Summary:Terrorist groups such as ISIS and Al Qaeda have something in common -- they are using encryption tools which are not worthy of the name.

CANCUN, MEXICO: Are encryption tools used by terrorist organizations truly secure, or are they nothing more than a publicity stunt?

"Terrorists love forums," Rodrigo Bijou from data solutions provider The Data Guild said with a slight shrug as he addressed attendees at Kaspersky Labs' Security Analyst Summit. On Tuesday, the terrorism and technology speaker said that throughout his research, online forums have become a modern-day breeding ground for the spread of terrorist-based propaganda -- as well as a place to share "secure" encrypted communications tools used by groups including ISIS and Al Qaeda. The Data Guild

However, the actual security value of these tools is debatable -- and so could they have another purpose altogether?

The use of technology by terrorists is far from a new idea. For example, while some groups do rely on trusted couriers to send messages, now they have caught up with the times and have seen the potential the Internet holds to spread their message, recruit new members and communicate with each other.

Groups such as ISIS and Al Qaeda are known to use the Web for these purposes. However, they have also developed their own encryption-based toolkits to try and keep their activities from the eyes of intelligence agencies and governments across the globe.

Three main developers of secure, encrypted communications tools have been linked to terrorist organizations. The Global Islamic Media Front (GIMF) and Al-Fajr Media Center Technical Committee (FTC) -- both propaganda and media arms linked to Al Qaeda -- and ISIS -- as a developer itself of security tools -- have all created supposedly secure, encrypted messaging platforms -- but there is a problem.

ISIS does not trust the others, and due to this political conflict, the platforms are sub-par at best. Perhaps happily for us, this lack of trust ensures that none of the groups are pooling their resources to improve terrorism-based communication software.

Al Qaeda, for example, has a flagship communications tool called Asrar al-Mujahideen, launched in 2008. The GIMF software comes pre-loaded with a public encryption key and according to their website, the software provided follows the "latest technological advancements" with "4096 bit public key encryption" for use on the Windows and Android platforms.

Another GIMF tool released in 2013 is the Asrar al-Dardashah encrypted chat plugin, suitable for Symbian and Android and designed to encrypt data across chat apps already in use.

Read the rest here:
Terrorist encryption tools nothing more than 'security cape' and gov't red flag

Summary:A Wednesday press conference will aim to quell fears that the UK and US intelligence agencies have unfettered access to our mobile devices and phone calls.

Billions of SIM cards are said to be affected by the Gemalto hack (Image: CNET)

The Gemalto encryption key "heist" may be one of the biggest breaches of corporate data conducted by an intelligence agency to date.

The attack, first reported by The Intercept, showed how the UK and US intelligence communities stole encryption keys to millions of SIM cards, used by dozens of cellular networks in the US and around the world, for contactless payment systems, biometric passports, and credit and debits cards.

The story was based on documents leaked by whistleblower Edward Snowden.

In an effort to quell initial fears, the targeted company said in a statement Monday that its initial conclusions suggest its SIM products are "secure," but did not elaborate further.

Gemalto will hold a press conference on Wednesday (10:30am local, 4:30am ET) where we'll discover more. Gemalto is expected to reveal more from its investigation. (We'll have more then.)

These are the questions the company will have to answer.

1. Obama says US government doesn't listen to phone calls. But could it?

Days after the first Snowden leaks landed, Obama declared, "nobody is listening to your telephone calls." (He was, of course, talking about laws preventing the NSA from listening in on American calls.) It was bad enough that there was fear and uncertainty over the phone metadata program, but the Gemalto hack is about as clear as it gets that the NSA was trying to "passively" listen to phone conversations.

More:
Gemalto SIM card encryption hack: Key questions remain

Summary:China wants the encryption keys from U.S. technology companies as part of a counter-terrorism law. The draft law leaves U.S. tech giants with two options: Play ball or get out.

(Image: stock image)

The Chinese government has introduced plans for a far-reaching counter-terrorism law that would require tech companies to hand over encryption keys and source code -- even "backdoors" to give Chinese authorities surveillance access, according to Reuters.

The draft law, on its second reading in the state's parliament, is expected to be passed in a matter of weeks.

In an interview with the news agency, President Obama said he has brought up the issue with the Chinese premier.

"We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States," the president said.

Except that's not exactly what's going on here. It's U.S. tech companies that want to do business with China, thanks to its massive population, burgeoning economy, and its considerable potential financial returns. It's where some of the big global powerhouses are. It would be absurd to no longer do business in the economic and manufacturing heart of the world.

China's rules are broad and borderline terrifying for companies and countries wanting to do business with the Communist state. Making matters worse, tech companies can't possibly comply with the proposed rules. It's not surprising that China, with a history of stealing intellectual property, state-sponsored hacking, and shutting out businesses it doesn't like from state procurement rules, is not trusted by the West.

But Beijing, which sees the rules as vital in protecting state and business secrets, is the one holding the cards. Beijing doesn't trust Silicon Valley in the wake of the National Security Agency surveillance disclosures.

In that regard, China's move to introduce these laws is just good business sense for the country.

Read more:
China wants Silicon Valley's encryption keys: Good business, or get out?

Summary:CloudFlare has gone beyond offering free SSL to millions of websites and is now deploying a new level of encryption by default.

CloudFlare is deploying a new level of encryption to improve the security and speed of its websites, especially when visited through mobile web browsers.

The US-based CDN and DNS provider rolled out free SSL to millions of websites through the Universal SSL scheme last fall. Now, the company has begun rolling out a new form of encryption to improve the performance and security of mobile browsing. Dubbed ChaCha20-Poly1305, the cipher suites have only previously been used by one major tech firm, Google, but all CloudFlare websites now support the new algorithm.

As of the time of writing, approximately 10 percent of CloudFlare HTTPS website connections are using the protocol, but more are to follow.

Nick Sullivan from CloudFlare described the deployment in a blog post on Tuesday, explaining that the protocol for encrypting HTTPS -- Transport Layer Security (TLS) -- allows the easy integration of new encryption algorithms. The new cipher, based on the ChaCha20 and Poly1305 algorithms, fills the gap left by mobile browsers and APIs in TLS right now for secure encryption.

In addition, ChaCha20-Poly1305 improves upon the security of the de facto stream cipher choice for TLS, RC4 -- which is no longer considered secure. Another alternative, the AES-GCM cipher, is a good choice, but can be costly when it comes to mobile battery life. Therefore, users have been stuck between power-hungry or insecure encryption options.

In order to combat this problem and find a power-friendly alternative for mobile devices, Google engineers developed ChaCha20-Poly1305, which was included in Chrome 31 in November 2013, and Chrome for Android and iOS at the end of April 2014.

"Having the option to choose a secure stream cipher in TLS is a good thing for mobile performance," Sullivan says. "Adding cipher diversity is also good insurance. If someone finds a flaw in one of the AES-based cipher suites sometime in the future, it gives a safe and fast option to fall back to."

ChaCha20-Poly1305, a mixture of ChaCha20, a stream cipher; and Poly1305, a code authenticator -- developed by Professor Dan Bernstein -- is designed to provide 256-bit security, in comparison to the AES-GCM cipher, which provides around 128 bits of security.

CloudFlare says this level is "more than sufficient" for HTTPS connections. In addition, ChaCha20-Poly1305 also protects TLS against cyberattackers inserting fake messages into secure streams.

More:
CloudFlare boosts browsing privacy, speed through encryption deployment