Zoom hack: What about the encryption models used by Microsoft, Google, and AnyDesk? – The Star Online

From getting hacked by Zoombombers to selling software exploits in the Dark Web, Zoom, the video conferencing app, has probably seen it all over the past few weeks.

The software, available both on desktop and mobile, has surged in popularity ever since the Covid-19 lockdown began, and is now feeling the heat as schools and organisations have started moving away from the platform due to security concerns.

But with several million of us hunkering down at home to curb the spread of coronavirus, online collaboration with employees or students via video conferences is important to get the work done. And this brings us to the golden question: which video conferencing app should we use?

Now, there are several other video calling apps you can use, including Google Duo, Microsoft Skype, Microsoft Teams, AnyDesk and so on, and you can rank these based on their features. But features are not what we are talking about today; we are talking about their encryption models and how safe they are to use (which is more important than anything right now).

So, to answer this, Hindustan Times Tech got in touch with Microsoft, Google and AnyDesk, and spoke to the CEO of cybersecurity firm Lucideus.

But before we tell you what the experts said, here's a brief explanation of what encryption really means. In simple terms, encryption encodes the information sent by one party and decodes it when it reaches the recipient. This prevents the possibility of infiltration, making video calling and messaging secure. However, how well this system works depends on the level of encryption that firms, in this case the video calling apps, use.

As explained by Saket Modi, co-founder and CEO of Lucideus, there are three encryption standards: 128-bit encryption, 192-bit encryption and 256-bit encryption, which is also the most difficult level of encryption to crack. Many have been using AES (Advanced Encryption Standard) with 256-bit keys for improved security as well. For instance, all your banking applications use 256-bit encryption. However, when it comes to video calling, there are two main kinds of encryption methods: end-to-end encryption and TLS 1.2.

TLS (Transport Layer Security), as the name suggests, ensures secure delivery of data over the Internet between two applications. It does not, however, secure data on the end systems (your smartphones and your computers).

So, what encryption platform is Zoom using?

As mentioned by Zoom on its support page, TLS 1.2 with the AES 256-bit algorithm is only used for the desktop clients right now. However, "for dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's datacentre and is transferred to the participant's phone network," says Zoom.

What's worth adding is that although Zoom previously said it used end-to-end encryption for all calls, it never actually did. The firm later apologised for this in a blog post and even faced a class-action lawsuit for overstating its privacy standards and not disclosing that its service was not end-to-end encrypted.

What about the alternatives?

When we asked Microsoft about Skype's encryption model, the Redmond-based tech firm said that it "does not store any Skype video or audio calls, and chat messages are stored to enable sync across devices, but can be deleted".

The representative even pointed us towards the Skype support page that duly mentions the use of AES (Advanced Encryption Standard) "which is used by the US Government to protect sensitive information, and Skype has for some time always used the strong 256-bit encryption".

For instant messages, Microsoft uses TLS to encrypt messages between Skype and other chat services that are based on Microsoft's cloud, but it uses AES when messages are sent between two Skype clients.

The spokesperson added that Skype has seen a growth over the past one month. "Skype has seen an increase in usage, with 40 million people using it daily, up 70% month over month and, we are seeing a 220% increase in Skype to Skype calling minutes month over month."

AnyDesk, another team collaboration app, confirmed to HT Tech that it uses the TLS 1.2 encryption platform. "In addition to that, we use 2048bit RSA (standard cryptographic algorithm) or 256bit Elliptic curve DH asymmetric key exchange and AEAD to verify every single connection. The combination of TLS 1.2 and 2048bit RSA or 256bit Elliptic key exchanges mean that each connection is wrapped in multiple layers of security."

The firm adds that if any modification is detected in the connection signal, the connection drops automatically, which makes man-in-the-middle attacks difficult, something Zoom has witnessed thanks to Zoombombers and Zoom raiders.

AnyDesk claims that it has seen an increase of 200-500% in usage in certain regions across the world.

When HT Tech asked the Google Duo team about the encryption platform they use, the team had no comment but pointed us towards one of their support pages. Although the page did say that Duo uses end-to-end encryption for all video and audio calls, it did not provide details on the standards being used.

But should you use Zoom or not? Lucideus CEO Saket Modi pointed out that although the firm has lately been transparent about its loopholes and has started making the platform more secure, it is still not recommended given its track record.

But in case you are already using Zoom and still have to use it, the security protocols must be enabled.

The Hindustan Times (New Delhi)/Tribune News Service

Read the original:
Zoom hack: What about the encryption models used by Microsoft, Google, and AnyDesk? - The Star Online

Zoom hackWe asked Microsoft, Google, AnyDesk in their encryption Versions | – KEYC TV

Last updated on April 19, 2020

Read more:
Zoom hackWe asked Microsoft, Google, AnyDesk in their encryption Versions | - KEYC TV

IBM i 7.3 Encryption Bolstered With TR8 – IT Jungle

April 15, 2020, by Alex Woodie

Customers running IBM i 7.3 got some good news on the security front when IBM announced that the operating system would get support for the latest Transport Layer Security (TLS) protocol, version 1.3. And that's not the only security-related enhancement this group of users received with the new Technology Refreshes.

Last year, IBM gave IBM i shops the ability to use TLS 1.3, which is the strongest publicly available encryption protocol used on the Internet today. TLS 1.3 debuted in the summer of 2018 and has since been adopted by nearly a quarter of sites on the Web, according to surveys. It's faster than TLS 1.2, but more importantly, TLS 1.3 is more secure, as it dropped the older cipher suites that had themselves become a security liability.

However, IBM i customers had to move to the latest release of the operating system, IBM i version 7.4, to get TLS 1.3. IBM remedied that situation with this week's introduction of IBM i 7.3 TR8, which adds support for TLS 1.3 in that version of the operating system.

In a COMMON webcast yesterday announcing the new TRs, IBM i Chief Architect Steve Will acknowledged that IBM was aware of the security shortcoming in IBM i version 7.3 when it shipped 7.4 last year. "That support [for TLS 1.3] was put into 7.4, but we knew at the time that putting it into 7.4 was not going to be sufficient," he said.

IBM i 7.3 is still used by 50 percent of the installed base, according to the 2020 version of HelpSystems Marketplace Survey, compared to just 4 percent on IBM i 7.4. Those numbers have surely narrowed, as HelpSystems conducted the survey last fall and many undoubtedly have upgraded since then. But IBM i 7.3 will likely have a significant number of users for years to come, so it behooved IBM to make it as secure as possible.

HelpSystems Marketplace Survey

IBM i shops aren't always the most security conscious, as we've come to learn. But IBM clearly understood the importance of adding support for the latest encryption technology to a mainstream and fully supported release of a server operating system that would be around for years.

TLS 1.3, which took 10 years to develop, will eventually replace TLS 1.2, just as TLS replaced Secure Sockets Layer (SSL) technology before that. Nobody is saying TLS 1.2 is unsafe to use (yet), but TLS 1.3 clearly is the encryption technology that forward-looking, security-conscious firms use today.

"The key is that all of the support that you might want to talk to the [TLS] 1.2 partners that you have or the [TLS] 1.3 partners that you have are now part of our two most recent releases, 7.4 and 7.3," Will said in the COMMON webcast. "Therefore, you can get all the necessary TLS 1.3 attributes. All of that is available to you through the standard mechanism for configuring and for getting information out of IBM."

Companies that use *OPSYS will automatically be presented with the option to use the new TLS 1.3 ciphers, Will said. Those shops that use other mechanisms for managing their SSL/TLS connections will need to manually make the change when IBM i 7.3 TR8 becomes available on May 15.

"We also added the system value support back in so that you could identify on your 7.3 system that you wanted to use TLS 1.3 where possible," Will said. "In this case, administrators need to explicitly add the new values unless they were already using the *OPSYS for the SSL/[TLS] control."

TLS 1.3 is the strongest publicly available encryption for data exchange over the Internet.

IBM also bolstered its support for TLS 1.2 in IBM i 7.4. The cryptographic community has made some changes to TLS 1.2 (which debuted way back in 2008) that will solidify its use going forward. Specifically, it added a handful of new cipher suites, including more elliptic curve algorithms for key exchange. IBM added support for these TLS 1.2 enhancements with IBM i 7.4 TR1 last fall, and now it's giving IBM i 7.3 customers the same support.

"Supporting these TLS 1.2 enhancements ensures that IBM i customers can continue exchanging data with their trading partners in an unimpeded manner," Will said.

"While most of our clients will want to move to 1.3, they need a partner conversation that can also do 1.2," he said. "If you're dealing with somebody who is using 1.2 and hasn't moved to 1.3 yet, you may still want to do things that are stronger in their encryption and so on. TLS 1.2 has some enhancements for that. We put those in 7.4. And now they are also in 7.3."
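The article's preference order (TLS 1.3 first, then the newer TLS 1.2 suites with elliptic-curve key exchange for partners still on 1.2, everything else to be retired) can be checked against what a client or server actually offers. The following is an added example, not IBM's or IT Jungle's code: it uses Python's standard `ssl` module to read the local OpenSSL cipher list and sorts each suite into one of those three buckets; the bucket names and the constructed sample list are this example's own assumptions.

```python
"""Audit which TLS suites a local OpenSSL build offers, grouped the way the
IBM i 7.3 TR8 article describes them: TLS 1.3, TLS 1.2 with ECDHE + AEAD,
and everything older.

Added example; bucket names and SAMPLE_SUITES are constructed here.
"""
import ssl
from typing import Dict, Iterable, List

# Buckets, strongest first (names are this example's own choice).
TLS13 = "tls1.3"
TLS12_MODERN = "tls1.2-ecdhe-aead"   # forward secrecy via ECDHE + AEAD
TLS12_OTHER = "tls1.2-other"         # RSA key transport, DHE, CBC/non-AEAD, or pre-1.2


def classify(suite: Dict) -> str:
    """Place one entry from SSLContext.get_ciphers() into a bucket.

    get_ciphers() yields dicts with keys such as 'name', 'protocol'
    ('TLSv1.3', 'TLSv1.2', 'SSLv3' for very old suites), 'kea'
    ('kx-any' for 1.3, 'kx-ecdhe', 'kx-rsa', 'kx-dhe') and 'aead' (bool).
    Anything that is neither TLS 1.3 nor ECDHE with an AEAD cipher is
    treated as a suite to retire once partners can move on.
    """
    if suite["protocol"] == "TLSv1.3":
        return TLS13
    if suite["protocol"] == "TLSv1.2" and suite["kea"] == "kx-ecdhe" and suite["aead"]:
        return TLS12_MODERN
    return TLS12_OTHER


def audit(suites: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group suite names by bucket, keeping OpenSSL's preference order."""
    report: Dict[str, List[str]] = {TLS13: [], TLS12_MODERN: [], TLS12_OTHER: []}
    for s in suites:
        report[classify(s)].append(s["name"])
    return report


def ready_for_mixed_partners(report: Dict[str, List[str]]) -> bool:
    """True when TLS 1.3 is offered and at least one modern TLS 1.2 suite
    remains for trading partners that have not moved to 1.3 yet."""
    return bool(report[TLS13]) and bool(report[TLS12_MODERN])


def local_client_suites() -> List[Dict]:
    """Ask the local OpenSSL which suites a default client context offers."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.get_ciphers()


# Constructed sample in the same shape get_ciphers() returns (not live data).
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any", "aead": True},
    {"name": "ECDHE-ECDSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": True},
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": False},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe", "aead": True},
    {"name": "AES256-SHA", "protocol": "SSLv3", "kea": "kx-rsa", "aead": False},
]


def print_report(label: str, report: Dict[str, List[str]]) -> None:
    print(f"== {label} ==")
    for bucket in (TLS13, TLS12_MODERN, TLS12_OTHER):
        print(f"{bucket}: {len(report[bucket])} suite(s)")
        for name in report[bucket]:
            print("   ", name)
    print("ready for mixed 1.2/1.3 partners:", ready_for_mixed_partners(report))


if __name__ == "__main__":
    print_report("constructed sample", audit(SAMPLE_SUITES))
    print_report("local OpenSSL client context", audit(local_client_suites()))
```

Suites in the last bucket are the ones to weigh against the partner conversation the article describes; the live listing reflects the local OpenSSL build, not an IBM i system.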

This situation is similar to what IBM faced back in 2017, when a handful of IBM i 7.1 users were clamoring for IBM to add support for new SSL/TLS ciphers, specifically the elliptic curve encryption algorithms, to that operating system.

At that time, IBM i customers were being turned down by their trading partners because they weren't using the latest, greatest ciphers, which eliminated their ability to use standard Internet techniques to exchange data. IBM i 7.1 was still supported at the time, but both IBM i 7.2 and IBM i 7.3 were already out. IBM i 7.1 was nearing the end of its (very long) life, and IBM did not want to give these customers any more reason to stay on that release, so it didn't add those new ciphers to 7.1.

However, there is one key difference between IBM's TLS support now and back in 2017: IBM i 7.3 is expected to be around for quite a while (although IBM i 7.2 will be pulled from marketing at the end of April of this year and will be pulled from mainstream support at the end of April 2021). Getting TLS 1.3 running on IBM i 7.3, therefore, was a priority for IBM.

The new Digital Certificate Manager (DCM) interface that IBM introduced with IBM i 7.4 has also been added to 7.3. According to Will, the new GUI interface for DCM was received very positively by customers.

"But what we found was, as people were introduced to this new interface on 7.4, they said, 'Absolutely, this is what we wanted. Now make it available to 7.3 because I'm managing multiple systems as well,'" Will said. "You can use the original one if it takes you a little time to learn the new one. But what we're finding is that it's relatively straightforward ... The ability to see certificates that are close to expiration so that you can act on them, it's so much easier in this new interface, so you'll want to take a look at that."


See the original post:
IBM i 7.3 Encryption Bolstered With TR8 - IT Jungle

Encryption Software Market 2020 Break Down by Top Companies, Applications, Challenges, Opportunities and Forecast 2026 Cole Reports – Cole of Duty


Encryption Software Market: Competitive Landscape

The last chapter of the Encryption Software market research report focuses exclusively on the competitive landscape. It examines the main market players. In addition to a brief overview of the business, analysts provide information on their assessment and development. The list of important products in preparation is also mentioned. The competitive landscape is analyzed by understanding the companies strategies and the initiatives they have taken in recent years to overcome intense competition.

Encryption Software Market: Drivers and Restraints

The report explains the drivers of the future of the Encryption Software market. It assesses the different forces which should have a positive impact on the whole market. Analysts have looked at investments in research and development for products and technologies, which should give players a significant boost. In addition, the researchers undertook an analysis of the evolution of consumer behavior which should have an impact on the cycles of supply and demand in the Encryption Software market. In this research report, changes in per capita income, improvement in the economic situation and emerging trends were examined.

The research report also explains the potential restrictions on the Encryption Software market. The aspects assessed are likely to hamper market growth in the near future. In addition to this assessment, it offers a list of opportunities that could prove lucrative for the entire market. Analysts offer solutions to turn threats and restrictions into successful opportunities in the years to come.

Encryption Software Market: Regional Segmentation

In the following chapters, analysts have examined the regional segments of the Encryption Software market. This gives readers a deeper insight into the global market and allows for a closer look at the elements that could determine its evolution. Countless regional aspects, such as the effects of culture, environment and government policies, which affect regional markets are highlighted.

Ask for Discount @ https://www.verifiedmarketresearch.com/ask-for-discount/?rid=1826&utm_source=COD&utm_medium=007

What will the report contain?

Market Dynamics: The report contains important information on influencing factors, market drivers, challenges, opportunities and market trends as part of the market dynamics.

Global Market Forecast: Readers receive production and sales forecasts for the Encryption Software market, production and consumption forecasts for regional markets, production, sales and price forecasts for the Encryption Software market by type and consumption forecasts for the Encryption Software market per application.

Regional Market Analysis: It can be divided into two different sections: one for the analysis of regional production and one for the analysis of regional consumption. Here, analysts share gross margin, prices, sales, production, CAGR, and other factors that indicate the growth of all regional markets examined in the report.

Market Competition: In this section, the report provides information on the situation and trends of competition, including mergers and acquisitions and expansion, the market shares of the three or five main players and the concentration of the market. Readers could also get the production, revenue, and average price shares of manufacturers.

Key Players: The report provides company profiles for a decent number of leading players in the Encryption Software market. It shows your current and future market growth taking into account price, gross margin, income, production, service areas, production locations and other factors.

Complete Report is Available @ https://www.verifiedmarketresearch.com/product/global-encryption-software-market-size-and-forecast-to-2025/?utm_source=COD&utm_medium=007

We also offer customization on reports based on specific client requirement:

1- Free country level analysis for any 5 countries of your choice.

2- Free Competitive analysis of any market players.

3- Free 40 analyst hours to cover any other data points

About us:

Verified market research partners with the customer and offer an insight into strategic and growth analyzes, Data necessary to achieve corporate goals and objectives. Our core values are trust, integrity and authenticity for our customers.

Analysts with a high level of expertise in data collection and governance use industrial techniques to collect and analyze data in all phases. Our analysts are trained to combine modern data collection techniques, superior research methodology, expertise and years of collective experience to produce informative and accurate research reports.

Contact us:

Mr. Edwyne Fernandes
Call: +1 (650) 781 4080
Email: [emailprotected]

Get Our Trending Report

https://www.marketresearchblogs.com/cellular-m2m-market-size-growth-analysis-opportunities-business-outlook-and-forecast-to-2026/

Tags: Encryption Software Market Size, Encryption Software Market Trends, Encryption Software Market Forecast, Encryption Software Market Growth, Encryption Software Market Analysis

See the original post here:
Encryption Software Market 2020 Break Down by Top Companies, Applications, Challenges, Opportunities and Forecast 2026 Cole Reports - Cole of Duty

Encryption Key Management Market Rising Trends and Technology 2020 to 2025 – News by aeresearch

The recent report on Encryption Key Management market thoroughly analyzes the industry sphere with key emphasis on consumption and production. With respect to consumption, the report entails details about volume share and valuation, while deciphering the price trends over the forecast period. Information regarding import and export patterns across various geographies is provided in the report.

The Latest Research Report on Encryption Key Management Market size | Industry Segment by Applications (SMBs and Large Enterprises), by Type (Standards-based key management, KMIP, Non-KMIP-compliant key management and Other), Regional Outlook, Market Demand, Latest Trends, Encryption Key Management Industry Share, Research Growth Forecast & Revenue by Manufacturers, The Leading Company Profiles, Growth Forecasts 2026.

Request Sample Copy of this Report @ https://www.aeresearch.net/request-sample/161654

Speaking of production, the study discusses the manufacturing of product, raw material procurement cost, and profit margins amassed by the key Encryption Key Management market players, along with variations in unit cost offered by these manufacturers in several regions. More importantly, the report encompasses a detailed projection about the consumption and production patterns displayed by the Encryption Key Management market in the upcoming years.

A summary of regional outlook:

An overview of the product spectrum:

A brief summary of application topography:

An insight into the competitive terrain:

To conclude, the report analyzes the Encryption Key Management market by multiple categorizations to offer concise information about the industry, including the downstream buyers, upstream raw materials, and distribution channels. Details regarding market challenges, along with global trends, drivers and growth prospects that will influence market growth, are stated to help shareholders gain a deeper understanding of the Encryption Key Management market.

Objectives of the Global Encryption Key Management Industry Research Report: Forecast to 2026:

Request Customization on This Report @ https://www.aeresearch.net/request-for-customization/161654

More here:
Encryption Key Management Market Rising Trends and Technology 2020 to 2025 - News by aeresearch

Encryption will be broken in the next four to five years – – Enterprise Times

Encryption is always a hot topic. Everyone wants it to keep their data private. Governments want it but also want a backdoor into it so that they can see everything when it suits them, even if nobody trusts them to keep the backdoor secure.

A bigger problem, however, is that encryption of data is never as the industry describes. Data is constantly decrypted as it is used, which opens up all sorts of ways that it can be stolen. The security industry fears that the closer we get to quantum computing, the closer we get to all encryption being broken.

A few months ago, Enterprise Times talked with Simon Bain, who was, at the time, CTO of ShieldIO. Bain told us: "Currently, encryption will be broken at some point in the next four to five years. It's not going to need quantum to do it. It just needs some clever bugger to go out and actually look at it and say, oh, there's a pattern there. Because the whole universe is made a pattern. There is no such thing as random."

ShieldIO provides encryption of data using a technique called homomorphic encryption. Bain said: "It's incredibly simple in terms of what it means. It's the ability to work on data, keep it encrypted and get back a Boolean true or false. There are a lot of companies working on it, but it is not simple."

In this podcast, Bain talks about the challenges with encryption and what homomorphic encryption can add. He also explains why ShieldIO wrote its own libraries due to the limitations of those that are publicly available.

To hear more of what Bain had to say, listen to the podcast.


See the original post here:
Encryption will be broken in the next four to five years - - Enterprise Times

Zoom privacy and security issues: Here’s everything that’s wrong (so far) – Tom’s Guide

Are you using Zoom yet? It seems that everyone in America who's been forced to work, or do schoolwork, from home during the coronavirus lockdown is using the video-conferencing platform for meetings, classes and even social gatherings.

There are good reasons Zoom has taken off and other platforms haven't. Zoom is easy to set up, easy to use and lets up to 100 people join a meeting for free. It just works.

But there's a downside. Zoom's ease of use has made it easy for troublemakers to "bomb" open Zoom meetings. Information-security professionals say Zoom's security has left a lot of holes open, although it's getting better.

There's also been a lot of scrutiny about Zoom's privacy policy, which until recently seemed to give Zoom the right to do whatever it saw fit with any user's personal data.

That's created a backlash against Zoom. On April 6, New York City public schools moved to ban Zoom meetings, and other school systems did the same, although Singapore now seems to be reversing its ban on Zoom for distance-learning.

With this ton of issues, people are looking for other options, so check out our Skype vs Zoom face-off to see how an old video app has adapted for video conferencing. We've also compared Zoom vs Google Hangouts as well.

Does all this mean that Zoom is unsafe to use? No.

Unless you're discussing state or corporate secrets, or disclosing personal health information to a patient, Zoom should be fine to use. Just ask that meeting participants sign in with a password.

For school classes, after-work get-togethers, or even workplace meetings that stick to routine business, there's not much risk in using Zoom. Kids will probably continue to flock to it, as they can even use Snapchat filters on Zoom.

You just need to be aware that the Zoom software creates a huge "attack surface," as security professionals like to say, and that hackers are going to try to come at it every way they can. They're already registering lots of Zoom-related phony domains and developing Zoom-themed malware.

The upside is that if lots of flaws in Zoom are found now and fixed soon, then Zoom will be the better -- and safer -- for it.

"Zoom will soon be the most secure conferencing tool out there," wrote tech journalist Kim Zetter on Twitter April 1. "But too bad they didn't save themselves some grief and engage in some security assessments of their own to avoid this trial by fire."

In a blog post April 1, Zoom CEO and founder Eric S. Yuan acknowledged Zoom's growing pains and pledged that regular development of the Zoom platform would be put on hold while the company worked to fix security and privacy issues.

"We recognize that we have fallen short of the community's -- and our own -- privacy and security expectations," Yuan wrote, explaining that Zoom had been developed for large businesses with in-house IT staffers who could set up and run the software.

"We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived," he said. "These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones."

To deal with these issues, Yuan wrote, Zoom would be "enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues."

Among other things, Zoom would also be "conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases."

Zoom now requires passwords by default for most Zoom meetings, although meeting hosts can turn that feature off. Passwords are the easiest way to stop Zoom bombing.

And on April 8, former Facebook and Yahoo chief security officer Alex Stamos said he would be working with Zoom to improve its security and privacy. Stamos is now an adjunct professor at Stanford and is highly regarded within the information-security community.

To keep ourselves (and you) sane, we're putting the most recent Zoom privacy and security issues up top and separating the problems into those that are open or unresolved, those that have been resolved and those that don't fit into either category.

Zoom-meeting video recordings saved on Zoom's cloud servers can be easily discovered and often viewed, a security researcher told Cnet.

Phil Guimond noticed that online recordings of Zoom meetings have a predictable URL structure and are thus easy to find. (The Washington Post reported last week on a similar issue with Zoom recordings that had been uploaded by users to third-party cloud servers. In those cases, the file names of meeting recordings followed a predictable pattern.)

Until Zoom pushed out a series of updates this past Tuesday, Zoom meeting recordings were not required to be password-protected.

Guimond built a simple tool that automatically searches for Zoom meeting recordings and tries to open them.

If a meeting has a password, his tool tries to brute-force access by running through millions of possible passwords. If a meeting recording is viewable, so is the Zoom meeting ID, and the attacker might be able to access future recurring meetings.

To defeat Guimond's automated tool, Zoom added a Captcha challenge, which forces the would-be meeting-recording watcher to prove they're a human. But, Guimond said, the URL pattern is still the same, and attackers could still try to open each generated result manually.

STATUS: Mitigated with additional obstacles against attack, but not really fixed.

Zoom announced it was hiring Luta Security, a consulting firm headed by Katie Moussouris, to revamp Zoom's "bug bounty" program, which pays hackers to find software flaws.

Moussouris set up the first bug-bounty programs at Microsoft and the Pentagon. In her own blog post, she announced that Zoom was bringing in other well-regarded information-security firms and researchers to improve its security.

In its weekly webinar, according to ZDNet, Zoom also said it would let meeting hosts report abusive users, and newly hired security consultant Alex Stamos said Zoom would be switching to a more robust encryption standard after Zoom's existing encryption was found to be lacking.

In other news, a congressman has complained that a congressional briefing held over Zoom on April 3 was "zoom-bombed" at least three times.

The head of Standard Chartered, a London-based multinational bank, has warned employees not to use Zoom or Google Hangouts for remote meetings, citing security concerns, according to Reuters.

Standard Chartered primarily uses the rival Blue Jeans video-conferencing platform, according to two bank staffers who spoke anonymously.

Last year, Standard Chartered agreed to pay British and American regulators $1.1 billion after admitting the bank violated trade sanctions on Iran.

Hackers are apparently offering to sell two "zero-day" exploits in Zoom to the highest bidder, Vice reports.

Zero-days are hacks that take advantage of vulnerabilities the software maker doesn't know about, and which users have little or no defense against.

Sources who told Vice about the zero-days said one exploit is for Windows and lets a remote attacker get full control of a target's computer. The catch is that the attacker and the target have to be on the same Zoom call. Its asking price is $500,000.

"I think it's just kids who hope to make a bang," one unnamed source told Vice.

The other zero-day is said to be for macOS and to be less serious.

STATUS: Apparently unfixed.

Zoom announced April 13 that users of paid Zoom accounts would be able to choose through which region of the world their data would be routed: Australia, Canada, China, Europe, India, Japan/Hong Kong, Latin America or the United States.

This is a reaction to the discovery earlier in April that many Zoom meetings hosted by and involving U.S. residents had been routed through servers based in China, a country that retains the right to see anything happening on a domestically located server without a warrant.

Users of Zoom's free service will have their data handled only by servers in their regions.

Usernames and passwords for more than 500,000 Zoom accounts are being sold or given away in criminal marketplaces.

These accounts were not compromised as the result of a Zoom data breach, but instead through credential stuffing. That's when criminals try to unlock accounts by re-using credentials from accounts compromised in previous data breaches. It works only if an account holder uses the same password for more than one account.

STATUS: Unknown, but this isn't Zoom's fault.

A Kurdish security researcher said Zoom had paid him a bug bounty -- a reward for finding a serious flaw -- after he discovered and privately reported a way for anyone to easily hijack any existing Zoom account if the account email address was known or successfully guessed.

The researcher, who calls himself "s3c" but whose real name may be Yusuf Abdulla, described how if he tried to log into the Zoom website with a Facebook account, Zoom would ask for the email address associated with that Facebook account. Then Zoom would open a new webpage notifying him that a confirmation email message had been sent to that email address.

The URL of the notification webpage would have a unique identification tag in the address bar. As an example that's much shorter than the real thing, let's say it's "zoom.com/signup/123456XYZ".

When s3c received and opened the confirmation email message sent by Zoom, he clicked on the confirmation button in the body of the message. This took him to yet another webpage that confirmed his email address was now associated with a new account. So far, so good.

But then s3c noticed that the unique identification tag in the Zoom confirmation webpage's URL was identical to the first ID tag. Let's use the example "zoom.com/confirmation/123456XYZ".

The matching ID tags, one used before confirmation and the other after confirmation, meant that s3c could have avoided receiving the confirmation email, and clicking on the confirmation button, altogether.

In fact, he could have entered ANY email address -- yours, mine or billgates@gmail.com -- into the original signup form. Then he could have copied the ID tag from the resulting Zoom notification page and pasted the ID tag into an already existing Zoom account-confirmation page.

Boom, he'd have access to any Zoom account created using the targeted email address.

"Even if you already linked your account with a Facebook account Zoom automatically unlink it and link it with the attacker Facebook account," s3c wrote in his imperfect English.

And because Zoom lets anyone using a company email address view all other users signed up with the same email domain, e.g. "company.com", s3c could have leveraged this method to steal ALL of a given company's Zoom accounts.

"So if an attacker create an account with email address attacker@companyname.com and verify it with this bug," s3c wrote, "the attacker can view all emails that created with *@companyname.com in Zoom app in Company contacts so that means the attacker can hack all accounts of the company."

Zoom is fortunate that s3c is one of the good guys and didn't disclose this flaw publicly before Zoom could fix it. But it's such a simple flaw that it's hard to imagine no one else noticed it before.

STATUS: Fixed, thank God.
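The flaw s3c describes is a single identifier that is shown to whoever typed the email address and is also accepted as proof that the mailbox owner clicked the emailed link. The same design rule applies to the recording URLs discussed further up: an identifier the requester can see or predict must never double as the credential. The example below is added for this page and is not Zoom's code; the example.test host, the class names and the URL layout are invented. It puts a minimal version of the weak design next to one where the value that proves mailbox ownership travels only in the email, is stored hashed, expires, and is consumed on first use.

```python
import hashlib
import hmac
import secrets
import time

BASE = "https://example.test"   # placeholder host, not a real Zoom endpoint


class VulnerableSignup:
    """One identifier serves both the 'check your email' page and the confirm link.

    Whoever submits the signup form sees that identifier in the address bar and
    can therefore complete confirmation without ever reading the mailbox.
    """

    def __init__(self):
        self.pending = {}       # tag -> email
        self.confirmed = set()  # emails now bound to an account
        self.outbox = []        # (email, link) pairs standing in for sent mail

    def start_signup(self, email):
        tag = secrets.token_urlsafe(16)
        self.pending[tag] = email
        self.outbox.append((email, f"{BASE}/confirmation/{tag}"))
        return f"{BASE}/signup/{tag}"   # same tag, visible to the requester

    def confirm(self, tag):
        email = self.pending.pop(tag, None)
        if email is None:
            return False
        self.confirmed.add(email)
        return True


class HardenedSignup:
    """The page shown to the requester carries only an opaque pending id; the
    secret that proves mailbox ownership travels only in the email."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.pending = {}       # pending_id -> record
        self.confirmed = set()
        self.outbox = []
        self.ttl = ttl_seconds
        self.clock = clock      # injectable for testing expiry

    def start_signup(self, email):
        pending_id = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(32)
        self.pending[pending_id] = {
            "email": email,
            # store only a hash, so a database leak does not leak live links
            "secret_hash": hashlib.sha256(secret.encode()).digest(),
            "expires": self.clock() + self.ttl,
        }
        self.outbox.append((email, f"{BASE}/confirm/{pending_id}/{secret}"))
        return f"{BASE}/signup/{pending_id}"

    def confirm(self, pending_id, secret):
        rec = self.pending.get(pending_id)
        if rec is None:
            return False
        if self.clock() > rec["expires"]:
            del self.pending[pending_id]
            return False
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(rec["secret_hash"], presented):
            return False
        del self.pending[pending_id]   # single use: a replay is refused
        self.confirmed.add(rec["email"])
        return True


def last_path_parts(url, n):
    """Return the last n path segments of a URL."""
    return url.rsplit("/", n)[-n:]


def run_scenarios(victim="victim@example.test"):
    """Return which of the requester's and the mailbox owner's attempts succeed."""
    results = {}

    # Weak design: the requester types someone else's address, reads the tag
    # off the notification URL and presents it as the confirmation tag.
    v = VulnerableSignup()
    (tag,) = last_path_parts(v.start_signup(victim), 1)
    results["vulnerable_requester_confirms"] = v.confirm(tag)

    # Hardened: the same move yields only the pending id, which is not a secret.
    h = HardenedSignup()
    (pending_id,) = last_path_parts(h.start_signup(victim), 1)
    results["hardened_requester_confirms"] = h.confirm(pending_id, pending_id)

    # The mailbox owner follows the emailed link; a replay is then refused.
    _, link = h.outbox[-1]
    pid, secret = last_path_parts(link, 2)
    results["hardened_owner_confirms"] = h.confirm(pid, secret)
    results["hardened_replay"] = h.confirm(pid, secret)

    # Expired link: a fixed clock moved past the TTL before the click.
    t = [1_000_000.0]
    h2 = HardenedSignup(ttl_seconds=60, clock=lambda: t[0])
    h2.start_signup(victim)
    _, link = h2.outbox[-1]
    pid, secret = last_path_parts(link, 2)
    t[0] += 61
    results["hardened_expired"] = h2.confirm(pid, secret)
    return results
```

The pending id in the hardened version may be shown anywhere because it grants nothing on its own; the expiry and single-use checks limit the damage of a leaked mailbox or a forwarded link.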

Researchers from IntSights discovered a set of 2,300 Zoom login credentials being shared in a criminal online forum.

"Aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others," IntSights' Etay Maor wrote in a blog post April 10.

"While some of the accounts 'only' included an email and password, others included meeting IDs, names and host keys," Maor wrote.

Maor told Threatpost it didn't seem like the credentials came from a Zoom data breach, given their relatively small number. He theorized that they came from "small lists and databases kept by other companies/agencies."

It's also possible that some of the credentials were the result of "credential stuffing." That's the (largely) automated process by which criminals try to log into websites by cycling through likely email addresses and likely passwords, and then harvest whatever yields a positive result.

STATUS: Unknown. This likely isn't a Zoom issue per se.
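Both credential-stuffing passages above (the 500,000-account listing and the IntSights set) describe the same mechanic: one source tries many different accounts with passwords taken from other breaches, so most attempts fail and a few succeed. That shape is what a defender can look for in authentication logs. The following detection is an added example, not code from any of the companies named on this page; the log format, the addresses and the thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of authentication events (not from any real service).
# 203.0.113.7 walks through many different accounts with one attempt each,
# the signature of credential stuffing; 198.51.100.2 is one person mistyping.
SAMPLE_LOG = """\
2020-04-10T09:00:01Z src=203.0.113.7 user=alice@example.test result=fail
2020-04-10T09:00:02Z src=203.0.113.7 user=bob@example.test result=fail
2020-04-10T09:00:02Z src=203.0.113.7 user=carol@example.test result=success
2020-04-10T09:00:03Z src=203.0.113.7 user=dave@example.test result=fail
2020-04-10T09:00:03Z src=203.0.113.7 user=eve@example.test result=fail
2020-04-10T09:00:04Z src=203.0.113.7 user=frank@example.test result=fail
2020-04-10T09:00:04Z src=203.0.113.7 user=grace@example.test result=fail
2020-04-10T09:00:05Z src=203.0.113.7 user=heidi@example.test result=fail
2020-04-10T09:05:00Z src=198.51.100.2 user=erin@example.test result=fail
2020-04-10T09:05:30Z src=198.51.100.2 user=erin@example.test result=fail
2020-04-10T09:06:00Z src=198.51.100.2 user=erin@example.test result=success
2020-04-10T09:07:00Z src=192.0.2.9 user=ivan@example.test result=success
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Return (timestamp, source, user, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"]


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, mostly failing, inside one window.

    Returns {source: {"distinct_users", "attempts", "logged_in"}}, where
    "logged_in" lists accounts the flagged source successfully entered, i.e.
    the ones whose reused password worked and should be reset.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort()
        flagged = False
        start = 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged = True
                break
        if flagged:
            findings[src] = {
                "distinct_users": len({e[2] for e in events}),
                "attempts": len(events),
                "logged_in": sorted({e[2] for e in events if e[3] == "success"}),
            }
    return findings
```

Counting distinct usernames per source, rather than failures per username, is what separates stuffing from a single user who forgot a password; the "logged_in" list is the actionable output, since those are the accounts whose owners reused a breached password.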

In an "ask me anything" webinar earlier this week, Zoom CEO Eric S. Yuan said that Zoom had discovered "a potential security vulnerability with file sharing, so we disabled that feature."

Until this week, participants in a Zoom meeting could share files with each other using the meeting's chat function.

STATUS: Fixed.

Zoom has released updates for its Windows, macOS and Linux desktop client software so that meeting IDs will not display onscreen during meetings. British Prime Minister Boris Johnson last week accidentally displayed a Zoom meeting ID in a tweet, and the Belgian cabinet made a similar mistake.

BuzzFeed News reported that Google had banned Zoom from company-owned laptops, the Financial Times reported that the U.S. Senate had advised members and staffers to avoid Zoom, and the German newspaper Handelsblatt said that country's foreign ministry had also asked its staff to stop using Zoom.

However, it's worth keeping in mind that Google has its own videoconferencing application built into its G Suite software for enterprises.

Taiwan's government has banned the use of Zoom for government meetings and for school use, citing "security or privacy concerns." The memo announcing the government ban did not get more specific about the reasons, but last weekend it emerged that some Zoom meetings were being routed through mainland Chinese servers.

Information-security researchers know of several Zoom "zero-day" exploits, according to Vice, which couldn't get anyone to go on the record for its story. Zero-days are exploits for software vulnerabilities that the software maker doesn't know about and hasn't fixed, and hence has "zero days" to prepare before the exploits appear.

However, one Vice source implied that other video-conferencing solutions also had security flaws. Another source said that Zoom zero-days weren't selling for much money due to lack of demand.

Along those lines, Kaspersky researchers said they had found more than 500 suspicious files that pretended to be Zoom-related. Not all the files were malicious, and those that were installed adware, not full-on malware.

Other phony files mimicked WebEx, GoToMeeting and Slack, but by far the biggest target among video-conferencing platforms was Skype. The researchers found 120,000 suspicious files with Skype attributes.

Criminals are trading compromised Zoom accounts on the "dark web," Yahoo News reported.

This information apparently came from Israeli cybersecurity firm Sixgill (not to be confused with an American firm of the same name), which specializes in monitoring underground online-criminal activity. We weren't able to find any mention of the findings on the Sixgill website.

Sixgill told Yahoo it had spotted 352 compromised Zoom accounts that included meeting IDs, email addresses, passwords and host keys. Some of the accounts belonged to schools, and one each to a small business and a large healthcare provider, but most were personal.

STATUS: Not really a bug, but definitely worth worrying about. If you have a Zoom account, make sure its password isn't the same as the password for any other account you have.

Researchers at Trend Micro discovered a version of the Zoom installer that has been bundled with cryptocurrency-mining malware, i.e. a coin-miner.

The Zoom installer will put Zoom version 4.4.0.0 on your Windows PC, but it comes with a coin-miner that Trend Micro has given the catchy name Trojan.Win32.MOOZ.THCCABO. (By the way, the latest Zoom client software for Windows is up to version 4.6.9, and you should get it only from here.)

The coin-miner will ramp up your PC's central processing unit, and its graphics card if there is one, to solve mathematical problems in order to generate new units of cryptocurrency. You'll notice this if your fans suddenly speed up or if Windows Task Manager (hit Ctrl + Shift + Esc) shows unexpectedly heavy CPU/GPU use.

To avoid getting hit with this malware, make sure you're running one of the best antivirus programs, and don't click on any links in emails, social media posts or pop-up messages that promise to install Zoom on your machine.

STATUS: Open, but this isn't Zoom's problem to fix. It can't stop other people from copying and redistributing its installation software.

Not only does Zoom mislead users about its "end-to-end encryption" (see further down), but it seems to be flat-out, um, not telling the truth about the quality of its encryption algorithm.

Zoom says it uses AES-256 encryption to encode video and audio data traveling between Zoom servers and Zoom clients (i.e., you and me). But researchers at the Citizen Lab at the University of Toronto, in a report posted April 3, found that Zoom actually uses the somewhat weaker AES-128 algorithm.

Even worse, Zoom uses an in-house implementation of the encryption algorithm that preserves patterns from the original file. It's as if someone drew a red circle on a gray wall, and then a censor painted over the red circle with a white circle. You're not seeing the original message, but the shape is still there.

"We discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality," the Citizen Lab report says, such as "governments worried about espionage, businesses concerned about cybercrime and industrial espionage, healthcare providers handling sensitive patient information" and "activists, lawyers, and journalists working on sensitive topics."

STATUS: Unresolved. In a blog post April 3, Zoom CEO Eric S. Yuan acknowledged the encryption issue but said only that "we recognize that we can do better with our encryption design" and "we expect to have more to share on this front in the coming days."
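The pattern preservation described above is the signature of ECB (electronic codebook) mode, which is the mode the Citizen Lab report identified: each 16-byte block is encrypted on its own, so identical plaintext blocks become identical ciphertext blocks and the outline of the "circle" survives. The example below is added here and is not code from Zoom or from Citizen Lab. Because it has to run with the standard library, it uses a constructed toy Feistel block cipher built on HMAC-SHA256 in place of AES; the leakage shown depends on the mode, not on the block cipher inside it. It encrypts a constructed "picture" made of only two distinct blocks in ECB and in CBC and counts how many distinct ciphertext blocks come out.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes, the AES block size

# Toy 16-byte Feistel block cipher keyed with HMAC-SHA256 round functions.
# Constructed for this demonstration only; it stands in for AES.
def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: every block encrypted independently, no IV, fully deterministic.
def ecb_encrypt(key, data):
    return b"".join(block_encrypt(key, b) for b in _blocks(data))

def ecb_decrypt(key, data):
    return b"".join(block_decrypt(key, b) for b in _blocks(data))

# CBC: each block is XORed with the previous ciphertext block (or a random IV)
# before encryption, so equal plaintext blocks no longer produce equal output.
def cbc_encrypt(key, data, iv=None):
    iv = iv or os.urandom(BLOCK)
    prev, out = iv, []
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key, blob):
    prev, out = blob[:BLOCK], []
    for cur in _blocks(blob[BLOCK:]):
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)

def distinct_blocks(data):
    return len(set(_blocks(data)))

# Constructed "picture": a gray wall with a run of red-circle blocks inside.
# Exactly 64 blocks, so no padding is needed for this demonstration.
WALL = b"\x80" * BLOCK
CIRCLE = b"\xff\x00\x00" * 5 + b"\xff"
PICTURE = WALL * 20 + CIRCLE * 24 + WALL * 20

def leakage_report(key):
    """Compare how much structure each mode leaves visible in the ciphertext."""
    ecb = ecb_encrypt(key, PICTURE)
    cbc = cbc_encrypt(key, PICTURE)
    return {
        "plaintext_distinct": distinct_blocks(PICTURE),   # 2: wall and circle
        "ecb_distinct": distinct_blocks(ecb),             # still 2: shape leaks
        "cbc_distinct": distinct_blocks(cbc[BLOCK:]),     # 64: shape hidden
        "ecb_deterministic": ecb == ecb_encrypt(key, PICTURE),
        "ecb_roundtrip": ecb_decrypt(key, ecb) == PICTURE,
        "cbc_roundtrip": cbc_decrypt(key, cbc) == PICTURE,
    }
```

CBC is used here only because it is the simplest mode that hides block-level patterns; it does not authenticate the data. For real traffic the choice is an authenticated mode such as AES-GCM from a vetted library, never an in-house cipher or mode.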

Good software has built-in anti-tampering mechanisms to make sure that applications don't run code that's been altered by a third party.

Zoom has such anti-tampering mechanisms in place, which is good. But those anti-tampering mechanisms themselves are not protected from tampering, said a British computer student who calls himself "Lloyd" in a blog post April 3.

Needless to say, that's bad. Lloyd showed how Zoom's anti-tampering mechanism can easily be disabled, or even replaced with a malicious version that hijacks the application.

If you're reading this with a working knowledge of how Windows software works, this is a pretty damning passage: "This DLL can be trivially unloaded, rendering the anti-tampering mechanism null and void. The DLL is not pinned, meaning an attacker from a 3rd party process could simply inject a remote thread."

In other words, malware already present on a computer could use Zoom's own anti-tampering mechanism to tamper with Zoom. Criminals could also create fully working versions of Zoom that have been altered to perform malicious acts.

STATUS: Unresolved.

Anyone can "bomb" a public Zoom meeting if they know the meeting number, and then use the file-share feature to post shocking images, or make annoying sounds in the audio. The FBI even warned about it a few days ago.

The host of the Zoom meeting can mute or even kick out troublemakers, but they can come right back with new user IDs. The best way to avoid Zoom bombing is to not share Zoom meeting numbers with anyone but the intended participants. You can also require participants to use a password to log into the meeting.

On April 3, the U.S. Attorney's Office for the Eastern District of Michigan said that "anyone who hacks into a teleconference can be charged with state or federal crimes." It's not clear whether that applies only to eastern Michigan.

STATUS: There are easy ways to avoid Zoom bombing, which we go through here.

Excerpt from:
Zoom privacy and security issues: Here's everything that's wrong (so far) - Tom's Guide

Future Growth Of Database Encryption Market By New Business Developments, Innovations, And Top Companies Forecast To 2025 – Express Journal

The research report on Database Encryption market offers a detailed assessment of this industry vertical, with respect to its various market segments. The study details the entire market scenario by outlining the present position and industry size, based on volume and revenue. The study also highlights important insights of the geographical landscape along with the major participants in the Database Encryption market.

This market study covers the global and regional market with detailed analysis of the overall development prospects in the market. Moreover, it sheds light on the comprehensive competitive landscape of the global market. The report further offers a dashboard overview of topmost companies including their successful marketing strategies, market contribution, recent developments in both historic and present contexts. The report offers a detailed evaluation of the market by highlighting information on different aspects which include drivers, restraints, opportunities, and threats. This information can help stakeholders to make appropriate decisions before investing.

Database Encryption Market 2020-2025 describes a detailed evaluation and proficient study on the current and future state of the Database Encryption market across the globe. Database Encryption Market offers information regarding the developing opportunities in the market and the market drivers, trends and upcoming technologies that will increase these development trends.

Global Database Encryption Market has been exhibited in detail in the following chapters

Chapter 1. Database Encryption Market Preface

Chapter 2. Executive Summary

Chapter 3. Database Encryption Industry Analysis

Chapter 4. Database Encryption Market Value Chain Analysis

Chapter 5. Database Encryption Market Analysis by Type

Chapter 6. Database Encryption Market Analysis by Applications

Chapter 7. Database Encryption Market Analysis by Geography

Chapter 8. Competitive Landscape Of Database Encryption Companies

Chapter 9. Company Profiles Of Database Encryption Industry

Read more from the original source:
Future Growth Of Database Encryption Market By New Business Developments, Innovations, And Top Companies Forecast To 2025 - Express Journal

Protecting consumers' personal data becomes top reason for encryption, global study involving nCipher Security finds – Cambridge Independent

Protecting consumers' personal information has become the primary reason for deploying encryption technology, according to a study involving Cambridge-based nCipher Security.

It also found employee mistakes were the biggest threat to keeping sensitive data safe - outweighing concerns over hacking.

Some 6,457 individuals across multiple industry sectors in 17 countries were surveyed for the 15th annual Global Encryption Trends Study by the Ponemon Institute in collaboration with nCipher, an Entrust Datacard company focused on hardware security modules.

For the first time, protecting consumer data topped the reasons given for using encryption, with 54 per cent citing it as their top priority, while compliance (47 per cent) - traditionally a key driver - was fourth. It has been falling down the list since 2017, indicating that encryption is transitioning from a requirement to a proactive choice to safeguard critical information.

Dr Larry Ponemon, chairman and founder of Ponemon Institute, said: "Consumers expect brands to keep their data safe from breaches and have their best interests at heart. The survey found that IT leaders are taking this seriously, with protection of consumer data cited as the top driver of encryption growth for the first time."

Encryption use is at an all-time high with 48 per cent of respondents this year saying their organization has an overall encryption plan applied consistently across the entire enterprise, and a further 39 per cent having a limited plan or strategy applied to certain application and data types.

Some 54 per cent cited employee mistakes as the biggest threat to keeping sensitive data safe, with hackers (29 per cent), malicious insiders (20 per cent), lawful data requests (12 per cent) and government eavesdropping (11 per cent) well behind in the list.

The growth in digital initiatives, cloud use, mobility, IoT devices and the advent of 5G networks means that data discovery was cited by 67 per cent as the biggest challenge in planning and executing a data encryption strategy. The number of employees working remotely during the pandemic, and keeping extra copies on personal devices or in cloud storage, means this concern is only likely to increase.

John Grimm, vice president of strategy at nCipher, which has a base in Station Square, said: "As the world goes digital, the impact of the global pandemic highlights how security and identity have become critical for organisations and individuals both at work and at home.

"Organisations are under relentless pressure to deliver high security and seamless access, protecting their customer data, business critical information and applications while ensuring business continuity. nCipher empowers customers by providing a high assurance security foundation that ensures the integrity and trustworthiness of their data, applications and intellectual property."

Other findings in the full report, which can be downloaded online, include:

Read more:
Protecting consumers' personal data becomes top reason for encryption, global study involving nCipher Security finds - Cambridge Independent

Signal: We'll be eaten alive by EARN IT Act's anti-encryption wolves – Naked Security

Recent weeks have been rough, with droves of people turning to virtual communication for sensitive conversations they'd like to keep private: medical visits, seeing friends' faces and hearing their voices, or solace for those who've lost loved ones.

Understandably, the end-to-end (E2E) encrypted messaging app Signal has been signing up new users at unprecedented rates and "flipping the switch on servers faster than we ever anticipated," Signal's Joshua Lund said last week.

And you can say goodbye to any of that staying stateside if the EARN IT Act passes.

Signal claims that legal and liability concerns would make it impossible to operate in the US. That doesn't mean it would shut up shop entirely, but it could mean that the non-profit would need to move operations now based in the US.

Called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT Act), the bill was introduced last month. If it passes, EARN IT would require tech companies to meet safety requirements for children online before obtaining immunity from lawsuits. You can read the discussion draft here.

To kill that immunity, the bill would undercut Section 230 of the Communications Decency Act (CDA) from certain apps and companies so that they could be held responsible for user-uploaded content. Section 230, considered the most important law protecting free speech online, states that websites aren't liable for user-submitted content.

The proposed legislation's details haven't been ironed out yet, but at this early point, the bill's intent to water down Section 230 turns that protection into "a hypocritical bargaining chip," Lund wrote on Signal's blog.

At a high level, what the bill proposes is a system where companies have to earn Section 230 protection by following a set of designed-by-committee "best practices" that are extraordinarily unlikely to allow end-to-end encryption. Anyone who doesn't comply with these recommendations will lose their Section 230 protection.

Maybe some of the tech behemoths could swing the potentially huge financial risk that would come with slews of lawsuits as they suddenly become responsible for whatever random things their users say, but not Signal, Lund said.

It would not be possible for a small nonprofit like Signal to continue to operate within the United States. Tech companies and organizations may be forced to relocate, and new startups may choose to begin in other countries instead.

It's bizarre that a government that's reliant on secure, private messaging would even contemplate gutting E2E encryption, Lund said. In February, the European Commission endorsed the messaging app, telling staff to switch to Signal for encrypted messaging. Lund listed other military and government endorsements, calling the proposed legislation "troubling and confusing":

For a political body that devotes a lot of attention to national security, the implicit threat of revoking Section 230 protection from organizations that implement end-to-end encryption is both troubling and confusing. Signal is recommended* by the United States military. It is routinely used by senators and their staff. American allies in the EU Commission are Signal users too. End-to-end encryption is fundamental to the safety, security, and privacy of conversations worldwide.

*The US Military also recommends Wickr for encrypted messaging: both it and Signal feature auto-delete functions that erase messages after a set period of time.

The bill's backers claim that they're not targeting encryption. Rather, as with other attempts to legally enforce encryption backdoors, they're claiming that their real goal is to get companies to accept responsibility for the enabling of online child sexual abuse.

But as has been explained by Riana Pfefferkorn, Associate Director of Surveillance and Cybersecurity at The Center for Internet and Society at Stanford Law, the bill doesn't have any tools to actually stop online child abuse. Furthermore, if it passes, it would actually make it much harder to prosecute pedophiles, she says.

As it now stands, online providers proactively, and voluntarily, scan for child abuse images by comparing their hash values to known abusive content.

Apple does it with iCloud content, Facebook has used hashing to stop millions of nude children's images, and Google released a free artificial intelligence tool to help stamp out abusive material, among other voluntary efforts by major online platforms.

The key word is "voluntarily," Pfefferkorn says. Those platforms are all private companies, as opposed to government agencies, which are required by Fourth Amendment protections against unreasonable search to get warrants before they rifle through our digital content, including email, chat discussions and cloud storage.

The reason that private companies like Facebook can, and do, do exactly that is that they are not the government, they're private actors, so the Fourth Amendment doesn't apply to them.

Turning the private companies that provide those communications into agents of the state would, ironically, result in courts' suppression of evidence of the child sexual exploitation crimes targeted by the bill, she said.

Pfefferkorn has also pointed out that the bill would give unprecedented power to Attorney General William Barr, a vocal critic of end-to-end encryption, who would become the arbiter of any recommendations from the best practices commission that the EARN IT bill would create.

The best practices approach came after pushback over the bills predicted effects on privacy and free speech. The best practices would be subject to approval or veto by Barr, who has issued a public call for backdoors; the Secretary of Homeland Security (ditto); and the Chair of the Federal Trade Commission (FTC).

Basically, those wolves are going to eat smaller encryption providers alive, Lund said:

It is as though the Big Bad Wolf, after years of unsuccessfully trying to blow the brick house down, has instead introduced a legal framework that allows him to hold the three little pigs criminally responsible for being delicious and destroy the house anyway. When he is asked about this behavior, the Big Bad Wolf can credibly claim that nothing in the bill mentions huffing or puffing or the application of forceful breath to a brick-based domicile at all, but the end goal is still pretty clear to any outside observer.

Last month, Sen. Ron Wyden, who introduced the CDA's Section 230, said that the "disastrous" legislation is a Trojan horse that will give President Trump and Attorney General Barr "the power to control online speech and require government access to every aspect of Americans' lives."

The EARN IT Act is only the latest of many attempts to inject an encryption backdoor that the US government and law enforcement agencies have been trying to inflict for years.

Digital rights advocates say that the proposed act could harm free speech and data security, and Sophos concurs. For years, we've said #nobackdoors, agreeing with the Information Technology Industry Council that "Weakening security with the aim of advancing security simply does not make sense."

The EARN IT Act is still working its way through Congress, not having seen a vote in either the House or the Senate.

There's still time to stop it, Lund said. To reach out to elected officials, you can look up contact information on The Electronic Frontier Foundation's Action Center.

See the rest here:
Signal: We'll be eaten alive by EARN IT Act's anti-encryption wolves - Naked Security