Google reverses its promise to enable encryption by default in Android Lollipop

Summary: UPDATED: The search giant will let phone makers decide whether or not to enable encryption-by-default because of performance issues on older devices.


Phones and tablets running Android "Lollipop" will not have device encryption switched on by default, despite an earlier promise by the software maker.

Ars Technica first reported Monday the company's move to reverse its policy. Although all phones and tablets running Android "Lollipop" will support encryption, it will be the responsibility of the phone or tablet maker to decide how to implement it.


In an email to ZDNet, Google confirmed the decision, saying that encryption by default will instead be reserved for "future versions" of the mobile operating system.

Update: A Google spokesperson confirmed in an email that the reason was "due to performance issues on some Android partner devices," adding: "We remain firmly committed to encryption because it helps keep users safe and secure on the web."


For now, only Google's own Nexus 6 phone and Nexus 9 tablet have device encryption enabled by default when the device is first switched on.

Link:
Google reverses its promise to enable encryption by default in Android Lollipop

Terrorist encryption tools nothing more than ‘security cape’ and gov’t red flag

Summary: Terrorist groups such as ISIS and Al Qaeda have something in common -- they are using encryption tools which are not worthy of the name.

CANCUN, MEXICO: Are encryption tools used by terrorist organizations truly secure, or are they nothing more than a publicity stunt?

"Terrorists love forums," Rodrigo Bijou from data solutions provider The Data Guild said with a slight shrug as he addressed attendees at Kaspersky Labs' Security Analyst Summit. On Tuesday, the terrorism and technology speaker said that throughout his research, online forums have become a modern-day breeding ground for the spread of terrorist-based propaganda -- as well as a place to share "secure" encrypted communications tools used by groups including ISIS and Al Qaeda.

However, the actual security value of these tools is debatable -- and so could they have another purpose altogether?

The use of technology by terrorists is far from a new idea. For example, while some groups do rely on trusted couriers to send messages, now they have caught up with the times and have seen the potential the Internet holds to spread their message, recruit new members and communicate with each other.

Groups such as ISIS and Al Qaeda are known to use the Web for these purposes. However, they have also developed their own encryption-based toolkits to try and keep their activities from the eyes of intelligence agencies and governments across the globe.

Three main developers of secure, encrypted communications tools have been linked to terrorist organizations. The Global Islamic Media Front (GIMF) and Al-Fajr Media Center Technical Committee (FTC) -- both propaganda and media arms linked to Al Qaeda -- and ISIS -- as a developer itself of security tools -- have all created supposedly secure, encrypted messaging platforms -- but there is a problem.

ISIS does not trust the others, and due to this political conflict, the platforms are sub-par at best. Perhaps happily for us, this lack of trust ensures that none of the groups are pooling their resources to improve terrorism-based communication software.

Al Qaeda, for example, has a flagship communications tool called Asrar al-Mujahideen, launched in 2008. The GIMF software comes pre-loaded with a public encryption key and according to their website, the software provided follows the "latest technological advancements" with "4096 bit public key encryption" for use on the Windows and Android platforms.

Another GIMF tool released in 2013 is the Asrar al-Dardashah encrypted chat plugin, suitable for Symbian and Android and designed to encrypt data across chat apps already in use.

Read the rest here:
Terrorist encryption tools nothing more than 'security cape' and gov't red flag

Gemalto SIM card encryption hack: Key questions remain

Summary: A Wednesday press conference will aim to quell fears that the UK and US intelligence agencies have unfettered access to our mobile devices and phone calls.

Billions of SIM cards are said to be affected by the Gemalto hack.

The Gemalto encryption key "heist" may be one of the biggest breaches of corporate data conducted by an intelligence agency to date.

The attack, first reported by The Intercept, showed how the UK and US intelligence communities stole encryption keys to millions of SIM cards, used by dozens of cellular networks in the US and around the world, for contactless payment systems, biometric passports, and credit and debit cards.

The story was based on documents leaked by whistleblower Edward Snowden.

In an effort to quell initial fears, the targeted company said in a statement Monday that its initial conclusions suggest its SIM products are "secure," but did not elaborate further.

Gemalto will hold a press conference on Wednesday (10:30am local, 4:30am ET), where it is expected to reveal more from its investigation. (We'll have more then.)

These are the questions the company will have to answer.

1. Obama says US government doesn't listen to phone calls. But could it?

Days after the first Snowden leaks landed, Obama declared, "nobody is listening to your telephone calls." (He was, of course, talking about laws preventing the NSA from listening in on American calls.) It was bad enough that there was fear and uncertainty over the phone metadata program, but the Gemalto hack is about as clear as it gets that the NSA was trying to "passively" listen to phone conversations.

More:
Gemalto SIM card encryption hack: Key questions remain

China wants Silicon Valley’s encryption keys: Good business, or get out?

Summary: China wants the encryption keys from U.S. technology companies as part of a counter-terrorism law. The draft law leaves U.S. tech giants with two options: Play ball or get out.


The Chinese government has introduced plans for a far-reaching counter-terrorism law that would require tech companies to hand over encryption keys and source code -- even "backdoors" to give Chinese authorities surveillance access, according to Reuters.

The draft law, on its second reading in the state's parliament, is expected to be passed in a matter of weeks.

In an interview with the news agency, President Obama said he has brought up the issue with the Chinese premier.

"We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States," the president said.

Except that's not exactly what's going on here. It's U.S. tech companies that want to do business with China, thanks to its massive population, burgeoning economy, and its considerable potential financial returns. It's where some of the big global powerhouses are. It would be absurd to no longer do business in the economic and manufacturing heart of the world.

China's rules are broad and borderline terrifying for companies and countries wanting to do business with the Communist state. Making matters worse, tech companies can't possibly comply with the proposed rules. It's not surprising that China, with a history of stealing intellectual property, state-sponsored hacking, and shutting out businesses it doesn't like from state procurement rules, is not trusted by the West.

But Beijing, which sees the rules as vital in protecting state and business secrets, is the one holding the cards. Beijing doesn't trust Silicon Valley in the wake of the National Security Agency surveillance disclosures.

In that regard, China's move to introduce these laws is just good business sense for the country.

Read more:
China wants Silicon Valley's encryption keys: Good business, or get out?

CloudFlare boosts browsing privacy, speed through encryption deployment

Summary: CloudFlare has gone beyond offering free SSL to millions of websites and is now deploying a new level of encryption by default.

CloudFlare is deploying a new level of encryption to improve the security and speed of its websites, especially when visited through mobile web browsers.

The US-based CDN and DNS provider rolled out free SSL to millions of websites through the Universal SSL scheme last fall. Now, the company has begun rolling out a new form of encryption to improve the performance and security of mobile browsing. Dubbed ChaCha20-Poly1305, the cipher suites have only previously been used by one major tech firm, Google, but all CloudFlare websites now support the new algorithm.

As of the time of writing, approximately 10 percent of CloudFlare HTTPS website connections are using the protocol, but more are to follow.

Nick Sullivan from CloudFlare described the deployment in a blog post on Tuesday, explaining that the protocol for encrypting HTTPS -- Transport Layer Security (TLS) -- allows the easy integration of new encryption algorithms. The new cipher, based on the ChaCha20 and Poly1305 algorithms, fills the gap left by mobile browsers and APIs in TLS right now for secure encryption.

In addition, ChaCha20-Poly1305 improves upon the security of the de facto stream cipher choice for TLS, RC4 -- which is no longer considered secure. Another alternative, the AES-GCM cipher, is a good choice, but can be costly when it comes to mobile battery life. Therefore, users have been stuck choosing between power-hungry and insecure encryption options.

In order to combat this problem and find a power-friendly alternative for mobile devices, Google engineers developed ChaCha20-Poly1305, which was included in Chrome 31 in November 2013, and Chrome for Android and iOS at the end of April 2014.

"Having the option to choose a secure stream cipher in TLS is a good thing for mobile performance," Sullivan says. "Adding cipher diversity is also good insurance. If someone finds a flaw in one of the AES-based cipher suites sometime in the future, it gives a safe and fast option to fall back to."

ChaCha20-Poly1305 -- a combination of ChaCha20, a stream cipher, and Poly1305, a message authentication code, both developed by Professor Dan Bernstein -- is designed to provide 256-bit security, in comparison to the AES-GCM cipher, which provides around 128 bits of security.

CloudFlare says this level is "more than sufficient" for HTTPS connections. In addition, ChaCha20-Poly1305 also protects TLS against cyberattackers inserting fake messages into secure streams.

More:
CloudFlare boosts browsing privacy, speed through encryption deployment

Spain: Check Sikur’s hyper-secure GranitePhone, the next step in mobile encryption – Video

Brazilian company Sikur unveiled their pro-privacy GranitePhone at the Mobile World Congress in Barcelona on Wednesday.

By: RuptlyTV

Go here to see the original:
Spain: Check Sikur's hyper-secure GranitePhone, the next step in mobile encryption - Video

Microsoft Says PCs Also at Risk to ‘Freak’ Bug

Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered "Freak" encryption security flaw, which was initially believed to only threaten mobile devices and Mac computers, Microsoft warned.

A group of nine security experts on Tuesday disclosed that ubiquitous Internet encryption technology could make devices running Apple's iOS and Mac operating systems, along with Google's Android browser, vulnerable to cyberattacks. Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the Freak vulnerability.

The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption. If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said.

Security experts said the vulnerability was relatively difficult to exploit because hackers would need to find a vulnerable web server, break the key, find a vulnerable PC or mobile device, then gain access to that device.

Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it had not yet developed a security update that would automatically protect Windows PC users from the threat. Apple and Google both said Wednesday they had developed software updates to address the vulnerability. "Freak" stands for Factoring RSA-EXPORT Keys.

First published March 6 2015, 3:17 PM

Read the rest here:
Microsoft Says PCs Also at Risk to 'Freak' Bug

ANX Announces Industry’s First PCI QSA Validated Point-to-Point Encryption Solution

ANX Partners with Bluefin to add Validated Point-to-Point Encryption to its Industry-Leading PCI Compliance Solution

SOUTHFIELD, Mich. - ANXeBusiness Corp. (ANX), a trusted provider of managed payment solutions, has formed a strategic partnership with Bluefin Payment Systems, the leading provider of secure payment technology worldwide. The partnership establishes ANX as the first PCI Qualified Security Assessor (QSA) to offer merchants a PCI-validated Point-to-Point Encryption (P2PE) solution that also delivers a comprehensive suite of layered security and tools to simplify PCI compliance.

ANX's solution, SecurePCI Validated P2PE, combines the benefits of encryption with all the other services that a merchant needs to be secure and compliant. SecurePCI Validated P2PE is fully managed and delivers: validated P2PE; POS terminals required to meet the October 2015 EMV mandate; $100,000 of retroactive data breach protection; portal tools to simplify PCI compliance; and enterprise-grade managed security technology for layered security.

"We are excited about partnering with ANX," said Jeffrey Schroeder, Bluefin's Chief of Marketing Strategy. "They have added our Validated P2PE capabilities to their industry-leading SecurePCI package. ANX is known for their operational excellence and ability to help merchants become PCI compliant."

"Bluefin is the worldwide market leader for Validated P2PE," added Mark Wayne, ANX Executive Vice President, Governance, Risk and Compliance. "The Bluefin partnership is great news for ANX stakeholders. Adding validated P2PE to the portfolio positions ANX to deliver the best-in-class layered security and compliance solution while minimizing the merchant effort to achieve and maintain PCI compliance."

The storage and movement of unencrypted credit card data make US merchants a primary target for organized cybercrime. This vulnerability is exploited with documented success resulting in millions of dollars in damages. P2PE represents a major step forward in the battle to secure credit card information. With P2PE, payment card information is encrypted at the merchant Point-of-Sale (POS) and remains encrypted as it is exchanged with the acquiring bank. Encryption actually devalues the data, which lessens the incentive for theft. Hence, validated P2PE reduces the risk of a data breach, positions merchants to meet the October EMV requirements, and makes it easier to become PCI compliant by reducing the scope.

ANX will be accepting orders for SecurePCI Validated P2PE at the Transact 15 event in San Francisco on March 31, 2015. Learn more at http://www.anx.com.

About ANX
ANXeBusiness Corp., headquartered in Southfield, Michigan, is a global provider of managed payment, compliance, security and connectivity solutions. ANX is certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV). For more information, visit http://www.anx.com.

About Bluefin
Bluefin Payment Systems is the leading provider of secure, integrated, cloud-based payment solutions for Independent Software Vendors and SaaS providers. Bluefin is one of only three companies worldwide to achieve PCI-validation for point-to-point encryption (P2PE). For more information, visit http://www.bluefin.com.

Source: ANXeBusiness Corp.

Link:
ANX Announces Industry's First PCI QSA Validated Point-to-Point Encryption Solution

Microsoft Windows vulnerable to ‘FREAK’ encryption flaw too

Previously thought limited to Apple and Google browsers, the flaw leaves communications between affected users and websites open to interception.

Windows machines are also vulnerable to a decade-old encryption flaw.

Computers running all supported releases of Microsoft Windows are vulnerable to "FREAK," a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw was previously thought to be limited to Apple's Safari and Google's Android browsers. But Microsoft warned that the encryption protocols used in Windows -- Secure Sockets Layer and its successor Transport Layer Security -- were also vulnerable to the flaw.

"Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system," Microsoft said in its advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems."

Microsoft said it will likely address the flaw in its regularly scheduled Patch Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft suggested disabling the RSA export ciphers.

The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site's encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page.

Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers.

"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor," Matthew Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, wrote in a blog post explaining the flaw's origins and effects. "This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today."
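A defender's check for the downgrade that both FREAK articles above describe, added here and not taken from Microsoft's advisory or the researchers' work: it parses a captured TLS ClientHello or ServerHello and reports any export-grade suite the client offers or the server selects, which is how the "disable the RSA export ciphers" workaround can be confirmed on a packet capture. The hello records are constructed inside the block as sample input; the suite codes are the standard TLS values.

```python
import struct

# Export-grade suites that FREAK abuses (standard TLS cipher suite codes).
# A client offering any of these, or a server selecting one, is exposed.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or not hs or hs[0] != expected_type:
        raise ValueError("unexpected record or handshake type")
    return hs[4:4 + int.from_bytes(hs[1:4], "big")]

def server_negotiated_suite(record):
    """Cipher suite a ServerHello selected."""
    body = _handshake_body(record, 2)      # 2 = ServerHello
    pos = 35 + body[34]                    # skip version(2) + random(32) + session id
    return struct.unpack("!H", body[pos:pos + 2])[0]

def client_offered_suites(record):
    """Cipher suites a ClientHello offered, in preference order."""
    body = _handshake_body(record, 1)      # 1 = ClientHello
    pos = 35 + body[34]
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return list(struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n]))

def freak_findings(record):
    """Names of export suites present in a captured hello (empty list = clean)."""
    if record[5] == 1:
        suites = client_offered_suites(record)
    else:
        suites = [server_negotiated_suite(record)]
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]

def build_hello(hs_type, suites, session_id=b""):
    """Constructed minimal TLS 1.0 ClientHello (1) or ServerHello (2) record for testing."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    if hs_type == 1:
        cs = struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # suite list + null compression
    else:
        cs = cs + b"\x00"                                    # one suite + null compression
    body = struct.pack("!H", 0x0301) + bytes(32) + bytes([len(session_id)]) + session_id + cs
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs
```

On a real capture, feed the first handshake record of each direction to freak_findings; a ServerHello selecting an export suite means the server still honours the weakened ciphers, while a ClientHello offering one means the client has not been patched or reconfigured.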

Follow this link:
Microsoft Windows vulnerable to 'FREAK' encryption flaw too