Google giving higher search value to websites that use encryption

MOUNTAIN VIEW, Calif. One of the world's most powerful Internet companies is using its leverage to prod other websites into adopting a key safeguard against malicious hackers who try to steal Internet users' passwords or eavesdrop on their online activity.

Google said its popular Internet search engine will start assigning a higher priority to websites that use a kind of encryption known as HTTPS, in a move that was welcomed by experts who say it's a significant step toward increasing security and privacy on the Web.

"I don't expect the Internet to change overnight, but over the next few months and years, more and more websites will see this as something they must do," said Kevin Mahaffey, chief technology officer at Lookout, which makes security programs for mobile devices.

The move comes just days after a disturbing report that a Russian hacker gang has amassed a stockpile of 1.2 billion Web users' names and passwords from around the world. Experts say HTTPS encryption might not have blocked the methods used by that group, but it can foil other common techniques that hackers use to gather sensitive personal and financial information.

Anyone who uses an unsecured Wi-Fi hot spot in a coffee shop, shopping mall or other public place can be vulnerable to malicious snooping, said Dwayne Melancon, chief technology officer for the computer security company Tripwire. But outsiders generally can't read information that a person sends to or receives from a website that's encrypted, as indicated by an Internet address that starts with the letters HTTPS.

Google has spent tens of millions of dollars to beef up the security of its own online services in recent years. It has also pushed for broader use of encryption industrywide, both to guard against tech-savvy criminals and, after last year's revelations about controversial National Security Agency spying, to curtail snooping by government agencies.

In a blog post last week, the company said it hopes to encourage HTTPS encryption by using it as a "ranking signal," or one of many factors the company uses in deciding which websites to show more prominently when it displays search results.

"For now, it's only a very lightweight signal," the company added. "But over time, we may decide to strengthen it."

Strengthening the signal, or giving more weight to sites that use encryption, means those sites may appear higher in Google's search results. That can make a huge difference in how many people visit a site, as many Web operators and online businesses have learned over the years.

"It will tend to drive people to sites that are being more responsible in how they interact with users," said Melancon. "I think it's a great idea."


Study finds firmware plagued by poor encryption and backdoors

The first large-scale analysis of a fundamental type of software known as firmware has revealed poor security practices that could present opportunities for hackers probing the Internet of Things.

Firmware is a type of software that manages interactions between higher-level software and the underlying hardware, though it can sometimes be the only software on a device. It's found on all kinds of computer hardware, though the study focused on embedded systems such as printers, routers and security cameras.

Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin.

They found a variety of security issues, including poorly protected encryption mechanisms and backdoors that could allow access to devices. More than 123 products contained some of the 38 vulnerabilities they found, which they reported privately to vendors.

They're due to present their research next week at the 23rd Usenix Security Symposium in San Diego.

Most of the firmware they analyzed is in consumer devices, a competitive arena where companies often release products quickly to stay ahead of rivals, said Aurélien Francillon, a coauthor of the study and an assistant professor in the networking and security department at Eurecom.

"You have to be first and cheap," Francillon said in a phone interview. "All of those things are what you should not do if you want a secure device."

Firmware security practices lag far behind those of the PC software market, where vendors like Microsoft learned the hard way that they need to patch software automatically on a regular, frequent schedule.

That's often not the case with firmware, which may not be designed to patch itself periodically and also relies heavily on third-party software that may not be current. In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image.

"On these devices, it's a real nightmare," Francillon said.


Yahoo to implement end-to-end email encryption some time in 2015

Yahoo's Chief Information Security Officer Alex Stamos told Black Hat attendees last week that the company would be rolling out end-to-end encryption for email some time in 2015. The search company is taking an approach similar to Google's to enhancing the security of communications, even down to the detail of using OpenPGP.

The news was tweeted from the conference by Yan Zhu, a former employee of the Electronic Frontier Foundation known for working on Privacy Badger, who was one of the first hires by Yahoo for its privacy engineering team. The Yahoo encryption appears not only to be similar to what Google is planning with its Chrome extension, but a fork of the project.

It appears that Yahoo will be requesting the aid of the community to help improve the service later on, as Stamos stated that the code will be released in the fall. The goal is to have security-minded users help improve the experience as well as locate bugs. A Yahoo spokeswoman told CNet that no other providers were on board so far, but because of the open nature of the project Yahoo hopes others will adopt it.

Yahoo announced last year that it would be encrypting all transmissions through data center links as a way to prevent information from being accessed by outside parties, including government agencies like the National Security Agency. The company also stated that it would put 2048-bit SSL encryption into place for Yahoo Mail users by January this year, but later added it would extend to all Yahoo products.

By adding Yahoo to the likes of Google, the movement for the use of encryption by everyday users could gain more traction. For many, end-to-end encryption through Pretty Good Privacy (PGP) can be considered too complex to use. However, those complications stem from poor usability and a lack of proper education. At a time when some companies are struggling to implement any form of mail encryption in transit, the move by Yahoo is a welcome one.

By Electronista Staff


Father of PGP encryption: Telcos need to get out of bed with governments

Sean Gallagher

LAS VEGAS -- Phil Zimmermann, the creator of Pretty Good Privacy public-key encryption, has some experience when it comes to the politics of crypto. During the crypto wars of the 1990s, Zimmermann fought to convince the US government to stop classifying PGP as a munition and to shut down the Clipper Chip program, an effort to create a government-mandated encryption processor that would have given the NSA a back door into all encrypted electronic communication. Now Zimmermann and the company he co-founded are working to convince telecommunications companies, mostly overseas, that it's time to end their nearly century-long cozy relationship with governments.

Zimmermann compared telephone companies' thinking with the long-held belief that tomatoes were toxic until it was demonstrated they weren't. "For a long time, for a hundred years, phone companies around the world have created a culture around themselves that is very cooperative with governments in invading people's privacy. And these phone companies tend to think that there's no other way -- that they can't break from this culture, that the tomatoes are poisonous," he said.

Back in 2005, Zimmermann, Alan Johnston, and Jon Callas began work on an encryption protocol for voice over IP (VoIP) phone calls, dubbed ZRTP, as part of his Zfone project. In 2011, ZRTP became an Internet Engineering Task Force RFC, and it has been published as open source under a BSD license. It's also the basis of the voice service for Silent Circle, the end-to-end encrypted voice service Zimmermann co-founded with former Navy SEAL Mark Janke. Silent Circle, which Ars tested on the Blackphone in June, is a ZRTP-based voice and ephemeral messaging service that generates session-specific keys between users to encrypt from end to end. The call is tunneled over a Transport Layer Security-encrypted connection through Silent Circle's servers in Canada and Switzerland. ZRTP and the Silent Circle calls don't rely on PGP or any other public key infrastructure, so there are no keys to hand over under a FISA order or law enforcement warrant.

Now, thanks largely to the revelations of NSA and GCHQ monitoring of telecommunications triggered by documents leaked by Edward Snowden, there's a growing market demand for call privacy, and telecom companies, especially in Europe, have become more receptive to the idea of giving customers the power to protect their privacy. In February, Dutch telecommunications carrier KPN signed a deal to be the exclusive provider of Silent Circle's encrypted voice call service in the Netherlands, Belgium, and Germany. The company started offering Silent Circle services to customers this summer.

That move was driven, Zimmermann said, by KPN's chief information security officer, Jaya Baloo. "She decided she wanted to break ranks from the rest of the phone companies and get KPN to offer their customers privacy," Zimmermann said. "So for the first time, you see a phone company offer real privacy. My hope is that other phone companies will find the tomatoes are not poisonous."

Thanks in part to Janke's connections, the service has been adopted by the Navy SEALs -- not just for calling home, but for operational communications -- as well as by Canadian, British, and Australian special operations forces, members of the US Congress and US law enforcement. "About a year ago we had a visit from the FBI in our office," Zimmermann said. "Mike Janke called and told, 'The FBI was in our office today,' and I said, 'Oh no, it's started already.' And he said, 'No, no, they were just here to ask about pricing.'"

All of this plays into Zimmermann's strategy to keep government agencies from pressing for backdoors into Silent Circle's service. "I thought what we need is, we needed to create the conditions where nobody was going to lean on us for backdoors because they need it themselves. If Navy SEALs are using this, if our own government develops a dependency on it, then they'll recognize that it would be counter-productive for them to get a backdoor in our product. Now maybe it was an overabundance of caution, because they never asked for a backdoor in PGP, but that took years to get that propagated into government customers. We saw government customers take this up almost as soon as the product was ready -- in fact before the product was ready they were asking about it. So we've created a situation where it's difficult for them to even bring up the suggestion of a backdoor."

That's not to say that everything has gone smoothly. Zimmermann's company had to abandon its secure email service in the wake of the shutdown of LavaBit. "We wiped out our entire secure email service -- backups, and everything," Zimmermann told the Def Con audience. "Some of our customers were pissed off, but for the most part they understood we were protecting their privacy."

Doing business with US government customers generally requires the use of National Institute of Standards and Technology (NIST) standards for encryption. But by default, Zimmermann said, Silent Circle uses an alternative set of encryption tools.


Yahoo Mail to support end-to-end PGP encryption by 2015

Yahoo is following in the footsteps of Google and plans to implement end-to-end encryption into Yahoo Mail by 2015. Like Google, Yahoo plans to use the OpenPGP encryption standard to encrypt messages. OpenPGP, which is the gold standard for email encryption, uses a public-private keypair scheme to protect user messages.

To get the encryption done, Yahoo will use a modified version of Google's alpha stage End-to-End Chrome extension. But Yahoo's version will be designed to work with the Yahoo Mail interface instead of Gmail.

Yahoo also plans on making encryption a native part of the Yahoo Mail mobile apps, according to a tweet by Alex Stamos, Yahoo's chief information security officer. Stamos announced Yahoo's email encryption plans during Black Hat USA, a security conference that ended on Thursday.


As part of the encryption effort, Yahoo will create a new privacy engineering team to work on the project. The team's first hire was Yan Zhu, a staff technologist for the Electronic Frontier Foundation who worked on projects such as the HTTPS Everywhere and Privacy Badger add-ons. Zhu was also the person who recently discovered a security flaw in WordPress login cookies.

The news that yet another major webmail service wants to build encryption tools into its product is encouraging. But it's not clear how many people will actually want to use the new option.

Encryption and privacy are top of mind for many as the revelations from Edward Snowden and other whistleblowers continue to roll out, but both Google and Yahoo must still make encryption dead simple to use.

On top of that is the issue of key management. How will Yahoo help users with managing their keys while at the same time preventing the company from having access to them?

If Yahoo sticks everyone's keys on a company server, for example, Yahoo could be compelled to hand them over to law enforcement. One way around this is to require users to manage their keys themselves, which isn't very realistic for a mass market service: if you lose your private key, it is impossible to read your encrypted emails.

Alternatively, the company could employ a scheme similar to services like LastPass, where user keys are stored on company servers but are encrypted on the user's PC before they arrive there. That way Yahoo would only be handing over encrypted blobs that law enforcement would have to attempt to crack.


These 3 Chrome extensions make encryption easier for everyone

Thanks to the fallout from the revelations about the U.S. government's surveillance tactics, people are starting to take interest in using encryption tools for keeping email, files, and instant messaging private. Just recently, Yahoo said it would build encryption into Yahoo Mail and Google is doing something similar with Gmail.

The problem is that encryption is usually a task that only power users can handle. Email encryption, for example, has typically required a desktop email client. But who doesn't use webmail these days? That's a problem that Google and Yahoo aim to change.

But they aren't the only ones. Lately, some easy-to-use encryption tools have popped up that are very well designed and don't require you to dramatically change your usage habits.

Here's a look at three of them.

All the tools below are Chrome extensions and apps, but are also available for other platforms and browsers as noted.

Also, keep in mind we're not suggesting that these tools can be used under dangerous situations such as political oppression or revolution. Scenarios like that are way beyond the scope of this article. For the average North American hoping to keep their data private from passive government snoops, private companies, co-workers, and others, these tools should work just fine.

The Cryptocat start screen.

Cryptocat is probably the encryption tool that is easiest to use right now. This is an instant messaging program created by Montreal-based programmer Nadim Kobeissi.

You can use Cryptocat to chat with just one person or a group of people. To get started, install Cryptocat from the Chrome Web Store and then open it either from the all apps tab in Chrome or the taskbar launcher in Windows--if it's installed.

A new tab will open in Chrome. Fill out the form with a conversation name and nickname of your choosing and press connect. You now have your own encrypted chat room. To get others to join your chat just give them the conversation name and have them follow the same steps to join. Cryptocat also works with Facebook chat.


Encryption Keeps Your Data Safe. Or Does It?

In the post-Snowden era, many people have come to believe that the only way to maintain privacy is through encrypting everything. (Well, as long as your encryption doesn't use the flawed RSA algorithm that gave the NSA a backdoor.) A fast-moving session at the Black Hat 2014 conference challenged the assumption that encryption equals safety. Thomas Ptacek, co-founder of Matasano Security, noted that "nobody who implements cryptography gets it completely right," and went on to demonstrate that fact in detail.

The Crypto Challenge

This session was based on Matasano's crypto challenge, described as "a staged learning exercise where participants implemented 48 different attacks against realistic cryptographic constructions." According to Ptacek, more than 10,000 people have participated in the challenge.

How did it start? "There are people that I end up arguing with on Twitter," said Ptacek. "I want to share crypto knowledge, but I don't want to arm those people with my jargon." That was the origin of the challenge. Matasano researchers created six sets of eight challenges. To complete a set, you must successfully implement all eight challenges using the programming language of your choice. After you successfully complete one set, they'll send you the next. "To get the jargon, you have to code," explained Ptacek.

Eighth Grade Math Required

You might expect that implementing and cracking various types of cryptography would require detailed knowledge of arcane mathematical disciplines. Ptacek listed five high-end topics, among them "fields, sets, and rings" and "Feistel and S-P network structure." He went on to explain that none of them are required. Most of the challenges require little more than high-school algebra and some knowledge of coding.

Those taking the challenge submitted their work in a dizzying variety of programming languages. Some even stepped outside the realm of programming altogether. One participant submitted a solution coded as a simple Excel spreadsheet. Another solved one of the challenges using PostScript.

"There's going to be a lot of detail in this talk, and we'll talk fast," said Ptacek. "You won't walk out of this knowing how to exploit RSA, but I can show you how straightforward it is. Just let the math wash over you like the poetry of insecurity." I like that!

To Err Is Human

The presentation went on to examine some specific and well-documented cryptographic blunders. One company solved the problem of encryption efficiency by setting an essential parameter to one, just one. Cryptocat, famously used by Edward Snowden, didn't go quite that far, but by tweaking code for efficiency the developers vastly reduced the resources required to crack encrypted messages. And yes, the Cryptocat algorithm was at its worst between May 2012 and June 2013.

After a point, the session did indeed get quite technical. I did almost manage to understand a clever technique the Matasano folks devised to break RSA-encrypted credit cards. It involved submitting carefully selected numbers to the encryption server as if they were encrypted data and noting the reaction. Each number that was accepted as valid brought them closer to decrypting the text, and also narrowed the range of numbers for the next attempt. The resulting demo was a classic movie-style version of cracking encryption, with plaintext letters appearing one by one as binary bytes scrolled past.

Will You Take the Challenge?

If you want to take the crypto challenge, send a note to cryptopals@matasano.com. Do note that the strict one-at-a-time rule for challenge sets has been suspended. You can now get all of the sets at once. In an announcement before the talk, Ptacek explained that "We're giving a talk about the challenges at Black Hat, and want our loyal cryptopals to see all the challenges before Black Hat ticketholders do." Going forward, the Matasano team plans a website devoted to the challenges, and even a book.


Yahoo to roll out end-to-end encryption option for all Yahoo Mail users in 2015

Yahoo will be rolling out end-to-end encryption capabilities for all Yahoo Mail users in 2015, the company's chief information security officer, Alex Stamos, announced during a talk at the Black Hat USA conference in Las Vegas Thursday.

Electronic Frontier Foundation technologist Yan Zhu, who worked on the HTTPS Everywhere and Privacy Badger browser add-ons and served as a core developer for the anonymous digital leaking tool SecureDrop, was announced as the first hire for the project.

Zhu says that over the past few years she has seen increased interest in accessible end-to-end encryption products, particularly from startups. But Yahoo's established user base could, she says, help make encrypting e-mail more mainstream. The company reports having more than a billion Yahoo Mail users.

"Yahoo Mail has a lot of users already using it," Zhu said in an interview with The Washington Post, "and mail is pretty sticky. It does take effort for people to change their mail service, so people would prefer to use their Yahoo Mail, or Gmail, or Hotmail with encryption rather than make a new account."

End-to-end encryption creates a sort of digital tunnel between the senders and receivers of e-mails -- helping to keep the prying eyes of everyone from governments to Internet service providers and mail providers themselves from seeing the content of messages. Most major mail providers already provide SSL encryption for webmail users -- Yahoo started the practice earlier this year, after revelations that its lack of the encryption gave the National Security Agency a greater ability to collect users' address books than it had with other major providers. But end-to-end encryption is more technically difficult for the average user to implement and hasn't seen as widespread adoption among major services.

Google released the first version of an extension for its Chrome browser that allows users to send end-to-end encrypted messages through Gmail in June. Stamos says Yahoo intends to offer end-to-end encryption to its Yahoo webmail users in a similar way. He added that the company is working with Google to make their implementation compatible with Gmail's.

Yahoo, Stamos said, is also working on building end-to-end encryption into the Yahoo Mail mobile app. He said he hopes that capability will be released in 2015, with the browser plugin for webmail targeted for release earlier that year.

Stamos says that Yahoo does not expect the move to encrypt e-mails end-to-end to have any impact on its ability to make money from mining information for advertising purposes.

"The kind of targeting that happens in e-mail servers does not usually happen against person-to-person e-mails," he says, instead coming from commercial marketing e-mails that he says users are unlikely to choose to be encrypted end-to-end.

Yahoo has historically been considered behind the curve when it came to security best practices, and the company hit a number of security and stability hiccups in the past year. But Yahoo seems to be taking a more rigorous approach to the issue since Stamos joined the company in the spring.
