Facebook reports enormous uptick in use of snoop-proof email

This Facebook chart shows how the number of emails protected by encryption by both the sender and the receiver has flipped in only a few short months. Facebook

Keeping email safe from prying eyes is a joint effort, with both the sender and receiver needing to implement encryption technology. And Facebook -- which sends its user base billions of notification emails every day -- says things have gotten significantly more secure because of changes made by popular webmail providers such as Microsoft and Yahoo.

The percentage of outbound notification emails sent from Facebook that are received by email services which support encryption has jumped from less than 30 percent in May to 95 percent by mid-July, according to a Facebook blog post published Tuesday.

That rate of adoption is exceptionally rare, said Jim Fenton, formerly the chief security officer at password replacement firm OneID and now an independent Internet technologist.

"Facebook's measurement is probably as favorable as it can be," Fenton said, pointing out that Facebook's unique situation -- outgoing email only, measured by volume, to large webmail providers for personal use more than work email accounts -- allowed Facebook to achieve such a rapid turn-around.

The change comes amid a growing effort by webmail providers to better support encrypted email. That's a reaction to National Security Agency snooping revealed by whistle-blower Edward Snowden, and it's a necessity at Facebook, where notification emails about posts and comments made by users' friends often contain snippets of private or semi-private content from the site.

The kind of basic email encryption Facebook refers to in its blog post is provided by STARTTLS, an extension to the SMTP mail-transfer protocol that lets two mail servers upgrade their plaintext connection to Transport Layer Security (TLS) before a message is handed over, making it much harder to spy on email in transit. The challenge is that the protection depends on both ends of each hop: if the receiving server does not offer STARTTLS, the sending server either delivers the message in the clear or not at all. Though Facebook has supported STARTTLS for several years, of the three biggest webmail providers, only Google's Gmail had adopted it.

Facebook said in its post that now that Microsoft and Yahoo are on board with STARTTLS, the majority of the social-media site's notification emails are protected by two further properties. One is forward secrecy, which derives a fresh, ephemeral key for every connection, so that an attacker who records the traffic and later obtains the server's long-term private key still cannot decrypt the old messages. The other is strict certificate validation, in which the sending server checks the receiving server's digital certificate against a trusted authority and the expected hostname before handing over the message, so that a forged certificate cannot be used to impersonate the recipient's mail server.
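As an added example (not Facebook's code and not from its blog post), here is the sending side of the hop described above, written against Python's standard library: parse the receiving server's EHLO reply for the STARTTLS keyword, refuse to fall back to plaintext if it is absent, and upgrade with a context that verifies the certificate chain and hostname and permits only cipher suites with forward secrecy. The sample EHLO reply and the hostnames are constructed; the cipher-name check assumes OpenSSL-style names as returned by ssl.SSLSocket.cipher().

```python
"""Strict STARTTLS for an outbound SMTP hop (added example, Python stdlib only)."""
import smtplib
import ssl
from typing import Optional

# Constructed EHLO reply, modelled on what a receiving mail server returns.
# A network attacker who wants to force plaintext simply deletes the
# "250-STARTTLS" line from this reply (the "STRIPTLS" attack), which is why a
# strict sender must refuse to continue when the keyword is missing.
SAMPLE_EHLO = (
    b"250-mx.example.net Hello sender.example.org\r\n"
    b"250-SIZE 35882577\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 PIPELINING\r\n"
)


def parse_ehlo(reply: bytes) -> set[str]:
    """Return the capability keywords advertised in a multi-line EHLO reply."""
    lines = reply.decode("ascii", "replace").splitlines()
    caps = set()
    for line in lines[1:]:                # first line is the greeting, not a capability
        if line.startswith("250") and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def cipher_has_forward_secrecy(cipher_name: str, tls_version: str) -> bool:
    """True if the session key came from an ephemeral (EC)DHE exchange.

    Names are OpenSSL-style, as returned by ssl.SSLSocket.cipher(). Every TLS 1.3
    suite uses an ephemeral key exchange; in TLS 1.2 only the (EC)DHE suites do,
    and a static-RSA suite such as AES128-GCM-SHA256 lets anyone who later
    obtains the server's private key decrypt recorded traffic.
    """
    if tls_version == "TLSv1.3":
        return True
    return cipher_name.upper().startswith(("ECDHE-", "DHE-"))


def make_strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings for the sender: verify the chain, check the hostname, PFS only."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 to ephemeral key exchange so every session key is unique.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Sanity check used by callers: chain verification and hostname check both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_strict(host: str, port: int = 25, timeout: float = 10.0):
    """Open SMTP to `host`, insist on STARTTLS, return (session, cipher, version).

    Raises instead of falling back to plaintext: RuntimeError if STARTTLS is not
    advertised or the negotiated suite lacks forward secrecy,
    ssl.SSLCertVerificationError if the certificate does not chain to a trusted
    root or does not name `host`.
    """
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.quit()
        raise RuntimeError(f"{host}:{port} does not advertise STARTTLS; refusing plaintext delivery")
    smtp.starttls(context=make_strict_context())   # verifies cert against `host`
    smtp.ehlo()                                     # capabilities must be re-read after the upgrade
    name, version, _bits = smtp.sock.cipher()
    if not cipher_has_forward_secrecy(name, version):
        smtp.quit()
        raise RuntimeError(f"negotiated {name} without forward secrecy")
    return smtp, name, version


if __name__ == "__main__":
    import sys
    session, cipher, version = connect_strict(sys.argv[1] if len(sys.argv) > 1 else "mx.example.net")
    print(f"{version} {cipher}")
    session.quit()
```

Run it with a mail host as the argument to see the negotiated protocol and cipher. An attacker who strips the 250-STARTTLS line from the plaintext reply, or who presents a certificate for the wrong name, now produces an error instead of a silently unencrypted delivery. Most mail servers default to opportunistic STARTTLS, which tolerates both of those failures, so this strictness is a per-destination policy decision rather than a drop-in default.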

A Facebook spokesman told CNET that the company is working on getting the other 5 percent of webmail providers to use encryption. "All major providers we've talked to are either using STARTTLS or are actively working on deploying it," he said.

A Microsoft representative noted during a previous interview that webmail encryption efforts are tricky because of the two-way-street situation involving sender and recipient.

Visit link:
Facebook reports enormous uptick in use of snoop-proof email

This Android Shield Could Encrypt Apps So Invisibly You Forget It’s There

In the post-Snowden era, everyone wants to make encryption easier. Now, one group of researchers has created a tool intended to make it invisible.

A team from Georgia Tech has designed software that acts as an overlay on Android smartphone communication apps, like Gmail or WhatsApp, and mimics the apps' user interfaces. When users type, the text is encrypted automatically before being passed on to the application and transmitted over the internet. Likewise, the interface invisibly decrypts text received from other users of the software. The result, as the researchers describe it, is a transparent window over apps that prevents unencrypted messages from leaving the user's device, an invisible "communications condom" for your smartphone's secrets.

"The window acts as a proxy between the user and the app. But the beauty of it is that users feel like they're interacting with the original app without much, if any, change," says Wenke Lee, the Georgia Tech professor who led the developers. "Our goal is to make security that's as easy as air. You just breathe and don't even think about it."

The researchers call their prototype Mimesis Aegis, or M-Aegis, from the Greek words for "mimicry" and "shield." They plan to present their research at the Usenix Security conference this week.

For now, the Georgia Tech team is framing their work as pure academic research. But they also plan to release the software in some form this fall, although it initially will work only with email and chat services like Gmail, WhatsApp, and Facebook. Eventually, they hope to extend the app's abilities to photos and audio, so multiple functions of an Android phone can be effortlessly encrypted within popular apps users already have installed, without requiring them to adopt new encryption apps like TextSecure or Silent Circle.

Despite their ambition, the M-Aegis prototype is far from a universal smartphone encryption engine: it can only encrypt communications with other M-Aegis users, since both phones must generate encryption keys and exchange them before they can communicate in scrambled form. And the system only works with Android; Apple is more restrictive in controlling how the user interfaces of its iOS apps can be altered.

Aside from those limitations, the researchers claim in their Usenix paper that a lock icon added to encrypted messages will be virtually the only sign that users aren't directly accessing an unaltered app. They tested M-Aegis with real emails, using samples taken from the Enron investigation in the early 2000s, and found it took less than a tenth of a second to decrypt even the longest emails on an LG Nexus 4, and at most around one-fifth of a second to encrypt them. They were even able to replicate the search function of the Android Gmail client, thanks to their own encryption scheme, called easily-deployable efficiently-searchable symmetric encryption, or EDESE, which allows search over encrypted messages with negligible slowdown.

Despite those impressive crypto claims, early users should be wary of the security of M-Aegis's untested prototype. The Georgia Tech researchers say that for now they don't plan an open source release of the software, which may prevent the security community from identifying flaws in its privacy protections.

Maintaining the software could also turn out to be cumbersome: given that the program is designed to exactly mimic the apps it's overlaid on, every update to a communications app's interface could require a change to M-Aegis. The researchers won't yet say how they plan to support the app, through their own volunteer labor or by spinning the technology out into a non-profit project or startup. But Lee downplays the difficulty of keeping up with the apps whose communications M-Aegis encrypts. "If an update to an app is just to make it look prettier or move things around, that doesn't affect us at all," he says.

For now, Lee admits, the process does require manually assessing new apps and updates to maintain M-Aegis's mimicry of the underlying programs. But eventually, he hopes to automate the analysis of new applications so that they can be pulled under M-Aegis's protective shield with minimal human effort. The goal, he says, is a future where privacy-conscious users don't need to give up mainstream cloud-based services, but where, thanks to invisible encryption strapped onto the apps' surfaces, the apps are nonetheless prevented from ever accessing raw data that could be vulnerable to hackers or intelligence agencies.
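The overlay-and-search design described above, as an added example that is not the Georgia Tech code and does not implement their EDESE scheme: the app is handed only an opaque envelope, the receiving overlay verifies and decrypts it, and search runs over an HMAC-based keyword index attached to each envelope. The SHIELD: envelope format, the fixed demo keys (assumed already exchanged between the two phones) and the sample messages are constructed for illustration. The HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag is written out so the example runs on the Python standard library alone; real software would use AES-GCM from a vetted library. Note the leak that such a searchable index accepts: tokens are deterministic, so whoever stores the envelopes can see which messages share a keyword without learning the keyword itself.

```python
"""Added example: transparent encrypt-before-the-app layer with keyword search.

Not the Georgia Tech code and not their EDESE scheme. The keys are fixed demo
values (assumed already exchanged between the two phones); the SHIELD: envelope
format is invented for this example.
"""
import hashlib
import hmac
import json
import os
import re

ENC_KEY = hashlib.sha256(b"constructed demo encryption key").digest()
MAC_KEY = hashlib.sha256(b"constructed demo authentication key").digest()
IDX_KEY = hashlib.sha256(b"constructed demo search-index key").digest()
PREFIX = "SHIELD:"


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; an illustrative stand-in for AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _keyword_token(word: str) -> str:
    """Deterministic token per keyword: the app can match tokens, not read words."""
    return hmac.new(IDX_KEY, word.lower().encode(), hashlib.sha256).hexdigest()[:16]


def shield_send(plaintext: str) -> str:
    """What the overlay hands to the underlying app in place of the typed text."""
    nonce = os.urandom(12)
    body = plaintext.encode()
    ciphertext = bytes(p ^ k for p, k in zip(body, _keystream(nonce, len(body))))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    tokens = sorted({_keyword_token(w) for w in re.findall(r"[A-Za-z0-9']+", plaintext)})
    envelope = {"v": 1, "n": nonce.hex(), "c": ciphertext.hex(), "t": tag.hex(), "k": tokens}
    return PREFIX + json.dumps(envelope, separators=(",", ":"))


def shield_receive(envelope: str) -> str:
    """Verify the tag before decrypting; raises ValueError on tampering."""
    if not envelope.startswith(PREFIX):
        raise ValueError("not a shield envelope")
    env = json.loads(envelope[len(PREFIX):])
    nonce, ciphertext, tag = (bytes.fromhex(env[f]) for f in ("n", "c", "t"))
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(nonce, len(ciphertext)))).decode()


def search(envelopes: list[str], query: str) -> list[int]:
    """Indices of messages containing `query`, computed without decrypting any of them."""
    token = _keyword_token(query)
    return [i for i, e in enumerate(envelopes) if token in json.loads(e[len(PREFIX):])["k"]]


if __name__ == "__main__":
    sent = [shield_send(m) for m in ("Meeting moved to Thursday", "Lunch on Friday?")]
    print(sent[0])                      # the underlying app only ever sees this
    print(shield_receive(sent[0]))
    print(search(sent, "thursday"))
```

Because the tag is checked before any decryption, a message altered in transit or by the app itself is rejected rather than displayed, and because the index is built on the sending side, the Gmail-style search in the overlay never needs the plaintext to leave the device.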

See the rest here:
This Android Shield Could Encrypt Apps So Invisibly You Forget It’s There

Software engineer fights back against poor internet security

Personal information at risk: A new blog is shaming websites and apps that do not use encryption. Photo: Reuters

The web is fighting back against websites and apps that do not use encryption.

Such services are considered to have good security when they implement a technology known as Transport Layer Security (TLS), or its predecessor Secure Sockets Layer (SSL), which encrypts traffic between an end user and the site. Google, Twitter, Facebook and banks are good examples of this practice.

But many apps and sites implement it incorrectly or do not use it at all, leaving personal information at risk of being seen over unsecured connections, like public Wi-Fi. In such cases, a hacker using "sniffing" tools is able to snoop on the traffic, steal personal information and use it to hack into your online accounts.

Enter HTTP Shaming, a Tumblr blog launched at the weekend that is naming and shaming websites and apps that are not doing the right thing by their users.

Created by US software engineer Tony Webster, the site already lists a number of popular websites and apps that are not doing encryption properly, including Tripit, Scribd and Meetup.

Mr Webster is hoping that highlighting poor security in services will result in their owners implementing better security. The engineer is also taking submissions for the blog from members of the public.

"When that traffic goes over an open Wi-Fi network, it's not encrypted unless the website or app is using SSL," Mr Webster said. SSL is signalled by the "s" in https before a web address and is typically accompanied by a padlock icon in the browser, but no such symbol is shown in apps on smartphones.

"Anyone with network sniffing software can intercept traffic on open wireless networks and, if passwords and personal information is being sent, that attacker now has a lot of ... information that could be used to cause a lot of problems," Mr Webster said.

At the end of the day, he said it was "so easy" to implement encryption that web services should be doing it for the privacy of their users.
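What Webster's sniffing scenario looks like from the auditor's side, as an added example not connected to HTTP Shaming or its author: a small Python script that walks a traffic capture and reports every credential, cookie or token that left the device without TLS. The capture is constructed (one cleartext login, one API call with a bearer token and cookie, a static image, and an opaque TLS record); the parsing is minimal HTTP/1.x, and the lists of sensitive header and field names are assumptions to extend for your own app.

```python
"""Audit a traffic capture for secrets sent without TLS (added example)."""
from urllib.parse import parse_qs

# Assumed lists; extend them with the header and field names your own app uses.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "x-auth-token"}
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "access_token", "api_key", "apikey", "session"}

# Constructed capture: (destination port, raw bytes) as a passive sniffer on open
# Wi-Fi would record them. The port 443 entry is an opaque TLS record; the port
# 80 entries are fully readable HTTP.
SAMPLE_CAPTURE = [
    (80, b"POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
         b"username=alice&password=hunter2"),
    (80, b"GET /api/trips?access_token=abc123 HTTP/1.1\r\nHost: app.example.com\r\n"
         b"Authorization: Bearer abc123\r\nCookie: sid=9f1c2e\r\n\r\n"),
    (80, b"GET /static/logo.png HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),   # TLS ClientHello fragment
]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def find_plaintext_secrets(port: int, raw: bytes) -> list[str]:
    """Findings for one captured request; empty for TLS traffic or harmless requests."""
    if port == 443 or not raw.startswith((b"GET ", b"POST ", b"PUT ", b"DELETE ", b"PATCH ")):
        return []      # TLS: the sniffer sees ciphertext and, at most, the server name in SNI
    method, target, headers, body = parse_request(raw)
    url = f"http://{headers.get('host', '?')}{target.partition('?')[0]}"
    findings = [f"{method} {url}: header '{h}' sent in clear"
                for h in sorted(SENSITIVE_HEADERS.intersection(headers))]
    query = target.partition("?")[2]
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    for where, encoded in (("query string", query), ("form body", body if is_form else "")):
        for field in parse_qs(encoded, keep_blank_values=True):
            if field.lower() in SENSITIVE_FIELDS:
                findings.append(f"{method} {url}: {where} field '{field}' sent in clear")
    return findings


def audit_capture(capture) -> list[str]:
    """Run every captured request through the check and collect the findings."""
    report = []
    for port, raw in capture:
        report.extend(find_plaintext_secrets(port, raw))
    return report


if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

On the constructed capture this reports the login password, the bearer token in the query string, and the Authorization and Cookie headers, which is exactly what an attacker on the same open network would harvest; the image request and the TLS record produce nothing. The same function applied to a capture from your own app is a cheap pre-release check that everything sensitive really does travel over https.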

Link:
Software engineer fights back against poor internet security

Is your encryption getting out of control?

2014 marks the 25th anniversary of the creation of the World Wide Web. From its earliest beginnings, users have demanded security for their sensitive information and web sites have universally responded by supporting encryption protocols such as SSL/TLS to encrypt data as it moved across the wires.

Since those early days, encryption has come a long way. Its use is no longer limited to the company's web site. With data privacy legislation, data breach disclosure laws, organized crime and, more recently, concerns over state-sponsored cyber-attacks and government surveillance, the use of encryption has become pervasive, a last line of defence: if the data is encrypted, who cares if it gets stolen?

Respected media outlets have referred to 2014 as the year of encryption. That sort of prediction raises concerns even for people who have been working with encryption technologies for years; those in the banking sector and governments know what the implications are, but for the rest of us this is a step into the unknown.

The rise of encryption technology is now proliferating within many organizations at a prodigious rate. Encryption is deployed in the cloud and on premise; for protecting data at rest, data in motion and data in use; in databases, on memory sticks, in email, in storage networks; the list goes on.

The trouble is that in almost all cases these encryption deployments will rely on point solutions which, although they might use familiar sounding encryption algorithms (AES, RSA etc.), are far from compatible, creating security pockets that are tied to individual applications or elements of IT infrastructure. Inevitably, at an enterprise-wide level, organizations will suffer from fragmentation and inconsistency, or encryption sprawl.

Encryption sprawl can be a major headache for any organization. Sprawl drives up the costs of managing the myriad of encryption devices, increases the risk of error, makes compliance and forensics more painful and limits flexibility, all at a time when resources are under pressure to do more with less.

So just how can an organization prevent encryption sprawl? Here are three top tips:

Understand your environment - discovery, consistency, certification

Even if encryption sprawl in your organization is unavoidable, at least focus on consistency and quality. Keep a record of where encryption is being used, define an internal set of approved algorithms and key lengths (NIST SP 800-131A is a good start) and avoid proprietary algorithms completely. Where possible, select products that have a formal security certification, where the implementation has been independently validated (the FIPS 140 validation program is the most widely recognized).

And finally, make sure that these disparate encryption systems are kept up to date and patched correctly. The recent Heartbleed vulnerability in OpenSSL illustrates this need very well. Taking these measures won't do much to address the inefficiency of sprawl, but they will at least help you know where you stand, avoid basic vulnerabilities and prepare you for the next step.
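As an added example of the discovery, consistency, certification and patching steps above (not from the original article): a Python script that checks a constructed encryption inventory against an assumed internal policy and flags unapproved or proprietary algorithms, short keys, unapproved hashes, missing FIPS 140 validation and Heartbleed-affected OpenSSL builds. The policy values are placeholders to be populated from the SP 800-131A revision your organization adopts; the inventory entries and system names are made up.

```python
"""Check an encryption inventory against an approved-algorithm policy (added example)."""
import re

# Assumed internal policy. Populate it from the NIST SP 800-131A revision your
# organization adopts; the values here are placeholders, not a transcription.
APPROVED_CIPHERS = {"AES"}
APPROVED_HASHES = {"SHA-256", "SHA-384", "SHA-512"}
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256, "AES": 128}

# Constructed inventory: the "discovery" record the article recommends keeping.
INVENTORY = [
    {"system": "web-frontend", "use": "TLS", "algorithm": "RSA", "bits": 2048,
     "hash": "SHA-256", "library": "OpenSSL 1.0.1e", "fips140": False, "proprietary": False},
    {"system": "db-backup", "use": "at rest", "algorithm": "AES", "bits": 256,
     "hash": None, "library": "vendor HSM 3.1", "fips140": True, "proprietary": False},
    {"system": "legacy-vpn", "use": "IPsec", "algorithm": "3DES", "bits": 112,
     "hash": "SHA-1", "library": "OpenSSL 0.9.8y", "fips140": False, "proprietary": False},
    {"system": "doc-signing", "use": "signatures", "algorithm": "RSA", "bits": 1024,
     "hash": "SHA-1", "library": "OpenSSL 1.0.1g", "fips140": False, "proprietary": False},
    {"system": "mobile-app", "use": "in transit", "algorithm": "VendorCrypt", "bits": 128,
     "hash": None, "library": "libvendorcrypt 2.0", "fips140": False, "proprietary": True},
]


def heartbleed_affected(library: str) -> bool:
    """OpenSSL 1.0.1 through 1.0.1f carry CVE-2014-0160; 1.0.1g and later do not."""
    m = re.search(r"OpenSSL 1\.0\.1([a-z]?)\b", library)
    return bool(m) and m.group(1) <= "f"


def check_entry(entry: dict) -> list[str]:
    """All policy violations for one inventory record, in plain language."""
    issues = []
    alg, bits = entry["algorithm"], entry["bits"]
    if entry["proprietary"]:
        issues.append(f"proprietary algorithm {alg}; replace with a published, reviewed one")
    elif alg not in APPROVED_CIPHERS and alg not in MIN_KEY_BITS:
        issues.append(f"{alg} is not on the approved list")
    if alg in MIN_KEY_BITS and bits < MIN_KEY_BITS[alg]:
        issues.append(f"{alg}-{bits} is below the {MIN_KEY_BITS[alg]}-bit minimum")
    if entry["hash"] and entry["hash"] not in APPROVED_HASHES:
        issues.append(f"hash {entry['hash']} is not approved")
    if heartbleed_affected(entry["library"]):
        issues.append(f"{entry['library']} is vulnerable to Heartbleed (CVE-2014-0160); "
                      "patch to 1.0.1g or later")
    if not entry["fips140"]:
        issues.append("no FIPS 140 validation on record; prefer a validated product where available")
    return issues


def audit_inventory(inventory) -> dict:
    """Map each system name to its list of issues (empty list means compliant)."""
    return {entry["system"]: check_entry(entry) for entry in inventory}


if __name__ == "__main__":
    for system, issues in audit_inventory(INVENTORY).items():
        print(f"{system}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The output is a per-system list that doubles as the patch and migration backlog: the web front end needs the OpenSSL update, the signing service needs a longer key and a SHA-2 hash, the VPN needs a cipher on the approved list, and the mobile app needs its vendor algorithm replaced. Keeping the inventory current is the part no script can do for you.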

Original post:
Is your encryption getting out of control?

Yahoo, Google Team Up to Fight Email Snoops

By John P. Mello Jr. 08/13/14 6:20 AM PT

Yahoo and Google last week announced they'd be teaming up to secure their Web mail systems with encryption by the end of next year.

"Our goal is to make end-to-end encryption fully available in 2015," Yahoo Vice President of Information Security Alex Stamos said at the Black Hat hackers' conference in Las Vegas.

"Our team is working closely with Google to ensure that our implementations of end-to-end encryption are compatible," he continued. "What this means is that eventually, not only will Yahoo Mail users be able to communicate in an encrypted manner with other Yahoo Mail users, but also with Gmail users and eventually with other email systems that adopt similar methodologies."

Adopting similar methodologies should be easier for those other email systems because Yahoo will be releasing the code for its encryption solution to the open source community.

"We will release source code this fall so that the open source community can help us refine the experience and hunt for bugs," Stamos said.

Opening the code to many eyes means even the NSA, which has been known to sit on software flaws so it can exploit them in the future for its own self-interest, can look at it.

That's a risk worth taking, according to Phil Zimmermann, creator of PGP, or Pretty Good Privacy, the encryption method to be used by Yahoo and Google.

"The benefits of having everyone else look at it far outweigh the problem of having the NSA look at it," he told the E-Commerce Times.

The encryption scheme for Yahoo Mail and Gmail will prevent intermediaries, including Yahoo and other mail providers, from being able to discover or tamper with the content of an email, Stamos explained. It does not hide the envelope: PGP encrypts only the message body, so sender, recipient, subject line and timestamps remain visible to the providers.

See more here:
Yahoo, Google Team Up to Fight Email Snoops

Rivals Yahoo And Google In Joint Email Encryption Venture

August 12, 2014

Eric Hopton for redOrbit.com Your Universe Online

Two tech-world giants, Yahoo and Google, have put rivalry aside in an attempt to introduce a new joint email encryption system. With over 600 million unique email users between them, the two companies have a huge share of the global market, and the ability to offer enhanced encryption will help cement their positions as leaders in the field. They are planning to have the new system up and running by next year.

Email encryption has become a burning issue in the wake of the Edward Snowden affair and the controversies surrounding his leaking of National Security Agency secrets in 2013. The Snowden revelations sparked a big increase in public demands for more secure email provisions.

For the new system to be successful it will need to offer greatly improved security and be user-friendly without the normal complexity and clumsiness of current encryption methods. Google and Yahoo believe they have the answer. The new tool will be an optional add-on with users able to turn it on and off at will.

As Stephanie Mlot of UK's PCMag reports, the announcement of the joint venture was made by Yahoo's Chief Information Security Officer Alex Stamos at this year's Black Hat security conference held in Las Vegas.

In the post-Snowden world, Google has already beefed up its email security with new measures to enhance protection. Earlier this year the company announced that Gmail would use an encrypted HTTPS connection for all mail, replacing the less secure HTTP. HTTPS had always been available as an option and was turned on for everyone in 2010, but users could still switch it off; that option was removed in March. Google said that improvements to HTTPS had overcome the initial objection that it was slower than HTTP. The company followed this up with the launch of a trial of its End-to-End encryption browser extension. When End-to-End is up and running it will provide the option of an extra level of security for highly sensitive messages.

As Danny Yadron writes in his Wall Street Journal blog, the proposed Google/Yahoo tool will use existing Pretty Good Privacy (PGP) technology. Traditional email services depend on web companies holding users' passwords and other security and identification data on their own servers. PGP, however, relies on each user holding their own private key, stored on their laptops, tablets and smartphones, so the provider never has the means to decrypt the message.

There are important legal implications for the PGP option. In the past, US courts have been able to force webmail companies into handing over their encryption keys, most notably in the case of Lavabit, Snowden's own email provider at the time of his leaks.

Yadron points out that the new encryption method promised by Google and Yahoo would enable them to argue that they don't have the keys for their encryption service. If that looks like it's leading to the next government-versus-internet-industry battle, then it seems that Yahoo at least is up for the fight. As Stamos puts it, Yahoo is "a publicly traded multibillion dollar company with an army of lawyers who would love to take this argument all the way to the Supreme Court."

Original post:
Rivals Yahoo And Google In Joint Email Encryption Venture

How Yahoo email encryption could help your business

If Yahoo gets it right, then the end-to-end email encryption the Internet company is promising would be a big help to companies concerned with privacy in the use of webmail, experts say.

Alex Stamos, chief information security officer for Yahoo, announced last week at Black Hat that the company was developing a browser plug-in for encrypting messages sent from Yahoo Mail.

The company planned to release the plug-in next year.

Stamos demonstrated the plug-in, which was "pretty clunky," Cameron Camp, a security researcher at anti-virus vendor ESET who attended the demo, said. However, the early-stage technology was expected to be much better by the time it's released.

The goal is to make end-to-end encryption (E2EE) easy enough that any company employee or consumer can send email over the Web that remains indecipherable until the recipient decrypts it.

Deploying that level of secrecy today is difficult and is not user friendly, which hampers adoption by all but the most security conscious organizations.

"It's really hard to do," Camp said of E2EE. "Their (Yahoo's) goal is to make it easy enough, so anyone can do it."

Based on the demonstration, a person who wants to send an encrypted message would compose it through the plug-in, as opposed to on the regular Yahoo Mail interface.

See the original post here:
How Yahoo email encryption could help your business