Researchers Discover TPM-Fail Vulnerabilities Affecting Billions of Devices – Internet

A team of cybersecurity researchers today disclosed details of two new potentially serious CPU vulnerabilities that could allow attackers to retrieve cryptographic keys protected inside TPM chips manufactured by STMicroelectronics or firmware-based Intel TPMs.

Trusted Platform Module (TPM) is a specialized hardware or firmware-based security solution that has been designed to store and protect sensitive information from attackers even when your operating system gets compromised.

TPM technology is widely used in billions of desktops, laptops, servers, smartphones, and even Internet-of-Things (IoT) devices to protect encryption keys, passwords, and digital certificates.

"A privileged adversary can exploit the OS kernel to perform accurate timing measurement of the TPM, and thus discover and exploit timing vulnerabilities in cryptographic implementations running inside the TPM."

"They are practical [attacks]. A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes, depending on the access level."

"Further, we managed to recover ECDSA keys from an fTPM-endowed server running StrongSwan VPN over a noisy network as measured by a client."

"The fact that a remote attack can extract keys from a TPM device certified as secure against side-channel leakage underscores the need to reassess remote attacks on cryptographic implementations."

"The vulnerable Intel fTPM is used by many PC and laptop manufacturers, including Lenovo, Dell, and HP."

Besides this, the researchers also tested TPM solutions manufactured by Infineon and Nuvoton and found them vulnerable to non-constant execution timing leakage issues.
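The defect class the researchers describe, as an added illustration that is not the researchers' code or any TPM firmware: a scalar multiplication that starts its loop at the nonce's top set bit performs fewer group operations for a nonce with leading zero bits, so the signing time leaks the nonce's bit length (the leakage TPM-Fail exploited against ECDSA), whereas a fixed-iteration ladder does the same work for every scalar. The curve below is a constructed textbook toy (y² = x³ + 2x + 2 over F₁₇, generator (5, 1) of order 19) and an operation counter stands in for a stopwatch.

```python
"""
Toy illustration of the TPM-Fail defect class: an ECDSA nonce k is multiplied
into a curve point with a loop whose iteration count depends on k's bit
length, so timing reveals how many leading zero bits the secret nonce has.
The curve is a constructed textbook toy (y^2 = x^3 + 2x + 2 over F_17,
generator (5, 1) of order 19); nothing here is cryptographically useful.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

P = 17                    # field prime
A, B = 2, 2               # curve coefficients
G = (5, 1)                # generator
N = 19                    # order of G
N_BITS = N.bit_length()   # 5: every scalar below N fits in this many bits

Point = Optional[Tuple[int, int]]   # None is the point at infinity


@dataclass
class OpCounter:
    """Stands in for a stopwatch: counts group operations performed."""
    ops: int = 0


def point_add(p: Point, q: Point, ctr: OpCounter) -> Point:
    """Affine addition (also handles doubling and infinity); one tick per call."""
    ctr.ops += 1
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:          # p == -q (or doubling with y == 0)
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult_leaky(k: int, ctr: OpCounter) -> Point:
    """Left-to-right double-and-add starting at the top SET bit of k.
    Iterations == k.bit_length(), so a nonce with leading zero bits finishes
    measurably sooner: the non-constant timing the article describes."""
    r: Point = None
    for i in range(k.bit_length() - 1, -1, -1):
        r = point_add(r, r, ctr)                 # double
        if (k >> i) & 1:
            r = point_add(r, G, ctr)             # add
    return r


def scalar_mult_fixed(k: int, ctr: OpCounter) -> Point:
    """Montgomery ladder over a FIXED number of bits (the group order's).
    Every scalar does exactly one addition and one doubling per bit, so the
    operation count is independent of k.  (A production implementation would
    also select points without a secret-dependent branch; the property shown
    here is the fixed iteration count.)"""
    r0: Point = None
    r1: Point = G
    for i in range(N_BITS - 1, -1, -1):
        if (k >> i) & 1:
            r0 = point_add(r0, r1, ctr)
            r1 = point_add(r1, r1, ctr)
        else:
            r1 = point_add(r0, r1, ctr)
            r0 = point_add(r0, r0, ctr)
    return r0


def op_count(mult, k: int) -> Tuple[Point, int]:
    """Run a multiplication routine and return (result, operations performed)."""
    ctr = OpCounter()
    return mult(k, ctr), ctr.ops


def leaks_bit_length(mult) -> bool:
    """Defender's regression check: does the work done vary across scalars?
    True means the routine's timing depends on the secret nonce."""
    counts = {op_count(mult, k)[1] for k in range(1, N)}
    return len(counts) > 1


if __name__ == "__main__":
    for k in (1, 9, 18):
        print(k, op_count(scalar_mult_leaky, k)[1], op_count(scalar_mult_fixed, k)[1])
    print("leaky:", leaks_bit_length(scalar_mult_leaky),
          "fixed:", leaks_bit_length(scalar_mult_fixed))
```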

Researchers responsibly reported their findings to Intel and STMicroelectronics in February this year, and the companies just yesterday released a patch update for affected products.


How SMS Works and Why You Shouldn't Use It Anymore – Popular Mechanics

Did you know that, on average, 6 billion SMS messages are sent every day in the U.S. alone? That's 180 billion each month and 2.27 trillion each year. Globally, 4.2 billion people are texting. No doubt you're one of them, which means you fire off approximately 67 texts a day. That's a lot of LOLs.

When you send all those texts, you probably assume that you and your recipients are the only ones privy to the information contained within. That's where you'd be wrong.

The truth is that text messages aren't secure, and that insecurity opens you, your friends, family, and business up to risk. And it isn't even your fault; the default text messaging services many of us use are old and vulnerable to a number of different attack scenarios. While carriers are on a path to update them, it might be too little, too late.

But before you can understand why you should spend more energy on practicing safe texting, it may be helpful to understand how the whole system works in the first place. Here's the breakdown.

If you're sending a text message, you're generally sending an SMS, which stands for Short Message Service. It's the oldest and one of the most widely used text messaging services today. It includes MMS (Multimedia Messaging Service), which enables SMS users to send multimedia content like images, audio, and visual files. Both SMS and MMS are sent over cellular networks and thus require a wireless plan and a wireless carrier.

If you send a traditional text message on your phone, it's considered an SMS. When you send that gif, you've just sent an MMS.

When you send a text message, it first goes to a nearby cellular tower over a pathway called the control channel, and then into an SMS center (SMSC). The SMSC resends that message to the tower closest to the recipient, and then it goes to their phone. SMS also sends data associated with the message, including the length of the message, format, time stamp, and destination.

Of the 109 text messages I sent yesterday, for example, 15 of them were SMS messages sent to people who have phones on other carriers, 70 were sent through iMessage, and the rest were sent via OTT applications.

WhatsApp, iMessage, Facebook Messenger, WeChat, and other messaging apps are grouped together as OTT applications and are also considered texting services. OTT stands for Over the Top; as a group, these apps differ from SMS services because they use internet protocols (IP) rather than cellular networks to transmit messages. This means these messages are sent through an internet connection (aka WiFi) or via a mobile internet connection.

OTT apps work in a way that's different from SMS because they send encrypted messages that only you and the person receiving your message can access. That means the messaging service doesn't know what you're sending, and neither does anyone else who might intercept that web traffic.

For example, WeChat uses Extensible Messaging and Presence Protocol (XMPP) to exchange data between the users. This protocol is decentralized and, as a result, considered secure and flexible. The company also uses SSL/TLS encryption. All of this is intended to ensure that other people aren't seeing your messages.

When considering messaging services, people often have to choose between sending via SMS or sending via an OTT service. If you've traveled extensively outside the U.S., you've probably noticed that people in many other countries prefer WhatsApp to text messaging.

SMS is the most ubiquitous, but least secure, messaging medium. OTT apps require you to be using the same platform as the person you're messaging, which can be annoying. Maybe your friends don't want to download another app just for texting, but continuing to use SMS could put you at risk because it doesn't have end-to-end encryption.

As OTT apps cannibalize the SMS market, carriers have become incentivized to improve SMS services in the form of Rich Communication Services (RCS). RCS theoretically combines the best features of OTT apps into one protocol that's universal across carriers and devices. This new protocol will replace SMS and has been a work in progress for more than a decade.

Approved by the GSMA in 2008, RCS was fully adopted in 2016. Since then, the RCS Universal Profile has been pushed out with strong support and back-end services from Google (which acquired Jibe) with the goal of providing consistent, interoperable messaging services across all devices and networks. This not only helps create a global standard, but also improves Android capacity, which is notoriously more vulnerable to attacks. As Dan Wood of Bishop Fox noted in an interview, "A lot of SMS phishing is done against Android platforms."

RCS has the ability to:

However, while RCS doesn't have end-to-end encryption, it does have the standard security protocols of Transport Layer Security and IPsec.

RCS doesn't use a cellular connection, but instead relies on a data connection and is both hardware- and platform-agnostic. Sprint, US Cellular, and Google Fi have implemented RCS fully across their networks and all devices. Other networks are implementing it for specific devices with broader plans to roll out further through 2020. And, moving forward, all devices should support this feature out of the box.

In short, RCS is an attempt by carriers to ensure the continued use of out-of-the-box messaging services and the connected data plans that accompany such usage. However, it doesn't enhance the overall security of information shared.

With the recent ghost texting controversy, people have started to question just how secure text messages are. The simple answer: not very.

Remember: text messages are sent in a multi-step process. While your message might be encrypted from your phone to the first cell tower, it's not encrypted after that. And your SMSC may keep the message even if both the sender and recipient delete it. Whenever a message is unencrypted, it can be read by the mobile service, hackers, or governments.

"Because of the lack of encryption, hackers can search for weak points anywhere along the virtual path between the sender and receiver, which includes a ton of different network devices and computing systems at many different providers, only one of which needs to be exploited via technical vulnerability, misconfiguration, social engineering or insider attack," says Christopher Howell, CTO of Wickr.

"Because the messages are stored on these systems longer than necessary," Howell continues, "it increases the window of vulnerability through which the hacker can attack. Rather than having to defend a system for a few seconds to prevent a hacker from stealing a message, it needs to be protected for days, weeks, months. These odds favor the hacker."

It's unlikely that you're using your cell phone to text about military launch codes, top secret government business, or anything else that's of much use to the average hacker. But what about a text exchange about a friend's decision to leave their spouse, your boss's cancer scare, or your little sister's decision to switch jobs? Would you want that information to get disseminated somewhere else? What about information about your children, your pets, or a naked selfie that could help someone track where you are, guess your passwords, or find the tattoo on your left thigh that's also your bank account password?

It's not always about protecting big secrets; it's about ensuring personal privacy for everyone involved.

There are a number of ways that malicious actors (governments, terrorists, etc.) can hack into SMS systems and use them for their own benefit.

Governments are hacking using SMS. Chinese hackers recently did this when they developed malware to steal SMS messages. The malware used a keyword list of terms that were of geopolitical interest for Chinese intelligence collection and then connected those terms with phone numbers that they then tracked. The group responsible for this (APT41) also interacted with call detail records and tracked high-ranking individuals who were of interest to Chinese intelligence.

"There are 0day bugs on the market that can remote access your phone without you having to click on any sort of link or do anything at all," says Ben Lamm, the CEO of Hypergiant. "In fact, this market is growing as are all threats to vulnerable systems. The secret here is that we need to all be more focused on security, on protecting ourselves from vulnerability and on understanding that one insecure individual can compromise the whole group."

Take, for instance, two-factor authentication, which we generally think of as safe. If that second factor authentication is through an SMS service, it could be intercepted, meaning the system you thought was secure might now be compromised. This is important if, say, you use two-factor authentication to protect your bank account, corporate email, or dating profile.

Regular people are hacking and being hacked using SMS, too. "Text message hacks are happening everywhere, from middle schoolers hacking their enemies to steal their pictures to nation state level attacks," says Georgia Weidman, the founder of Shevirah Inc. and a New America Cybersecurity Policy Fellow.

Given the propensity for and variety of attacks, it makes sense to consider alternative services that offer end-to-end encryption. Popular secure apps include:

"An attacker might send a text message enticing a user to log into their bank or download a malicious application. Many users are getting security awareness training to be wary of phishing via email, but that education is often lacking around mobile based attack vectors such as text message or WhatsApp," Weidman says. "Additionally, the text messaging programs on our phones are just software like any other and thus prone to security vulnerabilities. There have been instances in the past where an attacker could send a malformed text message to a device and gain control of the device."

The truth is we all need to use an extra dose of common sense.

"Use the same caution when responding to SMS text messages as you would a suspicious email," says Kristin Kozinski of Don't Click on That. "When evaluating a message consider the source of the message. If you don't recognize the number, confirm the context of the message elsewhere. For example, if your bank texts you, call the customer support number to verify the message you received. Be cautious of any link in the text message. This is a prime outlet for distributing malicious URLs. Finally, if the text sounds too good to be true, it probably is."


Lt. Col. Allen West Commends President Trump for His Clemency and Restoration of Rank to Three Service Members – Released by West4Texas – PRNewswire

DALLAS, Nov. 15, 2019 /PRNewswire/ -- Lt. Col. Allen West is elated that President Trump has brought justice to Army First Lieutenant Clint Lorance, Army Major Matthew Golsteyn, and Special Warfare Operator First Class Edward R. Gallagher.

Since 2013, Allen West has lobbied for the release of First Lieutenant Clint Lorance and has been a committed supporter of both Major Golsteyn and Operator Gallagher.

Lt. Col. West is thrilled that, "The travesty of injustice for these men is over, especially Texan First Lieutenant Clint Lorance. These men aren't guilty of war crimes, they simply did what combat leaders are supposed to do, engage and kill the enemy. If our Army could set Bowe Bergdahl and Bradley Manning free, who were guilty of desertion and treason, then no one should raise a contrarian voice in the matter of these pardons. Now, the military JAG officers responsible for withholding exculpatory evidence should be disciplined. God's blessings to the families and to all who never lost faith and kept speaking up and out. Thanks, President Trump, for doing the right thing and standing up for our combat warriors."

This is just another clarion example of how Republican and Democrat leadership diverges. Democrats pardon and release traitors, Republicans protect heroes.

Colonel West's full statement and other releases can be found here: https://west4texas.com/news/?md_post_type=nooz_release

Learn more about Allen West, his campaign, and how to keep Texas Red by visiting www.west4texas.com.

SOURCE West4Texas

https://west4texas.com


What Is Homomorphic Encryption? And Why Is It So Transformative? – Forbes

The problem with encrypted data is that you must decrypt it in order to work with it. By doing so, it's vulnerable to the very things you were trying to protect it from by encrypting it. There is a powerful solution to this scenario: homomorphic encryption. Homomorphic encryption might eventually be the answer for organizations that need to process information while still protecting privacy and security.


What is homomorphic encryption?

Homomorphic encryption makes it possible to analyze or manipulate encrypted data without revealing the data to anyone. Something as simple as looking for a coffee shop when you're out of town reveals huge volumes of data to third parties as they help you satiate your caffeine craving: the fact that you're seeking a coffee shop, where you are when you're searching, what time it is and more. If homomorphic encryption were applied in this fictional coffee search, none of this information would be visible to any of the third parties or service providers such as Google. In addition, they wouldn't be able to see what answer you were given regarding where the coffee shop is and how to get there.

While we might be willing to part with the data that is exposed when we search for our next caffeine fix, homomorphic encryption has huge potential in areas with sensitive personal data, such as financial services or healthcare, where the privacy of a person is paramount. In these cases, homomorphic encryption can protect the sensitive details of the actual data while still allowing it to be analyzed and processed.

Another bonus of homomorphic encryption is that unlike other encryption models in use today, it is safe from getting broken by quantum computers.

Just like other forms of encryption, homomorphic encryption uses a public key to encrypt the data. Unlike other forms of encryption, it uses an algebraic system to allow functions to be performed on the data while it's still encrypted. Then, only the individual with the matching private key can access the unencrypted data after the functions and manipulation are complete. This allows the data to be and remain secure and private even when someone is using it.

There are three main types of homomorphic encryption: partially homomorphic encryption (keeps sensitive data secure by only allowing select mathematical functions to be performed on encrypted data); somewhat homomorphic encryption (supports limited operations that can be performed only a set number of times); fully homomorphic encryption (this is the gold standard of homomorphic encryption that keeps information secure and accessible).

Dr. Craig Gentry describes homomorphic encryption as a glovebox where anybody can get their hands into the glovebox and manipulate what's inside, but they are prevented from extracting anything from the glovebox. They can only take the raw materials and create something inside the box. When they finish, the person who has the key can remove the materials (processed data).

Practical Applications of Homomorphic Encryption

While cryptographers have known of the concept of homomorphic encryption since 1978, it wasn't until Dr. Gentry created an algebraically homomorphic encryption system for his graduate thesis, establishing the first homomorphic encryption scheme in 2009, that the idea progressed. As mentioned, homomorphic encryption could make our searches more private on search engines, but there are other practical applications for it, both for data in use and for data in transit.

One very relevant way homomorphic encryption can be used is to ensure democratic elections are secure and transparent. Votes could be added up while keeping the identities of the voters private; third parties could verify the results, and voting data would be protected from manipulation.
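The election example above, worked through as an added illustration (not code from the article or from any product it mentions): Paillier encryption is "partially homomorphic" in the article's terms, because multiplying two ciphertexts yields an encryption of the sum of their plaintexts, so a tallier can add encrypted ballots and decrypt only the aggregate. The primes, the ballot encoding (one 8-bit counter per candidate packed into a single plaintext) and the sample votes are all constructed for this example.

```python
"""
Added illustration of additively homomorphic (Paillier, 1999) encryption used
to tally votes that are never decrypted individually.  Paillier supports
adding ciphertexts and scaling by a known constant, but not multiplying two
ciphertexts, which is what makes it 'partially' rather than 'fully'
homomorphic.  Primes are toy-sized (about 30 bits); real deployments use
1024-bit or larger primes and usually split the private key among trustees.
"""
from dataclasses import dataclass
from math import gcd
from typing import List, Optional, Tuple
import secrets


@dataclass(frozen=True)
class PublicKey:
    n: int   # modulus p*q; plaintexts live in Z_n, ciphertexts in Z_{n^2}
    g: int   # generator, here the standard simple choice n + 1


@dataclass(frozen=True)
class PrivateKey:
    lam: int  # lcm(p - 1, q - 1)
    mu: int   # (L(g^lam mod n^2))^-1 mod n, with L(u) = (u - 1) // n


def keygen(p: int, q: int) -> Tuple[PublicKey, PrivateKey]:
    """Derive a Paillier key pair from two distinct primes (passed in, not
    generated, so the example is deterministic and runs offline)."""
    assert p != q and gcd(p * q, (p - 1) * (q - 1)) == 1
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return PublicKey(n, g), PrivateKey(lam, mu)


def encrypt(pk: PublicKey, m: int, r: Optional[int] = None) -> int:
    """c = g^m * r^n mod n^2 with fresh random r coprime to n; the randomness
    makes two encryptions of the same ballot indistinguishable."""
    assert 0 <= m < pk.n
    n_sq = pk.n * pk.n
    while r is None or gcd(r, pk.n) != 1:
        r = secrets.randbelow(pk.n - 1) + 1
    return pow(pk.g, m, n_sq) * pow(r, pk.n, n_sq) % n_sq


def decrypt(pk: PublicKey, sk: PrivateKey, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n."""
    u = pow(c, sk.lam, pk.n * pk.n)
    return (u - 1) // pk.n * sk.mu % pk.n


def add_encrypted(pk: PublicKey, c1: int, c2: int) -> int:
    """Homomorphic addition: Enc(a) * Enc(b) = Enc(a + b)."""
    return c1 * c2 % (pk.n * pk.n)


def scale_encrypted(pk: PublicKey, c: int, k: int) -> int:
    """Multiplication by a known constant: Enc(a)^k = Enc(k * a)."""
    return pow(c, k, pk.n * pk.n)


SLOT_BITS = 8   # each candidate gets an 8-bit counter inside one plaintext


def cast_ballot(pk: PublicKey, candidate: int, num_candidates: int) -> int:
    """A vote for candidate i is the plaintext 2^(SLOT_BITS * i): a 1 in that
    candidate's counter, 0 in every other.  Encrypted on the voter's side, so
    the tallier only ever receives the ciphertext."""
    assert 0 <= candidate < num_candidates
    assert SLOT_BITS * num_candidates < pk.n.bit_length() - 1, "too many slots"
    return encrypt(pk, 1 << (SLOT_BITS * candidate))


def tally(pk: PublicKey, sk: PrivateKey, ballots: List[int],
          num_candidates: int) -> List[int]:
    """Add every encrypted ballot, decrypt the single aggregate once, and
    unpack the per-candidate counts.  No individual ballot is decrypted."""
    assert len(ballots) < (1 << SLOT_BITS), "a counter slot would overflow"
    total = encrypt(pk, 0)                       # running sum starts at Enc(0)
    for c in ballots:
        total = add_encrypted(pk, total, c)
    packed = decrypt(pk, sk, total)
    mask = (1 << SLOT_BITS) - 1
    return [(packed >> (SLOT_BITS * i)) & mask for i in range(num_candidates)]


if __name__ == "__main__":
    pk, sk = keygen(1000000007, 998244353)      # two well-known small primes
    votes = [0, 2, 2, 1, 2, 0]                   # constructed sample ballots
    ballots = [cast_ballot(pk, v, 3) for v in votes]
    print(tally(pk, sk, ballots, 3))             # [2, 1, 3]
```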

It's been challenging for highly regulated industries to securely outsource data to cloud environments or data-sharing partners for research and analytics. Homomorphic encryption could change that, since it makes it possible for data to be analyzed without jeopardizing privacy. This can impact many industries, including financial services, information technology, healthcare, and more.

What are the barriers to using homomorphic encryption?

The biggest barrier to widescale adoption of homomorphic encryption is that it is still very slow, so slow that it's not yet practical to use for many applications. However, companies such as IBM and Microsoft, and researchers such as Dr. Gentry, are working diligently to speed up the process by decreasing the computational overhead that homomorphic encryption requires.


This Encrypted Security Camera Is over 65% off Today – Interesting Engineering

Home security cameras have made it easier than ever to keep an eye on your belongings and even your loved ones while you're away, but even the best security cameras are useless if nefarious hackers can access your video feed.

This iPM World 360-Degree 1080p Wireless IP Security Camera comes with a completely encrypted stream, and it's available for over 65% off at just $39.99 as part of a special Black Friday deal.

This discreet security camera allows you to stream panoramic views of your home directly to your phone.

You'll be able to keep tabs on your space without having to deal with a bulky and obtrusive camera, view footage from all of your devices via a WiFi client, and keep your feed safe from prying eyes thanks to front-to-back encryption.

You'll even be able to view footage day or night thanks to infrared night vision.

Keep an eye on your home with this iPM World 360-Degree 1080p Wireless IP Security Camera for just $39.99, over 65% off before Black Friday.

Prices are subject to change.

This is a promotional article about one of Interesting Engineering's partners. By shopping with us, you not only get the materials you need, but you're also supporting our website.


Apple to fix Siri bug that exposed parts of encrypted emails – Naked Security

Apple may care about your privacy, but that doesn't mean it gets it right all the time, especially when it comes to training its Siri AI assistant. Last week, a researcher went public with a glaring security hole in the way that Siri gets to know you.

Apple IT specialist Bob Gendler was tinkering around in the macOS operating system to understand more about how Apple personalizes Siri for each user. During the process, he found that the operating system was storing portions of user emails in plaintext, even when they were supposed to be encrypted.

According to Gendler's Medium post revealing the issue, Apple uses a system process called suggestd. Apple explains (as part of a help file system in the underlying BSD OS) that the program, which runs constantly, slurps content from various apps. These include Spotlight (the macOS indexing system), Mail, and Messages. It uses them to learn how you work and what you're interested in, using it for things like news personalization.

When it reads this information, it stores it in the snippets.db file inside the macOS Suggestions folder. Even emails encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME), a technology that uses public and private keys to digitally sign and protect emails, didn't escape. Suggestd stored the plaintext versions, with no encryption at all, in the database.

An attacker would need full disk access to your system files to look at this information, because macOS protects it with its System Integrity Protection feature, an OS X El Capitan-era security measure that ring-fences important system files. However, we know from recent problems that some people have needed to turn this off, and Gendler says that any program with full disk access in macOS could potentially harvest the data. Because Apple's Finder (the equivalent of Windows File Explorer) has full access, a rogue AppleScript program could do it.

How do you stop macOS from storing your secret emails in plaintext? Simply turning off Siri won't do it, because suggestd is still working behind the scenes. Instead, you can do it manually by entering a command in your terminal window (you don't need to have root access to do it):

If you want to quickly stop Siri learning from all of your apps, open System Preferences, and then Siri. Click About Siri & Privacy, and then deselect all your apps in turn.

These solutions only work on a per-user basis, but Gendler also provides a longer script that you can run to turn off Siri-based Apple Mail snooping for all users on the system.

If an attacker could get malware on a victim's Mac with full disk access, there is a chance they could read sensitive material from the snippets.db file, but the stars would have to align. It's serious, but perhaps not as serious and visible a privacy issue as Apple's revelation earlier this year that it was letting contractors listen to Siri recordings. It revised its policy on that quickly enough, but Gendler complains that it dragged its heels for 100 days after he reported this new issue, omitting a fix from several security updates across more than one OS version. He said:

For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. It brings up the question of what else is tracked and potentially improperly stored without you realizing it.

Eventually, Apple sent him the instructions for turning off Siri-based app learning via System Preferences that we've just given you.

Apple said it's aware of the issue and will address it in a future software update.


Encryption Software Market Analysis by Top Companies, Driver, Existing Trends and Global Forecast by 2026 – WindStreetz

Encryption Software Market Overview:

The Encryption Software Market is expected to grow at a significant pace, reports Verified Market Research. Its latest research report, titled [Global Encryption Software Market Size and Forecast 2019-2026, Breakdown Data by Companies, Key Regions, Types and Application], offers a unique point of view about the global market. Analysts believe that the changing consumption patterns are expected to have a great influence on the overall market. For a brief overview of the global Encryption Software Market, the research report provides an executive summary. It explains the various factors that form an important element of the market. It includes the definition and the scope of the market with a detailed explanation of the market drivers, opportunities, restraints, and threats.

Global Encryption Software Market: Segmentation

The chapters of segmentation allow the readers to understand the aspects of the market such as its products, available technologies, and applications of the same. These chapters are written in a manner to describe their development over the years and the course they are likely to take in the coming years. The research report also provides insightful information about the emerging trends that are likely to define progress of these segments in the coming years.

Request a Sample Copy of this report @ https://www.verifiedmarketresearch.com/download-sample/?rid=1826&utm_source=WSN&utm_medium=AK

Key Players Mentioned in the Encryption Software Market Research Report:

Encryption Software Market: Regional Segmentation

For a deeper understanding, the research report includes geographical segmentation of the Encryption Software Market. It provides an evaluation of the volatility of the political scenarios and amends likely to be made to the regulatory structures. This assessment gives an accurate analysis of the regional-wise growth of the Encryption Software Market.

Encryption Software Market: Research Methodology

The research methodologies used by the analysts play an integral role in the way the publication has been collated. Analysts have used primary and secondary research methodologies to create a comprehensive analysis. For an accurate and precise analysis of the Encryption Software Market, analysts have used both bottom-up and top-down approaches.

Ask for Discount @ https://www.verifiedmarketresearch.com/ask-for-discount/?rid=1826&utm_source=WSN&utm_medium=AK

Table of Contents

1 Introduction of Encryption Software Market
1.1 Overview of the Market
1.2 Scope of Report
1.3 Assumptions

2 Executive Summary

3 Research Methodology of Verified Market Research
3.1 Data Mining
3.2 Validation
3.3 Primary Interviews
3.4 List of Data Sources

4 Encryption Software Market Outlook
4.1 Overview
4.2 Market Dynamics
4.2.1 Drivers
4.2.2 Restraints
4.2.3 Opportunities
4.3 Porter's Five Force Model
4.4 Value Chain Analysis

5 Encryption Software Market, By Deployment Model
5.1 Overview

6 Encryption Software Market, By Solution
6.1 Overview

7 Encryption Software Market, By Vertical
7.1 Overview

8 Encryption Software Market, By Geography
8.1 Overview
8.2 North America
8.2.1 U.S.
8.2.2 Canada
8.2.3 Mexico
8.3 Europe
8.3.1 Germany
8.3.2 U.K.
8.3.3 France
8.3.4 Rest of Europe
8.4 Asia Pacific
8.4.1 China
8.4.2 Japan
8.4.3 India
8.4.4 Rest of Asia Pacific
8.5 Rest of the World
8.5.1 Latin America
8.5.2 Middle East

9 Encryption Software Market Competitive Landscape
9.1 Overview
9.2 Company Market Ranking
9.3 Key Development Strategies

10 Company Profiles
10.1.1 Overview
10.1.2 Financial Performance
10.1.3 Product Outlook
10.1.4 Key Developments

11 Appendix
11.1 Related Research

Complete Report is Available @ https://www.verifiedmarketresearch.com/product/global-encryption-software-market-size-and-forecast-to-2025/?utm_source=WSN&utm_medium=AK

We also offer customization on reports based on specific client requirement:

1. Free country-level analysis for any 5 countries of your choice.

2. Free competitive analysis of any market players.

3. Free 40 analyst hours to cover any other data points.

About Us:

Verified Market Research has been providing Research Reports, with up to date information, and in-depth analysis, for several years now, to individuals and companies alike that are looking for accurate Research Data. Our aim is to save your Time and Resources, providing you with the required Research Data, so you can only concentrate on Progress and Growth. Our Data includes research from various industries, along with all necessary statistics like Market Trends, or Forecasts from reliable sources.

Contact Us:

Mr. Edwyne Fernandes
Call: +1 (650) 781 4080
Email: sales@verifiedmarketresearch.com



C8 Corvette: GM Evaluating Next Steps Regarding ECU Encryption – Muscle Cars and Trucks Media

Since the launch of MC&T, we have been following the rising issues circulating around the cybersecurity of modern engine control units. Back in May, we originally received word that the new C8 Corvette will feature ECU encryption that will effectively lock tuners out of the engine. When others attempted to debunk this fact, we provided verification from a certain GM executive. However, it's not exclusive to any one automaker, with several companies introducing ECU encryption (or something close to it) as hacking becomes a perceived threat in modern vehicles.

However, this soon may change to the benefit of the performance aftermarket.

"We're investigating our next steps in the calibration space; we're looking at how we're going to manage that right now," said Russ O'Blenes, director of Performance Variants, Parts & Motorsports, in an interview with MC&T.

Customers looking to the aftermarket to increase the output of, say, the 2020 Chevrolet Silverado 1500 or the 2020 GMC Sierra 1500 pickup trucks currently have little to no options outside of bolt-on parts such as a performance exhaust or intake kit. The case will be the same when the C8 Corvette launches next year: uncorking the LT2 V8 engine will be extremely limited without accessing the ECU, which controls just about every action happening within the engine, such as spark, fuel injection, etc.

Even certain crate engines, such as the mighty LT5, a supercharged 6.2L V8 from the C7 Corvette ZR1 with 755 horsepower, come with encrypted ECUs that keep out anybody attempting to tamper with them. This began with the rollout of GM's most advanced version of its Global A electronics architecture, found in its T1 pickup trucks and the C7 ZR1. The next generation, Global B, will be found in the 2020 C8 Corvette Stingray. Its capabilities will allow for several types of over-the-air updates, including chassis control upgrades. However, this double-edged-sword approach that OEMs are taking effectively keeps the hackers away, but the performance and tuning industry has become collateral damage.

"The reality is that it isn't a GM-specific thing," said O'Blenes. "And as we get towards more system control of the vehicle, we need to continue to drive that safety is the number one priority at GM, and then we need to figure out how we can manage through to make sure that we don't leave out our performance customers that want to make modifications."

We learned from talking to several people during the 2019 SEMA Show that aftermarket companies, especially those focusing on pickup trucks, are currently left completely out of offering upgrades on new GM truck platforms. Instead, they've been focusing more on late-model, restomod, and pro-touring solutions to keep business afloat. Even more well-known companies, such as Hennessey and Lingenfelter, have been unable to offer power upgrades on GM trucks.

Another issue, say sources, is that automakers could end up picking and choosing tuning companies, while locking out others. But the reality is that the framework for such a screening process is not yet fully solidified, and an ECU encryption solution, such as a backdoor, authentication code, or a master key, first needs to arise before this can even be a concern.

More here:
C8 Corvette: GM Evaluating Next Steps Regarding ECU Encryption - Muscle Cars and Trucks Media

GitHub will store all of its public open source code in an Arctic vault – Engadget

At its Universe Developer Conference two days ago, GitHub announced its Archive Program -- its plan to preserve all of its open source software for future generations. The program will see this data stored on an ongoing basis across various data formats and locations, including in the Arctic World Archive, a vault hidden 250 meters within an Arctic mountain in Svalbard. The Doomsday seed vault is just around the corner.

The data is stored on reels of film coated with iron oxide powder. It can be read by a computer or -- in the event of a global power outage -- by a human with a magnifying glass. Crucially, this film will last for 1,000 years. Among the first data deposits at the vault are the source code for the Android and Linux operating systems, as well as a range of programming languages, web platforms, cryptocurrencies and AI tools. GitHub is planning on having all active public repositories stored by February 2020.

The data will sit alongside digitally preserved national archives from around the world, including artworks, music, scientific breakthroughs, historical manuscripts and archaeological finds. Should some kind of apocalyptic event take place, all this data could well be used to help rebuild a global society. If not, it will at least act as a valuable time capsule. After all, just 20 years ago open source code was a very fringe idea -- now the world all but depends on it. Who knows what technology will look like in 1,000 years' time?

Read this article:
GitHub will store all of its public open source code in an Arctic vault - Engadget

What is a software bill of materials? – Security Boulevard

With a software bill of materials (software BOM), you can respond quickly to the security, license, and operational risks that come with open source use.

A software bill of materials is a list of all the open source and third-party components present in a codebase. A software BOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status.

Any organization that builds software needs to maintain a software BOM for its codebases. Organizations typically use a mix of custom-built code, commercial off-the-shelf code, and open source components to create software. As one principal architect of a leading software supply chain provider notes, "We have over a hundred products, with each of those products having hundreds to thousands of different third-party and open source components." A software bill of materials allows organizations to track all the components in their codebases.

The concept of a software bill of materials derives from manufacturing, where a bill of materials is an inventory detailing all the items included in a product. In the automotive industry, for example, manufacturers maintain a detailed bill of materials for each vehicle. This BOM lists both parts built by the original equipment manufacturer itself and parts from third-party suppliers. When a defective part is discovered, the auto manufacturer knows precisely which vehicles are affected and can notify vehicle owners of the need for repair or replacement.

Similarly, smart organizations that build software maintain an accurate, up-to-date software BOM that includes an inventory of third-party and open source components to ensure their code is high quality, compliant, and secure.

Have your developers used open source components in your code? There's better than a 90% chance that they have. Open source helps you shorten development time, increase speed of execution, and profitably deliver your products to your customers. Analysts such as Forrester and Gartner note that the vast majority of IT organizations use open source software for mission-critical workloads and that some applications comprise up to 90% open source components.

But few companies have much visibility into the open source they use. Even fewer can produce an accurate, up-to-date software bill of materials that includes open source components. A comprehensive software BOM lists all open source components in your applications as well as those components' licenses, versions, and patch status.

Do you know whether the licenses for the open source components your applications include are permissive or viral? Are you using one of the top open source licenses or a one-off variant?

Failure to comply with open source licenses can put businesses at significant risk of litigation and compromise of intellectual property (IP). In 95% of the scans our software audit services team conducts, we find open source that the target doesn't know was there. Furthermore, 68% of the codebases we audited in 2018 contained components with license conflicts. A software bill of materials lists the open source licenses that govern the components you use, allowing you to assess your legal and IP risk.

Do you know whether the open source components in your codebase are being maintained? Operational risk is an important consequence of open source use. Many open source components are abandoned. In other words, they no longer have a community of developers contributing to, patching, or improving them. In fact, a recent Gartner survey found that the long-term viability of open source projects was a top concern of development organizations.

When a component is inactive and no one is maintaining it, no one is addressing potential issues such as weaknesses and vulnerabilities. Our audit services team found that 85% of the codebases we scanned in 2018 contained open source components that were more than four years out of date or had no development activity in the last two years. A software bill of materials lists the versions of the open source components in your codebase, so you can determine whether you're using any outdated, potentially insecure code.

Do you know whether the open source components you're using have any known vulnerabilities? While the number of vulnerabilities in open source is small compared to proprietary software, over 7,000 open source vulnerabilities were discovered in 2018 alone. Over 50,000 have emerged over the past two decades. Our audit services team found that 60% of the codebases scanned in 2018 contained at least one open source vulnerability, and over 40% contained high-risk vulnerabilities.

Only a handful of open source vulnerabilities, such as those infamously affecting Apache Struts or OpenSSL, are ever likely to be widely exploited. But when such an exploit occurs, the need for open source security becomes front-page news, as it did with the Equifax data security breach of 2017. A major contributing factor to Equifax's breach was the company's lack of a comprehensive IT asset inventory, in other words, a software bill of materials. "This made it difficult, if not impossible, for Equifax to know if vulnerabilities existed on its networks," a report on the incident concluded. If a vulnerability cannot be found, it cannot be patched.

Software composition analysis tools can generate a complete software BOM that tracks third-party and open source components and identifies known security vulnerabilities, associated licenses, and code quality risks.

Given that open source is an essential component of application development today, every software development team should use an effective software composition analysis (SCA) tool to inventory the open source and third-party components in their code.

Maintaining a software bill of materials is vital if you want to respond quickly to the security, license, and operational risks that can accompany open source software use.
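As an added example (not code from the Security Boulevard article or its author), the following Python sketch builds a minimal software BOM from a component list and runs the three risk checks the article describes against it: license conflicts with the product's own license, components that are more than four years out of date or have had no upstream activity for two years, and versions matched against an advisory list. Every component name, version, date, license category and advisory here is constructed for illustration, and the BOM layout is a simplified one rather than a standard interchange format; real SCA tools draw on live vulnerability feeds and far richer license analysis.

```python
"""Minimal software bill of materials (BOM) with license, operational and
vulnerability checks. All component data, dates, license categories and
advisories below are constructed for this example."""
from dataclasses import dataclass
from datetime import date
import json

# Constructed license buckets; the labels are an illustration, not legal advice.
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed advisory list: (component, affected version prefix, severity).
ADVISORIES = [
    ("libparse", "1.", "high"),
    ("fastjson-compat", "2.0.", "medium"),
]

REFERENCE_DATE = date(2019, 11, 15)  # "today" for the age calculations


@dataclass
class Component:
    name: str
    version: str
    license: str
    release_date: date      # when the version in use was released
    last_activity: date     # most recent upstream development activity
    patch_status: str = "unknown"


def build_bom(components):
    """Return the BOM: name, version, license and patch status per component."""
    return [
        {"name": c.name, "version": c.version,
         "license": c.license, "patch_status": c.patch_status}
        for c in components
    ]


def license_findings(components, product_license):
    """Flag copyleft components shipped in a proprietary product, and unknown licenses."""
    out = []
    for c in components:
        if c.license in COPYLEFT and product_license == "proprietary":
            out.append((c.name, "license", f"{c.license} conflicts with proprietary distribution"))
        elif c.license not in PERMISSIVE | COPYLEFT:
            out.append((c.name, "license", f"unrecognised license {c.license!r}; review required"))
    return out


def operational_findings(components, today, stale_years=4, inactive_years=2):
    """Flag versions older than stale_years or projects idle longer than inactive_years."""
    out = []
    for c in components:
        age = (today - c.release_date).days / 365.25
        idle = (today - c.last_activity).days / 365.25
        if age > stale_years:
            out.append((c.name, "operational", f"version {c.version} is {age:.1f} years old"))
        elif idle > inactive_years:
            out.append((c.name, "operational", f"no upstream activity for {idle:.1f} years"))
    return out


def vulnerability_findings(components):
    """Match each component's version against the advisory list by version prefix."""
    out = []
    for c in components:
        for name, prefix, severity in ADVISORIES:
            if c.name == name and c.version.startswith(prefix):
                out.append((c.name, "vulnerability", f"{severity}: version {c.version} affected"))
    return out


def assess(components, product_license, today):
    """Run all three checks; each finding is (component, kind, detail)."""
    return (license_findings(components, product_license)
            + operational_findings(components, today)
            + vulnerability_findings(components))


# Constructed inventory for a hypothetical proprietary product.
SAMPLE = [
    Component("libparse", "1.4.2", "MIT", date(2014, 3, 1), date(2017, 6, 1)),
    Component("fastjson-compat", "2.0.7", "Apache-2.0", date(2018, 9, 1), date(2019, 10, 1)),
    Component("crypto-utils", "3.1.0", "GPL-3.0-only", date(2019, 1, 15), date(2019, 10, 20)),
    Component("tiny-log", "0.9.0", "BSD-3-Clause", date(2019, 5, 1), date(2019, 11, 1), "current"),
]


def demo_findings():
    """Assess the constructed inventory as of REFERENCE_DATE."""
    return assess(SAMPLE, "proprietary", REFERENCE_DATE)


if __name__ == "__main__":
    print(json.dumps(build_bom(SAMPLE), indent=2))
    for component, kind, detail in demo_findings():
        print(f"{kind:<13} {component:<16} {detail}")
```

Run stand-alone, the script prints the BOM and then four findings: one license conflict (crypto-utils), one out-of-date version (libparse, released more than four years before the reference date) and two advisory matches (libparse and fastjson-compat). The point of keeping the BOM and the checks separate is the one the article makes: the inventory is the durable artifact, and the license policy, age thresholds and advisory data are inputs that can be re-run against it whenever they change.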

See the original post here:
What is a software bill of materials? - Security Boulevard