A Simple Plan to Impede the NSA Is Taking Hold

More e-mail providers are encrypting messages in transit, making them harder for the NSA or hackers to intercept and read on the wire.

A year after revelations first emerged from former National Security Agency contractor Edward Snowden about mass Internet surveillance, more e-mail providers are adopting encryption, a simple change that could make it harder for spy agencies to vacuum up huge numbers of communications in transit.

In an analysis released this week, Google said 65 percent of the messages sent by Gmail users are encrypted when delivered, meaning the recipient's provider also supports the encryption needed to establish a secure connection for transmission of the message. (Establishing a secure channel requires both e-mail providers to support it: the sending server asks the receiving server to switch to TLS, and the two negotiate keys during that connection's handshake. Even if an e-mail provider tries to encrypt messages by default, messages will be sent in the clear to providers that do not support encryption.) Gmail has more than 425 million accounts worldwide and was an early adopter of e-mail encryption.

Only 50 percent of incoming messages are encrypted, Google says, but that's up from 27 percent on December 11, 2013. And the numbers could get even better as more providers offer encryption by default to their customers. Charlie Davis, a Comcast spokesman, says the Internet service provider is working on it and plans to gradually ramp up encryption with Gmail in the coming weeks.

There are still significant gaps: less than 1 percent of traffic between Gmail and Comcast or Verizon is currently encrypted, and fewer than half of e-mails from Hotmail accounts to Gmail are encrypted.

What's more, messages are protected only in transit; there's nothing to stop the NSA from reading them if it gains access to an e-mail provider's servers. Even here, though, the tide may be turning: on Tuesday Google released draft source code of a tool, called End-to-End, that would secure a message from the moment it leaves one browser to the moment it arrives at another, meaning even e-mail providers couldn't read messages as they travel between two people, because they wouldn't have the keys needed to decrypt them.

Stephen Farrell, a computer scientist at Trinity College in Dublin and a member of the Internet Engineering Task Force, the group of engineers who maintain and upgrade the Internet's protocols, says the Google data shows progress. "More e-mail is being encrypted between mail servers," he says. "One would hope that's a general, and good, trend."

Embarrassed by Snowden's revelations, many Silicon Valley giants are advertising increased use of encryption. Last month, Facebook reported that about 58 percent of the notification e-mails it sent out were encrypted from its systems to recipients' e-mail providers.


How to encrypt everything

Reuters

LOCK IT DOWN: It's time to get serious with your online security.

A year ago, heavy-duty encryption technology was something cybersecurity professionals, privacy nuts, and the odd investigative journalist cared about. Then the Snowden leaks happened. Suddenly, we were all acutely aware of how exposed our data is to the prying eyes of spies and hackers alike. But it doesn't have to be that way.

Thanks in part to Snowden, encryption has never been as easy as it is now. And to mark the anniversary of the leaks, a consortium of companies has banded together to make it even easier. Reset the Net - a day of action for privacy and freedom, backed by the likes of Google and Mozilla, as well as the Electronic Frontier Foundation (EFF) and Fight for the Future - offers instructions on how we can all avoid mass surveillance. But it also offers a Privacy Pack for the average user. It's simply a bundle of free software to help you encrypt your data and communications. You should download it right now.

Encryption doesn't require coding knowledge or maths skills, but it does demand some attention and care. The Privacy Pack is a great starting point, but if you want to cover all of your bases, there are a few more things you need to do. We've put together a little guide that includes details on the software in the Privacy Pack and a little bit extra. In case you're not quite sure what encryption is or how it works, EFF's Surveillance Self-Defence site is a great place to start.

ENCRYPT YOUR PHONE

The best place to start, of course, is with your phone. After all, this is what the NSA is probably most interested in. It's also probably the device you use most, so it's in your best interest to take extra good care of it.

Before going all trigger-happy on encryption apps, the first thing you should do is secure your lockscreen. Duh.

There are a whole host of fancy security options for Android, but if you've got an iPhone, the standard four-number passcode option isn't quite enough. All you need to do to make it more secure, though, is turn off Simple Passcode in Settings, which will allow you to assign a longer, alphanumeric passcode. Pro tip: Just use a longer string of numbers so you don't have to flip back and forth between keyboards when unlocking your phone.

Now about those apps. The main thing you want to encrypt is your communication data, and the Privacy Pack makes that very easy for Android users. Included in the bundle are TextSecure and RedPhone, two free apps made by Whisper Systems that let you send texts that are encrypted over the air and make phone calls with end-to-end encryption. Suitable free iPhone equivalents are TigerText for texting and CoverMe for phone calls. If you're willing to shell out some money for more options, check out Silent Circle's suite of mobile encryption software for both platforms for US$10 a month.


Google’s Chrome Gmail encryption extension hides NSA-jabbing Easter Egg

Google is famous for its Easter Eggs, including web pages that do barrel rolls or blink or hide video games, but rarely do Google's bits of fun take a political tone. Showing just how unhappy the company, or at least its engineers, are with the National Security Agency's surveillance activities, Google included a jab at America's spooks in a new Chrome browser extension.

End-to-end's code includes a jab at the NSA.

The code for Google's upcoming email encryption extension for Chrome, called End-to-End, includes the words "--SSL-added-and-removed-here-;-)".

That line's a quote from an October 2013 report detailing the NSA's efforts to tap into the internal network links of major companies such as Google and Yahoo.

The report, in the Washington Post, said that under a program known as MUSCULAR the NSA, in cooperation with Britain's GCHQ spy agency, was collecting massive amounts of data pulled from the internal links between Google and Yahoo data centers located outside the U.S.

The NSA was happily nabbing data from Google's servers. Image source: The Washington Post.

In a slide published by the Post, the NSA sketched a quick overview of how it obtains data from Google's servers. At the bottom of the drawing, the NSA wrote "SSL added and removed here! :-)." The NSA was capitalizing on the fact that Google, at the time, was stripping encryption from data as it flowed from the public Internet into Google's internal network.

When two Google engineers first saw the drawing they "exploded in profanity," according to the Post.

Nearly eight months later, Google is taking its revenge, or at least the company hopes it is.

Google's End-to-End extension promises to make it easier to use OpenPGP email encryption in the browser. Currently, the easiest option for email encryption is to use a mail client like Mozilla Thunderbird with the Enigmail add-on. A number of other non-Google tools aiming to make email encryption easier are also in development such as Mailvelope, Dark Mail, and Mailpile.


Six Clicks: Encryption for your webmail

It shouldn't have been any surprise at all, but Edward Snowden's leaks of NSA information have raised awareness of the fact that our data in public clouds, like Gmail, is not entirely private. The government can get a warrant for it and the cloud company can (make that "has to") give them access to all your data. Or they can spy on the internal communications of the cloud provider and not bother with the warrant.

So what can you do? For a very long time you've been able to use PGP (Pretty Good Privacy) and similar software to make encryption end-to-end, so that only you and the person with the right encryption key can see the contents. Everyone else sees only "ciphertext", which is crackable only with an inordinate amount of time and computing resources.

Yesterday Google announced a new development effort to make strong, end-to-end encryption in Gmail easier to use. It's called "End-To-End" and, for now, it's just an alpha-stage programming project. It's written as a Chrome extension that uses OpenPGP.js, an open source OpenPGP implementation written in JavaScript, to run the encryption/decryption on the local computer inside the browser.

PGP has always been the gold standard for privacy in email, but it is notorious for poor usability. The idea of End-To-End is that by implementing PGP inside Chrome, it can be made easier to use.

One big usability barrier for PGP is that it relies on a trust model called the "web of trust," illustrated here. Everyone has to trust people specifically and keep track of whom they trust and what their keys are, although they can make trust transitive by signing someone else's key: if Alice signs Bob's key, then anyone who trusts Alice to vouch for keys will treat Bob's key as valid.

If this sounds complicated, that's because it is. Can Google make it easy? If not, it may not matter.
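To make the "transitive trust" rule concrete, here is an added example (not code from the article, from Google's End-To-End, or from OpenPGP.js) that computes key validity from a constructed set of signatures and owner-trust assignments. It follows the classic GnuPG defaults, which the article does not spell out: a key becomes valid when it is certified by our own key, by one fully trusted valid key, or by three marginally trusted valid keys, and only signatures made by keys that are themselves valid count. All names and signatures below are made up.

```python
"""Toy web-of-trust validity computation (GnuPG-style rules).

Added example, not part of the article or of any PGP implementation.
owner_trust records how far we trust a person to certify *other* keys;
validity records whether we believe a key really belongs to its owner.
"""
from typing import Dict, Set

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


def compute_validity(signatures: Dict[str, Set[str]],
                     owner_trust: Dict[str, str]) -> Dict[str, int]:
    """Return {key_owner: certification depth} for every key judged valid.

    signatures[subject] is the set of people who signed subject's key.
    Because only signatures from *valid* keys count, validity can spread
    one hop at a time, so we iterate until nothing new becomes valid.
    """
    # Our own keys are valid by definition and sit at depth 0.
    valid: Dict[str, int] = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for subject, signers in signatures.items():
            if subject in valid:
                continue
            full_votes, marginal_votes, depths = 0, 0, []
            for signer in signers:
                # A signature from an invalid key, from a key we assign no
                # owner trust, or from too deep in the chain is worthless.
                if signer not in valid or valid[signer] >= MAX_CERT_DEPTH:
                    continue
                trust = owner_trust.get(signer, NONE)
                if trust in (ULTIMATE, FULL):
                    full_votes += 1
                elif trust == MARGINAL:
                    marginal_votes += 1
                else:
                    continue
                depths.append(valid[signer] + 1)
            if full_votes >= COMPLETES_NEEDED or marginal_votes >= MARGINALS_NEEDED:
                valid[subject] = min(depths)
                changed = True
    return valid


# Constructed keyring: who we trust to certify others (our own key is "me").
OWNER_TRUST = {"me": ULTIMATE, "alice": FULL,
               "carol": MARGINAL, "dave": MARGINAL, "erin": MARGINAL}

# Constructed signatures: subject -> set of signers.
SIGNATURES = {
    "alice": {"me"},                      # we checked Alice's ID and signed her key
    "bob": {"alice"},                     # Alice (full) signed Bob -> valid
    "carol": {"me"}, "dave": {"me"}, "erin": {"me"},
    "frank": {"carol", "dave", "erin"},   # three marginals -> valid
    "grace": {"carol", "dave"},           # only two marginals -> not valid
    "heidi": {"bob"},                     # Bob is valid but we gave him no owner trust
    "mallory": {"mallory"},               # self-signature alone proves nothing
}


def example_validity() -> Dict[str, int]:
    return compute_validity(SIGNATURES, OWNER_TRUST)


if __name__ == "__main__":
    for who, depth in sorted(example_validity().items()):
        print(f"{who:8s} valid (depth {depth})")
    for who in SIGNATURES:
        if who not in example_validity():
            print(f"{who:8s} NOT valid")
```

Note the two different notions the user has to manage: Bob's key is valid because Alice vouched for it, but Heidi's key is not, because validity of Bob's key says nothing about whether we trust Bob to check other people's identities. That distinction, plus the need to assign owner trust by hand, is most of what makes the model hard to use.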

(Image courtesy GnuTLS)


Encryption-Deprived Email Services Criticized By Search Giant Google

Peter Suciu for redOrbit.com Your Universe Online

Google Inc. called out rival email providers for not providing enough encryption. Apparently those rivals took notice and have started to address the issue. The tech giant's new Gmail data highlighted the rise of backbone email encryption, something that privacy advocates have said was a long time coming.

On Tuesday Google issued a transparency report noting that email should be protected as it travels across the Internet, yet in most cases it is not. It called out the fact that while most of us prefer that only the recipient read an email, prying eyes could see it as well, whether those of so-called bad actors or of government surveillance. One thing was clear: email is anything but truly private or personal.

Encrypting the emails could make a difference according to the search giant. Google compared encryption to sealed envelopes, while unencrypted emails were little more than postcards.

"Gmail has always supported encryption in transit by using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can," Brandon Long, tech lead for the Gmail Delivery Team at Google, wrote on the company's official blog this week. "The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can't do it alone."

"Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren't encrypted," Long added. "Many providers have turned on encryption, and others have said they're going to, which is great news. As they do, more and more emails will be shielded from snooping."

Google's Gmail service offers encryption from the browser by using HTTPS, something privacy advocates have long called for.

"For the past few years, EFF has been working on promoting the universal use of encryption for Internet protocols. We started by pushing major sites to switch from HTTP to HTTPS, and gave individual users ways to pull things along," Peter Eckersley of the Electronic Frontier Foundation wrote on the group's Deeplinks blog on Tuesday. "Last November, we launched our Encrypt the Web Scorecard, which in addition to Web encryption, added a second focus on securing SMTP email transmissions between mailservers."

Eckersley added that the EFF believed this to be a vital protection against non-targeted dragnet surveillance by the US and other governments.

In the months following the scorecard ratings, which called for support for STARTTLS email encryption, the EFF said, a number of major sites, including Yahoo, Twitter, LinkedIn and Facebook, deployed this form of backbone email encryption.
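The mechanism behind the figures in the first article and in Brandon Long's remark that "Gmail can't do it alone" is the SMTP STARTTLS extension: the sending server only encrypts if the receiving server advertises STARTTLS in its EHLO reply. The following added example (not code from Google, the EFF or any article on this page) models that decision offline on constructed EHLO replies. It also covers two cases the articles only hint at: an on-path attacker rewriting the advertisement so the sender never sees it, and a sender configured to refuse plaintext delivery rather than fall back. No network traffic is generated; the hostnames and replies are made up.

```python
"""Opportunistic STARTTLS decision, modelled on constructed EHLO replies.

Added example, not part of any article on this page.  The EHLO reply
format is from RFC 5321: a first "250-host greeting" line followed by one
extension keyword per line, the last line using "250 " instead of "250-".
"""
from dataclasses import dataclass
from typing import Set


def parse_ehlo(reply: str) -> Set[str]:
    """Return the set of extension keywords a receiving server advertised."""
    lines = reply.strip().splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO rejected: " + (lines[0] if lines else "<empty reply>"))
    extensions: Set[str] = set()
    for line in lines[1:]:            # first line is the greeting, not an extension
        if not line.startswith("250"):
            raise ValueError("malformed EHLO reply line: " + line)
        parts = line[4:].split()      # drop "250-" / "250 " then keyword [params]
        if parts:
            extensions.add(parts[0].upper())
    return extensions


@dataclass
class DeliveryResult:
    encrypted: bool
    delivered: bool
    reason: str


def deliver(ehlo_reply: str, require_tls: bool = False) -> DeliveryResult:
    """Decide how a sending server proceeds after reading the peer's EHLO reply.

    require_tls=False is the opportunistic policy most providers use: encrypt
    when offered, otherwise send in the clear.  require_tls=True refuses
    plaintext delivery instead.
    """
    extensions = parse_ehlo(ehlo_reply)
    if "STARTTLS" in extensions:
        # The client now sends "STARTTLS", the server answers "220 Ready to
        # start TLS", both run the TLS handshake (which is where keys are
        # agreed; nothing is exchanged beforehand) and EHLO is repeated
        # inside the encrypted channel.
        return DeliveryResult(True, True, "STARTTLS negotiated")
    if require_tls:
        return DeliveryResult(False, False, "peer offers no STARTTLS; refusing plaintext delivery")
    return DeliveryResult(False, True, "peer offers no STARTTLS; sent in the clear")


def strip_starttls(reply: str) -> str:
    """Model of an on-path downgrade: the attacker overwrites the STARTTLS
    keyword in transit so the sender never learns the peer supports it.
    Overwriting with X's keeps the line length (and TCP segment) unchanged."""
    return reply.replace("STARTTLS", "XXXXXXXX")


# Constructed EHLO replies (hostnames and limits are made up).
EHLO_WITH_TLS = ("250-mx.example.net Hello sender.example.com\r\n"
                 "250-SIZE 35882577\r\n"
                 "250-8BITMIME\r\n"
                 "250-STARTTLS\r\n"
                 "250 ENHANCEDSTATUSCODES\r\n")
EHLO_WITHOUT_TLS = ("250-legacy-mx.example.org Hello sender.example.com\r\n"
                    "250-SIZE 10240000\r\n"
                    "250 8BITMIME\r\n")


if __name__ == "__main__":
    for label, reply in [("modern peer", EHLO_WITH_TLS),
                         ("legacy peer", EHLO_WITHOUT_TLS),
                         ("modern peer, downgraded", strip_starttls(EHLO_WITH_TLS))]:
        for policy in (False, True):
            r = deliver(reply, require_tls=policy)
            print(f"{label:24s} require_tls={policy!s:5s} -> {r.reason}")
```

The downgraded case is why "65 percent encrypted" is a measurement of what peers advertised, not a guarantee: opportunistic STARTTLS defeats passive collection on the wire but not an active attacker who can edit the EHLO reply, and the only defence against that is a policy that refuses to fall back.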


Heartbleed Redux: Another Gaping Wound In Web Encryption Uncovered

Illustration: Ross Patton/WIRED

The internet is still reeling from the discovery of the Heartbleed vulnerability, a software flaw exposed in April in OpenSSL, the most widely used implementation of the SSL/TLS encryption protocol. Now, before Heartbleed has even fully healed, another major bug has ripped off the scab.

On Thursday, the OpenSSL Foundation published an advisory warning users to update OpenSSL yet again, this time to fix a previously unknown but more than decade-old bug that allows an attacker positioned on the network path between two endpoints to strip away its encryption. The non-profit foundation, whose software is used by the majority of the Web's SSL servers, issued a patch and advised sites that use its software to upgrade immediately.

The new attack, found by Japanese researcher Masashi Kikuchi, takes advantage of a portion of OpenSSL's handshake for establishing encrypted connections known as ChangeCipherSpec: by injecting that message at the wrong point in the handshake, the attacker forces the PC and server to derive predictable session keys, which lets a man-in-the-middle snoop decrypt and read the traffic.

"This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes," reads an FAQ published by Kikuchi's employer, the software firm Lepidum. Ashkan Soltani, a privacy researcher who has been involved in analyzing the Snowden NSA leaks for the Washington Post and closely tracked SSL's woes, offers this translation: "Basically, as you and I are establishing a secure connection, an attacker injects a command that fools us into thinking we're using a private password whereas we're actually using a public one."

Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, an attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating, and both of those computers would have to be running vulnerable OpenSSL builds (the OpenSSL advisory said all OpenSSL clients were affected, but only servers running 1.0.1 and 1.0.2-beta1 were known to be). But that still leaves open the possibility that anyone from an eavesdropper on your local Starbucks network to the NSA could strip away your Web connection's encryption before it's even initialized.
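Soltani's "public password" is, concretely, a session key derived before the secret half of the key exchange has happened. The added example below (not code from OpenSSL, Lepidum, Kikuchi or Wired) models the handshake as a small state machine so the defect is visible: the vulnerable endpoint derives its session keys whenever a ChangeCipherSpec message arrives, even before it holds a pre-master secret, so the keys become a function of values that crossed the wire in the clear. The TLS key derivation is replaced by an HMAC stand-in (labelled as such) and the Finished messages are omitted; the example stops at the point where an on-path attacker can reproduce the keys. It only demonstrates the ordering check that the fix enforces, not a working exploit against real OpenSSL.

```python
"""State-machine model of the OpenSSL ChangeCipherSpec (CCS) ordering bug.

Added example, not OpenSSL code.  `fixed=False` models the vulnerable
behaviour (CCS accepted at any point); `fixed=True` models the patched
check that rejects CCS arriving before the key exchange has completed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


class ProtocolError(Exception):
    pass


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS key derivation (NOT the real TLS PRF).

    It keeps the one property the bug depends on: the session keys are a
    function of the pre-master secret and the two randoms from the hello
    messages, and the randoms travel in the clear."""
    return hmac.new(premaster, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


class Endpoint:
    """One side of a (simplified) TLS handshake."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.premaster = b""                 # empty until ClientKeyExchange
        self.key_exchange_done = False
        self.client_random: Optional[bytes] = None
        self.server_random: Optional[bytes] = None
        self.keys: Optional[bytes] = None

    def on_hello(self, client_random: bytes, server_random: bytes) -> None:
        self.client_random, self.server_random = client_random, server_random

    def on_client_key_exchange(self, premaster: bytes) -> None:
        self.premaster = premaster
        self.key_exchange_done = True

    def on_change_cipher_spec(self) -> None:
        if self.fixed and not self.key_exchange_done:
            # The patched behaviour: CCS is only legal after the key exchange.
            raise ProtocolError("ChangeCipherSpec before key exchange: unexpected message")
        # Vulnerable behaviour: derive keys from whatever secret is held now.
        # Before ClientKeyExchange that is the empty string, so the result
        # depends only on values an on-path attacker has already seen.
        self.keys = derive_keys(self.premaster, self.client_random, self.server_random)


def run_handshake(fixed: bool, inject_early_ccs: bool) -> Dict[str, object]:
    """Drive a client and server through the handshake; report whether an
    attacker who saw only the hello messages can reproduce the session keys."""
    client, server = Endpoint(fixed), Endpoint(fixed)
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = os.urandom(48)          # known only to the two endpoints
    for ep in (client, server):
        ep.on_hello(client_random, server_random)
    try:
        if inject_early_ccs:
            # Attacker injects CCS toward both sides before the client has
            # sent ClientKeyExchange.
            client.on_change_cipher_spec()
            server.on_change_cipher_spec()
        else:
            client.on_client_key_exchange(premaster)
            server.on_client_key_exchange(premaster)
            client.on_change_cipher_spec()
            server.on_change_cipher_spec()
    except ProtocolError as err:
        return {"completed": False, "attacker_knows_keys": False, "reason": str(err)}
    # The attacker never saw `premaster`; the guess is the empty secret.
    attacker_guess = derive_keys(b"", client_random, server_random)
    return {"completed": True,
            "attacker_knows_keys": attacker_guess == client.keys == server.keys,
            "reason": "handshake completed"}


if __name__ == "__main__":
    for fixed in (False, True):
        for early in (False, True):
            r = run_handshake(fixed, early)
            print(f"fixed={fixed!s:5s} early_ccs={early!s:5s} -> {r}")
```

The check that the patched endpoint performs is a one-line state test, which is the "code review" point Kikuchi makes: the defect is not cryptographic but a missing assertion about message order, of the kind a reviewer familiar with the TLS state machine would look for first.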

According to a blog post by Kikuchi, the flaw has existed since the very first release of OpenSSL in 1998. He argues that despite the widespread dependence on the software and its recent scrutiny following the Heartbleed revelation, OpenSSL's code still hasn't received enough attention from security researchers. "The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," he writes. "They could have detected the problem."

The revelation of the bug on the one-year anniversary of the Guardian's first publication of Snowden's NSA leaks adds to that grim lesson, says security researcher Soltani. He points to efforts by privacy groups like Reset The Net that have used the Snowden revelations as inspiration to push Internet users and companies to implement more pervasive encryption. Those efforts are undermined, he points out, by the fact that some of the oldest and most widely used encryption libraries may still have fundamental flaws. "There are huge efforts by companies and activists to deploy tools that add proven security," he says, quoting Reset The Net's website. "Yet there's very little actual work and support of the underlying tools that are being deployed, like OpenSSL. It's pretty shameful that the core library that practically the entire internet relies on for transport security is maintained by a handful of under-resourced engineers."


Virtual Storage Encryption Appliance secures critical workloads.

June 5, 2014 - CloudLink SecureVSA lets businesses moving to cloud deployments bring their own encryption to VMware vCloud Hybrid Service and renders data inaccessible to other tenants, cloud administrators, and outsiders. Without requiring any changes to workloads and applications, the agentless solution addresses data privacy and regulatory compliance concerns via a security policy that automates encryption management and gives VMware customers exclusive control of encryption keys. AFORE Solutions Inc., 2680 Queensview Drive, Ottawa, Ontario K2B 8J9, Canada. Press release date: May 28, 2014

CloudLink data encryption enables customers to embrace cloud with ease and confidence

OTTAWA -- AFORE Solutions, Inc., a leader in cloud security and data encryption management, today announced availability of CloudLink SecureVSA for VMware vCloud Hybrid Service. Security and flexibility are top priorities for businesses moving to cloud deployments and CloudLink SecureVSA allows them to bring their own encryption to vCloud Hybrid Service in the form of a virtual storage encryption appliance, making data inaccessible to other tenants, cloud administrators and outsiders.

VMware and AFORE are addressing key challenges enterprises face with production cloud deployments, such as re-architecting applications, learning new tools and managing the risk of hosting sensitive data in a shared, multi-tenant environment. VMware vCloud Hybrid Service simplifies the complexity of managing hybrid cloud environments by enabling customers to seamlessly extend their private data centers to the public cloud without needing to invest in new processes or tools to support the deployment. Adding CloudLink SecureVSA addresses data privacy and regulatory compliance concerns with an advanced security policy that automates encryption management and enables VMware customers to have exclusive control of the encryption keys.

Ajay Patel, vice president of VMware vCloud Hybrid Service explains, "VMware designed the VMware vCloud Hybrid Service to offer the agility of public cloud while providing full compatibility with customers' existing data center infrastructure, making the migration easy and predictable. In a similar fashion, AFORE CloudLink addresses data privacy concerns with a hybrid cloud encryption solution that is transparent to applications and uses familiar VMware deployment and management tools."

Jonathan Reeves, AFORE Chairman and Chief Strategy Officer, underscores the importance of providing customers with powerful encryption solutions that enable them to confidently embrace cloud. "We believe VMware vCloud Hybrid Service addresses an important customer need for enterprises looking to deploy mission critical workloads in the cloud. CloudLink enables VMware customers to encrypt all data used by their virtual machines and puts them in total control of their data security."

Key benefits of CloudLink SecureVSA for VMware vCloud Hybrid Service include:

- Easily deployed agentless solution requiring no changes to workloads and applications.
- Familiar deployment leveraging VMware tools including VMware vSphere, vCloud Director and vCloud Automation Center.
- Encrypt on a "per-VM" basis rather than the entire virtual data center.
- Flexible key management including customer controlled keys.
- Single encryption management plane across hybrid cloud.

AFORE CloudLink is available immediately with full solution details and free trial offers from the VMware vCloud Hybrid Service Marketplace and http://www.aforesolutions.com/vchs.

About AFORE: AFORE is a leading provider of advanced data security and encryption management solutions that protect sensitive customer information in multi-tenant private, public and hybrid clouds. AFORE CloudLink has been recognized with several prestigious industry awards, including the Best of VMworld Gold Award in the Security / Compliance for Virtualization category in 2013. CloudLink SecureVSA has been certified Vblock Ready by VCE to run on Vblock Infrastructure Platforms and is EMC VSPEX lab validated. AFORE is an EMC Select Business Partner as well as an RSA Technology partner. For more information visit: http://www.aforesolutions.com and follow us on Twitter @aforesolutions .
