Category Archives: Encryption

Sneak peek at Data Loss Prevention in SharePoint – plus new mobile encryption viewers – Video

Posted on by


Sneak peek at Data Loss Prevention in SharePoint - plus new mobile encryption viewers
On this week #39;s show we invite back Asaf Kashi, a lead engineer on the information protection team. We introduce the information protection updates coming to Office 365 and demonstrate the upcoming.

By: OfficeGarageSeries

Read the rest here:
Sneak peek at Data Loss Prevention in SharePoint - plus new mobile encryption viewers - Video

German researchers discover a flaw that could let anyone listen to your cell calls.

Posted on by

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the worlds cellular carriers to route calls, texts and other services to each other. Experts say its increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the worlds billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes such as keeping calls connected as users speed down highways, switching from cell tower to cell tower that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

Its like you secure the front door of the house, but the back door is wide open, said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britains GCHQ, but not revealed to the public.

Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation, said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. Theyve likely sat on these things and quietly exploited them.

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Posts article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

Read the original here:
German researchers discover a flaw that could let anyone listen to your cell calls.

Keep encrypted files encrypted when you back them up to the cloud

Posted on by

After reading my article on encrypting sensitive data, Ian Cooper asked if it was safe "to use one of these encryption tools in conjunction with an online backup service?"

In that previous article, I discussed two separate ways to encrypt a folder filled with sensitive files: Windows own Encrypted File System (EFS) and VeraCrypt, a free, open-source fork of the well-remembered TrueCrypt. This time around, I'll look at how files encrypted with either of these work with two popular online backup services, Mozy and Carbonite.

[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

Both Mozy and Carbonite encrypt your files and keep them encrypted on their servers. However, the default settings provide a backdoor to that encryption. It's therefore theoretically possible for a hacker, a disgruntled employee, or the NSA to access your files.

Both companies offer a more secure option where you and only you have the key, and therefore, there's no backdoor. Mozy calls this a Personal Encryption Key; Carbonite calls it aPrivate Encryption Key. The problem, of course, is that if you lose the key, you lose your backup.

But even if the backup service has the key to your files, they don't have the key to your EFS encryption. And the files are useless without that. When I tested this, Carbonite wouldn't let me download EFS-encrypted files onto another computer. Mozy let me download the files, but those files just contained gobbledygook.

VeraCrypt's container approach makes this a non-issue. Remember that VeraCrypt keeps your sensitive files in one or more encrypted container files. Open a container with the password, and your files become available in a virtual drive. Close the container, and your files exist only in the encrypted container.

The simple solution: Don't back up the virtual drive. Just back up the container. That will effectively back up the files, but they'll be encrypted before Mozy, Carbonite, or any other online service will ever see them.

Your message has been sent.

There was an error emailing this page.

View original post here:
Keep encrypted files encrypted when you back them up to the cloud

The Difference Between Wi-Fi Security Protocols: WPA2-AES Vs WPA2-TKIP

Posted on by

Setting up encryption on your wireless router is one of the most important things you can do for your network security, but your router probably offers various different options WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) among the alphabet soup. How-To Geek explains which one to choose for a faster, more secure home network.

In essence, TKIP is deprecated and no longer considered secure, much like WEP encryption. For optimal security, choose WPA2, the latest encryption standard, with AES encryption. (If your router doesnt specify TKIP or AES, the WPA2 option will probably just use AES.) However, if you have old Wi-Fi devices that arent compatible with WPA2, you can use the TKIP+AES or mixed mode option if its available on your router.

For more details on each Wi-Fi security option, head over to How-To Geeks explainer.

Wi-Fi Security: Should You Use WPA2-AES, WPA2-TKIP, or Both? [How-To Geek]

Go here to see the original:
The Difference Between Wi-Fi Security Protocols: WPA2-AES Vs WPA2-TKIP

Google’s work on full encryption chugs along, with Yahoo’s help

Posted on by

Google is making progress developing a user-friendly tool for fully encrypting peoples messages on their computers, with coding help from Yahoo and a transition to GitHub.

Contributions from Alex Stamos, Yahoos chief security officer, and his team have been incorporated into an updated pre-release version of the browser extension announced Tuesday, Google said in a blog post.

Google cited progress in other areas for the project, which aims to give Internet users an easy-to-use tool for encrypting email messages. The tool would scramble peoples messages before they leave their browser and keep them that way until the recipient decodes them. Known as end-to-end encryption, its typically too complex for non-technical users but Yahoo, WhatsApp and others are developing products around it, in response to cybersecurity and spying concerns.

Googles tool currently exists only as source code for a Chrome extension that developers must compile themselves. The first version was made available in June.

The code is being migrated to the GitHub open-source software repository so other developers can tinker with and improve it, Google said Tuesday.

Weve always believed strongly that end-to-end must be an open source project, and we think that using GitHub will allow us to work together even better with the community, wrote Stephan Somogyi, Googles product manager for security and privacy, in the blog post.

To that end, the projects GitHub listing contains additional information for developers and researchers interested in better understanding the tool, Google said.

The tool still seems a ways off from mainstream use. Its still in alpha, Google said, and not yet available in the Chrome Web Store. We dont feel its as usable as it needs to be, Googles Somogyi said.

But Google is working on a server for managing peoples encryption keys for the tool, usually one of the hardest usability problems with cryptography-related products. Google hopes to have a fully fledged end-to-end encryption tool available next year.

Zach Miners covers social networking, search, and general technology news for the IDG News Service, and is based in San Francisco. More by Zach Miners

Originally posted here:
Google's work on full encryption chugs along, with Yahoo's help

Quantum Encryption Could Make Credit Cards Unhackable

Posted on by

Dutch researchers says we're closer to making such technology a practical reality.

Imagine credit cards and ID cards which could never be hacked. That's the promise of quantum cryptography, which harnesses peculiar properties of subatomic particles to thwart data thieves.

Now a team of Dutch researchers says we're closer to making such technology a practical reality.

Publishing in the current issue of Optica, scientists at the University of Twente and Eindhoven University of Technology describe what they call quantum-secure authentication (QSA) of a "classical multiple-scattering key."

To decipher and authenticate the key, the team illuminated it with "a light pulse containing fewer photons than spatial degrees of freedom and verifying the spatial shape of the reflected light." The upshot is that a would-be hacker couldn't crack the encrypted data "even if all information about the key is publicly known," because the principles of quantum physics prevent the optical response to the key from being emulated.

Which is to say that instead of depending on people keeping a secret or "unproven mathematical assumptions," QSA leverages the immutable properties of quantum mechanics to create a perfectly secure encryption system.

The immediate application of the technology would be to add a "strip of nanoparticles" to a credit card or passport, noted Discovery News. To verify the authenticity of the strip, you'd "zap [it] with a laser in such a way as to create a unique pattern that's impossible to crack."

Such a security layer would be "straightforward to implement with current technology," according to study lead author Pepijn Pinkse of the University of Twente's MESA+ Institute for Nanotechnology.

Pinkse offered a way to visualize how QSA works in an accompanying report seen by Discovery News.

"It would be like dropping 10 bowling balls onto the ground and creating 200 separate impacts. It's impossible to know precisely what information was sent (what pattern was created on the floor) just by collecting the 10 bowling balls," the scientist was quoted as saying.

Continued here:
Quantum Encryption Could Make Credit Cards Unhackable

Interested in encrypting your data? Here’s what you need to know [infographic]

Posted on by

There is more than one way to keep your data safe from prying eyes, but the practice that is most recommended is still the use of encryption. It will ensure that only you will be able to access personal information, requiring a decryption key to unlock your data. Proving just how effective it can be, the US government basically wants both Apple and Google to allow it to bypass the encryption in the latest versions of their mobile operating systems, namely iOS 8 and Android 5.0 Lollipop, respectively, because currently it is unable to directly access that data.

However, there are quite a few things that you should also know about encryption before you decide to go down this road. To learn more about what encryption entails, you can check out the following infographic, called "Protected: A Beginner's Guide To Encryption".

This infographic briefly details the basics of encryption, starting with the encryption key, what encryption software you can use on your PCs and Macs, how to encrypt data stored on cloud storage services, and how to encrypt your emails.

As with cloud-based accounts, the more complex the encryption key, the better your chances of keeping your data private. A strong encryption key will be much, much more difficult to crack than, let's say, "password1234" -- it will not help keep your data safe for long, even if you are using the best encryption around.

Similarly, if you do not use safe browsing habits your data may still be at risk, no matter if it is encrypted. You must also make sure that your devices are protected against unauthorized access when you are not using them -- that means locking them while you are away, using difficult to guess passwords and so on.

Image Credit: VERSUSstudio / Shutterstock

See original here:
Interested in encrypting your data? Here's what you need to know [infographic]