16 to 20. This version of the software is designed for Windows desktop computers, but further versions for other operating systems and mobile devices are in the pipeline. The research team is also working on various add-ons, including one that supports ad hoc encryption.

Story Source:

The above story is based on materials provided by Fraunhofer-Gesellschaft. Note: Materials may be edited for content and length.

Read the original here:
Encryption for everyone

In Silicon Valley, the recruiting game is extremely competitive, according to Ron Harrison, founder of Jivaro Professional Headhunters, a specialist in placing technology candidates.

In some cases, Harrison said the difference between getting nothing and a US$30,000 fee has come down to the few slim minutes between when one recruiter sent a resume to a company and a competing recruiter did.

Its a dirty business, Harrison said in a phone interview.

Recruiting is complicated by the fact that companies may share resumes, even if the receiving company isnt a client of the recruiter. Essentially, it means a recruiter loses its intellectual property through a gaping hole: an unencrypted document can be sent to anyone.

But Harrisons company is one of 10 trying software from a startup named Vera that aims to lock down documents transferred over email or other file-sharing services such as Box or Dropbox.

Cofounder Ajay Arora said Vera addresses a common enterprise problem: once a document leaves a companys network, its just out there for anyone to see who receives itor intercepts it.

While there is a lot of software out there that tackles this problem, Arora said he wanted to create a product that is very easy to use and doesnt interrupt the workflow of employees. Harrison, for example, said he was up and running in a few minutes with Vera, and it was easy for his employees to use.

With a right click on a file, a set of policies can be attached to, for example, a resume. The resume is encrypted, with the decryption key passed only to the authorized recipient, who doesnt have to install Veras software.

The document wont open if it is forwarded to someone else. It can also be time-bombed, or locked up after a predetermined amount of time, or blocked from being printed. Copy-and-pasting can also be stopped.

Vera uses AES 256-bit encryption to scramble a file, and then puts a metadata wrapper around it that contains the policies attached to it. The metadata wrapper phones back to Veras servers to make sure the authorized recipient is opening it, and then a symmetric key is securely transferred from Veras servers to the recipient to decrypt it, Arora said.

Excerpt from:
Encryption startup Vera locks down transferred documents

Summary:The latest Firefox browser update has created a web encryption security hole for hackers to exploit.

Mozilla's Firefox has received a new update to patch a web encryption flaw which could allow malicious websites to bypass certificate verification checks.

Last week, Mozilla introduced Firefox 37.0, which included support for HTTP/2, an Internet standard which allows for web connections to be encrypted even when HTTPS is not supported. One feature is HTTP Alternative Services -- otherwise known as Alt-Svc -- which forces end-to-end encryption between pages through redirection protocols.

Alt-Svc communicates with your PC or mobile device, offering an alternative way to access a web page. Instructions then can be sent in order to perform "opportunistic encryption," which forces through basic encryption protocols when visiting a website. It is not as secure as HTTPS, but is certainly an improvement on today's HTTP, which is the most commonly used communication channel on the Internet.

Unfortunately, while the latest Firefox update was designed to improve basic security, it also introduced a new, critical bug which allowed a researcher to find a way to bypass certificate verification if a web server redirected visitors through the HTTP/2 system.

In a basic security advisory provided by the Mozilla Foundation, the security flaw was deemed "critical." The bug, exploited through the HTTP/2 Alt-Svc header -- within Mozilla's Alternative Services implementation -- allowed for SSL certification verification to be bypassed.

As a result, invalid SSL certificate warnings would not be displayed and a hacker could potentially use a man-in-the-middle (MITM) attack to impersonate legitimate websites with the overall aim of luring victims to malicious pages, which could then be used to steal data or deliver malware payloads.

Cyberattackers could, for example, hijack the connection which looks legitimate thanks to Alt-Svc and send a victim to a phishing site masquerading as their bank, and users may not find anything amiss -- as invalid certificate warnings would not be displayed.

As reported by the Sophos Naked Security team, the bug was rapidly discovered and fixed. The team also noted that HTTP/2 isn't yet finalized and is not widely used. However, it is on its way to adoption through support by web servers including Apache, Nginx and Microsoft's IIS (Internet Information Servers) in Windows 10 Preview.

Go here to see the original:
Mozilla pushes out fix for Firefox opportunistic encryption flaw

DUBLIN, Apr. 08, 2015 /PRNewswire/ --Research and Markets

(http://www.researchandmarkets.com/research/kcd8bk/global_encryption) has announced the addition of the "Global Encryption Software Market 2015-2019" report to their offering.

The Global Encryption Software market to grow at a CAGR of 17.36% over the period 2014-2019

Encryption is a technique that secures data by converting plain text into a cipher format during transmission through the internet. The process uses mathematical algorithms that convert the information into an undecipherable format that can only be accessed using a secret code. The strength of an encryption code is measured by its length, which is determined by the number of bits used, as it is directly proportional to the number of possible codes or combinations. Though the primary goal of an encryption software is to encrypt and decrypt data, it also includes features such as shredding.

One key trend upcoming in this market is increased adoption of the BYOD policy. Most enterprises in developing countries and SMEs cannot afford expensive on-premises encryption software solutions. Hence, they are adopting BYOD solutions, which can manage their business operations and provide secure access to data from any place with less capital investment.

According to the report, increase in the number of data breaches is a key driver of the market. Organizations are increasingly focusing on securing critical data and improving customer satisfaction. Encryption software provides organizations with various regulations that help to reduce the number of breaches, driving the demand for encryption software solutions.

Further, the report states that one major challenge in the market is the complexity of encryption. For encryption, algorithms convert data into an encoded format. However, different types of encryption use different amounts of space to store data, and managing with less space in less time can become complex with the increasing demand for encryption solutions. Regulatory restrictions are also hindering the growth of the market.

This report covers the present scenario and the growth prospects of the Global Encryption Software market for the period 2015-2019. To calculate the market size, the report considers revenue generated from encryption software, solutions, tools, applications, services, support, and maintenance.

The report also presents the vendor landscape and a corresponding detailed analysis of the six major vendors in the market. It provides a geographical segmentation of the market for 2014 and details of the major drivers, challenges, and trends in the market. It also provides a segmentation based on data usage, applications, and end-users in the market. Key Vendors

Other Prominent Vendors

Read the original:
Global Encryption Software Market 2015-2019 - Increased Adoption of BYOD with Check Point Software Technologies, Cisco ...

The "opportunistic encryption" feature added to Firefox last week has been disabled to fix a critical security bug that allowed malicious websites to bypass HTTPS protections, Mozilla officials said.

Now, Mozilla developers have disabled opportunistic crypto in the just-released Firefox 37.0.1 after they discovered that the implementation released last week introduced a critical bug. The vulnerability, which resides in functionality related to opportunistic crypto, in some cases gave attackers an easy way to present fake TLS certificates that wouldn't be detected by the browser. The flaw in the HTTP alternative services implemented in version 37 could be triggered by a malicious website by embedding an "Alt-Svc" header in the responses sent to vulnerable visitors. As a result, warnings of invalid TLS certificates weren't displayed, a shortcoming that allowed attackers with a man-in-the-middle position to impersonate HTTPS-protected sites by replacing the original certificate with their own forged credential.

"There was a Firefox implementation problem with Alt-Svc," Chad Weiner, Mozilla's director of product management, wrote in a statement sent to Ars. "Opportunistic Encryption is a related, but separate, feature that depends on Alt-Svc. Opportunistic Encryption was disabled because of its use of Alt-Svc. We plan to re-enable this feature once weve had time to fully investigate the issue."

Mozilla provided a bare-bones description of the vulnerability here. In a post published Tuesday, the Sophos Naked Security blog offered a more thorough description of the bug and the risk it posed:

A security researcher worked out a way to bypass HTTPS certificate validation if a web server redirected you via the Alt-Svc header.

That's very bad, and here's why.

If you had a phishing site that pretended to be yourbank.example, and handled HTTP connections directly, you'd have difficulty presenting a legitimate-looking connection.

You'd either have to use HTTP and hope your victims wouldn't notice the lack of a secure connection, or use HTTPS and hope they wouldn't notice the certificate warnings telling them that you probably weren't the lawful owner and operator of the yourbank.example domain.

Some users would probably end up getting tricked anyway, but well-informed users ought to spot the ruse at once, and remove themselves from harm's way.

But this Alt-Svc bug could be used by crooks to redirect victims to a secure connection (thus making the connection "look right") without producing a certificate warning to say that the site looked like an imposter.

Original post:
Firefox disables “opportunistic encryption” to fix HTTPS-crippling bug

The new Vormetric Cloud Encryption Gateway will encrypt data before it is put into cloud storage.

Vormetric has announced the release of the Vormetric Cloud Encryption Gateway, which extends the company's data security platform with protection for data in cloud storage environments.

The new product is designed to make sure that the use of cloud storage solutions can be fully embraced without the fear over lack of security controls for regulated and sensitive data.

The Cloud Encryption Gateway offers organisations compliant Box and S3 services to both employees and partners.

Garrett Bekker, senior analyst in the information security practice at 451 Research, said: "Unstructured data has no permanent home. Depending on the latest 'project du-jour' it can live in an on-premise data centre, a big-data repository, and increasingly in the cloud within popular SaaS apps or file synch-and-share (FSS) offerings like Box."

"However, the cloud security marketplace is currently composed of mainly point products that address only a few of these potential scenarios. Vendors who can address a wide range of use cases and address both cloud and on-premise repositories of unstructured data should be well received by enterprise customers."

One of the benefits of this new platform is that it encrypts data before it is saved to cloud storage, while the encryption keys and access policies are under enterprise control.

The main components of the product are that it provides encryption and policy enforcement and it is paired with a Vormetric Data Security Managment.

These will both be available as virtual appliances and the DSM can also be deployed as a FIPS 140-2 Level 2 or Level 3 certified hardware appliance.

Derek Tumulak, VP of product management for Vormetric, said: "Enterprise users love cloud file storage and sharing solutions, but in using them often violate IT security and compliance rules. IT organisations can take back control by offering users the services they want, but in a way that meets enterprise security needs."

Go here to read the rest:
Vormetric secures AWS S3 & Box data

Mozilla has pulled Firefox 37's opportunistic encryption feature after less than a week when it learned that tech designed to enhance security actually broke SSL certificate validation.

A simple patch wouldn't do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption.

Going into reverse ferret mode and stripping out technology that evidently wasn't ready for prime time is a little embarrassing for Mozilla even though this is the responsible action to take in the circumstances.

Mozilla correctly labels Firefox 37.0.1 as a critical update.

Opportunistic encryption offers some basic encryption of data previously sent as clear text. The vulnerability arises in security flaws within the Alternative Services capability that underpins opportunistic encryption.

The CVE-2015-0799 bug in Mozilla's HTTP Alternative Services implementation discovered by security researcher Muneaki Nishimura left surfers vulnerable to man-in-the-middle attacks that involved hackers impersonating genuine sites.

Normally, the fake certificate hackers try to fool surfers with (in such cases) would generate warnings.

However, these certificate warnings would fail to appear, leaving surfers without a clue that anything was amiss, as a security advisory by Mozilla explains.

If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server.

As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.

More:
Can't patch this: Mozilla pulls encryption feature after just a WEEK