Thales : unveils three quantum technologies set to revolutionise the world of tomorrow – Marketscreener.com

Accelerating the development of these technologies thanks to France's quantum plan

Thales welcomes the ambitious quantum plan launched by the French government, which will speed the development of the promising, sovereign technologies of quantum sensors, quantum communications and post-quantum cryptography. The Group continues to invest 1 billion euros annually in self-funded R&D, pushing back the limits of the possible and helping to sustain the excellence of French and European research to serve Thales customers.

Quantum sensors: augmenting and expanding human senses to better understand our environment

Smart homes, self-driving cars, automated trains, air traffic control, Industry 4.0, new energy sources, connected medical devices and services, latest-generation defence and security systems: none of this would be possible without the countless types of sensors that exist in the world today.

Sensors come in all shapes and sizes. From the simplest meat thermometer in the kitchen to the most sophisticated radars used in air traffic surveillance, sensors play a crucial role in improving human understanding of the world we live in.

In an environment that is more and more connected and digital, quantum sensors augment and expand human senses to create new knowledge. Research is underway at Thales laboratories into several types of sensors:

- Superconducting quantum interference devices (SQUIDs) are being extensively studied today with a view to developing miniature quantum antennas to detect communication signals over a very large portion of the radiofrequency spectrum and offer a competitive advantage, particularly at low frequencies. These superconducting devices could have applications in a wide range of areas, including brain imaging and particle detection.

- Solid-state quantum sensors, such as nitrogen-vacancy (NV) colour centres in diamonds, have demonstrated their ability to measure extremely subtle magnetic fields. This type of ultra-sensitive sensor could be used in numerous applications, ranging from bio-sensors to magnetic resonance imaging (MRI) and detection of defects in metals.

- Rare earth ions will be used to characterise and process radiofrequency and optical signals. Continuous, wideband radiofrequency spectrum analysers based on rare earth ions offer a way to relieve network congestion and optimise frequency utilisation - frequencies being a scarce resource - and could also have applications in military intelligence.

- Thales is also exploring the use of cold atom technology in future quantum inertial navigation systems for aircraft. At present, an aircraft taking off from Paris equipped with only a conventional inertial navigation system can land in New York with a precision of within a few kilometres. With future quantum sensors, aircraft will be able to navigate and land with a precision of within one metre.

Quantum sensors have a promising future in a broad range of sectors. New, ultra-sensitive, miniaturised magnetometers will revolutionise medicine, with numerous applications ranging from new-generation miniaturised MRI systems to diagnosis of brain tumours or changes in cognitive functions.

The key role of quantum communications: making communications completely trustworthy and managing future networks of quantum objects

In a digital economy where communications play a vital role, and with the relentless increase in data rates in fixed and mobile communication systems, quantum technologies will make it possible to secure communications with inviolable cryptographic keys based on the quantum properties of light. The principle of quantum communications has been established for some time in point-to-point networks, but the quantum Internet of the future will need to apply these concepts to large-scale networks. Thales is pioneering the design of these future network architectures, both for ground-based network elements and for the space-based components needed to share cryptographic keys over long distances. Thales is part of EuroQCI, a large-scale European project working to deploy a quantum secured network of this type to establish an ultra-secure Europe-wide network for sharing sensitive data.

Beyond quantum secured communications, quantum data such as qubits, the basic units of quantum information, could be shared across a quantum information network. This type of network could interconnect systems such as quantum sensors and quantum computers, leveraging quantum physics to build integrated systems delivering order-of-magnitude improvements in performance. Although it will be some time before these systems are available, the basic building blocks of quantum information networks, such as quantum memories, entanglement sources and protocols, are already being designed.

Post-quantum cryptography: acting today to protect our systems from the quantum computers of tomorrow

Communications security is a strategic necessity for governments, businesses and private citizens. Today, communications security mainly uses RSA crypto-systems, which rely on the difficult mathematical problem of breaking down a number into its prime factors. The algorithm for future quantum computers that could break RSA encryption, undermining the rationale behind existing cryptographic techniques, is already known. Thales is building on its experience in information systems security to develop alternative encryption methods using other mathematical problems to withstand quantum computers. These methods, combined with the use of quantum keys, will provide deeper, more persistent and more unconditional protection for our data assets.

To know more: discover the open editorial about quantum from Patrice Caine, CEO of Thales, and his latest speech at the NOVAQ innovation forum on how to build a trustable future thanks to high technologies, as well as the Group's latest podcast series on quantum science.


PRESS RELEASE : Aladdin Healthcare Technologies signs Agreement to build proprietary Genomic Data Blockchain Platform with Zero Knowledge Proof -…

DGAP-News: Aladdin Healthcare Technologies SE / Key word(s): Letter of Intent/Alliance

Aladdin Healthcare Technologies signs Agreement to build proprietary Genomic Data Blockchain Platform with Zero Knowledge Proof

2021-01-22 / 09:10

The issuer is solely responsible for the content of this announcement.

BERLIN/LONDON January 22, 2021 - Aladdin Healthcare Technologies SE ("Aladdin", ISIN: DE000A12ULL2), a leading developer of Artificial Intelligence (AI) based healthcare diagnostics and drug discovery applications, has signed a Memorandum of Understanding (MOU) with Consentia Ltd, with the goal of building a Blockchain platform based on Zero Knowledge Proof (ZKP) for safely sharing genomics and multi-omics data.

Since genomic data analysis is growing in prominence for precision diagnosis and medicine, the need for fast and secure sharing of such data is increasing worldwide and requires appropriate tools to ensure people's data privacy. Aladdin will build a ZKP-based blockchain platform to gather global healthcare data with Consentia, an innovative blockchain development start-up in the UK and Hong Kong, led by Paul Sitoh, one of the most sought-after experts in blockchain technology and co-builder of Hyperledger Fabric.

Nowadays, the healthcare industry is dominated by a lot of time-consuming due diligence based on privacy issues. Zero Knowledge Proof (ZKP) is a cryptography method by which data can be proven without actually showing or sharing any additional information. Both Aladdin and Consentia will collaborate to build a proprietary data-tool based on ZKP for eradicating passwords and protecting the identities of global patients that submit multi-omics and genetic healthcare data to centralized databases. Furthermore, the parties will develop a new blockchain platform based on the ZKP-tool where users and healthcare professionals will be able to safely access and store the healthcare data.

Wade Menpes-Smith comments: "Aladdin has taken a massive step in the field of Blockchain applications for Healthcare by signing this Agreement. We are more than happy to have Consentia at our side as a valuable partner in this important challenge. We want to protect people's identities while giving our innovative contribution to medical research. This is a big chance for expanding our business opportunities by commercializing the platform in the future with existing and new partners at a global level."

About Aladdin Healthcare Technologies SE

Aladdin Healthcare Technologies SE (and its wholly owned subsidiary Aladdin Healthcare Technologies Ltd.) is a leading developer of AI healthcare diagnostics and drug discovery applications that can accelerate both early stage disease diagnosis and the end-to-end drug discovery process. Aladdin targets age-related diseases including a significant focus on Alzheimer's disease. Aladdin accomplishes this by collaborating with numerous partners within the global healthcare ecosystem to confidentially and securely gather targeted data including genome, tabular, MRI, PET, cognition and other lifestyle data. These datasets are then analysed by our award-winning AI team and used to develop proprietary AI tools that can assist healthcare professionals to more accurately and efficiently diagnose age-related diseases. This new diagnostic process will save significant time and costs for healthcare professionals. Additionally, our AI drug discovery platform will be used by pharmaceutical companies to speed up drug development, clinical trials and predict outcomes more accurately.

Website Link: http://www.aladdinid.com
GSIN: A12ULL
ISIN: DE000A12ULL2
TICKER SYMBOL: NMI

For further information:
Aladdin Healthcare Technologies Ltd., 24-26 Baltic Street West, London EC1Y 0UR
Phone +44 7714 719696
Email: info@aladdinid.com

Contact Press:
CROSS ALLIANCE communication GmbH, Sara Pinto
Phone +49 89 1250 90330
Email: pi@crossalliance.de
http://www.crossalliance.de

2021-01-22 Dissemination of a Corporate News, transmitted by DGAP - a service of EQS Group AG. The DGAP Distribution Services include Regulatory Announcements, Financial/Corporate News and Press Releases. Archive at http://www.dgap.de

Language: English
Company: Aladdin Healthcare Technologies SE, Unter den Linden 10, 10117 Berlin, Germany
Phone: 030 700140449
E-mail: info@aladdinid.com
Internet: http://www.aladdinid.com
ISIN: DE000A12ULL2
WKN: A12ULL
Listed: Regulated Market in Dusseldorf
EQS News ID: 1162478

End of News, DGAP News Service

Dow Jones Newswires

January 22, 2021 03:11 ET (08:11 GMT)


Elastic delivers blow to AWS with open source licensing change – TechRadar

Open source software maker Elastic will soon make things quite difficult for AWS as the company is moving its source code from the Apache 2.0-license to the Server Side Public License (SSPL) and the Elastic License.

Elastic is known for its open source search and analytic engine Elasticsearch and its data visualization dashboard Kibana which are used in the cloud by Netflix, LinkedIn, Walmart and many other large companies.

While larger organizations will likely be affected by the licensing change, Elastic CEO Shay Banon explained in a blog post that the majority of its users won't be impacted, saying:

"This change in source code licensing has no impact on the overwhelming majority of our user community who use our default distribution for free. It also has no impact on our cloud customers or self-managed software customers."

Instead of having contracts with Elastic itself, many large corporations instead use Amazon Elasticsearch Service for analytics and application integration.

AWS isn't the only cloud computing provider that offers Elasticsearch, though, as the analytics engine is also available on Microsoft Azure and Google Cloud. However, there is a big difference, as both Microsoft and Google have a business relationship with Elastic while AWS does not.

In a more recent blog post, Banon explained that Elastic is changing how it licenses its source code in order to prevent AWS from offering its products as a service, saying:

"They have been doing things that we think are just NOT OK since 2015 and it has only gotten worse. If we don't stand up to them now, as a successful company and leader in the market, who will? Our license change is aimed at preventing companies from taking our Elasticsearch and Kibana products and providing them directly as a service without collaborating with us."

In order for cloud providers to offer Elasticsearch services under the SSPL, they need to agree to open source their hosting cloud's infrastructure. While most AWS software is already open source, Amazon will likely never agree to open source all of it.

Businesses that use Elasticsearch and Kibana could soon see their cloud computing costs increase as a result of the licensing changes made by Elastic.

Via ZDNet


Google Duo on uncertified Android devices might also stop working – SlashGear

Android being open source software allows it to be installed on devices and used in cases that Google may have never imagined or allowed. Those include some set-top boxes, desktops, laptops, watches, single-board computers or SBCs, and everything in between. Google, however, does have a system in place that keeps Android from spiraling out of its control completely. One such system involves keeping Google apps out of these uncertified devices, like what it will be doing with Google Messages and, soon, Google Duo.

Google has a certification process in place for devices that want to ship with Google Play apps and services. Given how these have become part and parcel of the Android experience, it is pretty much Google's strategy to keep devices and manufacturers in line without technically changing Android's open source nature. In other words, anyone who wants to be considered a serious commercial Android device will have to be approved by Google and, consequentially, follow its rules.

There are ways for uncertified devices to get hold of those Google Play components, none of which are sanctioned by Google, of course. This is pretty much the only way that users of third-party Android ROMs, Amazon Fire devices, or even recent Huawei phones will be able to get access to Gmail, Chrome, and the like. Google, however, seems to be coming out with a way to block even that, at least for its messaging apps.

Following revelations about Google Messages, 9to5Google discovered in the latest version of Google Duo that the video calling app will stop working on unsupported, meaning uncertified, devices. Accounts in Google Duo on that device will be unregistered and users are advised to download their clips and call history before that happens.

Google Messages' warning says that it will take effect on March 31 this year but now such hint was discovered for Google Duo. These changes could prove to be controversial and, unfortunately for affected users, there's really no getting around that Google has the right to withhold the use of its apps as it sees fit. One can only hope that Google doesn't push through with the changes or, worse, use the same tactic for all its other apps on uncertified devices.


One Year Into the Pandemic: 51% of Tech Leaders Give Companies Lagging in Digital Innovation Only Three Years or Less to Live, a 14% Jump from the…

SAN FRANCISCO, Jan. 21, 2021 /PRNewswire/ -- One year into the COVID-19 pandemic, new research from Kong Inc. shows the importance of digital innovation has dramatically increased. According to the 2021 Digital Innovation Benchmark report, 51% of technology leaders expect a business to go under or be acquired by 2024 if they lag in digital innovation, up from 37% in Kong's inaugural 2020 report. A shocking 84% predict this dire outcome within six years.

Sixty-two percent of technology leaders across industries believe competitors could displace them by being quicker to innovate, up from 57% in the prior year. The survey of 400 technology leaders benchmarks the use of modern software architectures to enable business agility and compares how they are being used at organizations with 1,000+ employees. This year's research also explores the role the COVID-19 pandemic is having on digital transformation plans and technology budgets. To download the full report, visit https://konghq.com/resources/digital-innovation-benchmark-2021/.

Technology leaders face immense pressure to future-proof their organizations' infrastructure so it can support the technologies, applications and business models of the future. Like last year, a large majority of these professionals (87%) say the failure to adopt microservices will hurt their company's ability to compete. In the wake of the COVID-19 pandemic, 67% of them expect serious professional ramifications (being fired, losing out on a promotion or missing out on a bonus) for failed modernization initiatives (e.g., cloud, microservices, adopting new technologies).

Open Source, Microservices and Kubernetes Power Digital Innovation

Developers favor open source software and the freedom to test-drive innovative technologies that are designed for today's needs. It is no surprise that open source is prevalent among the overwhelming majority of organizations surveyed (91%). The U.S. leads in the use of open source, where 94% of technology leaders say that their organizations have been using or just started to use open source software, compared with 89% in Europe. The types of open source technologies used most include: databases (57%), infrastructure automation (47%), API design, testing and automation (46%), and API gateway (38%) and containers (38%), which are enabling technologies to develop, deploy and manage applications with distributed architectures based on microservices.

Open source service mesh is a new type of software that companies are starting to use today (20%), fueled by high enterprise adoption of microservices, and is new to Kong's research this year. The vast majority of companies (87%) are already using microservices. Thirty-three percent have transitioned entirely to distributed architectures, including microservices and serverless, with the highest adoption in France and the U.S. (40% and 39% respectively). Of those already using or planning to use microservices, the average number in production is 102 across all regions. The average is significantly higher in the U.S. than in Europe, 129 versus 74.

The main reasons (beyond cost) that are driving enterprises to transition to microservices include:

Kong's research this year also explored current and planned adoption of Kubernetes. Eighty-six percent of organizations are already using or planning to use the open source container orchestration system, with only 5% with no plans to do so in the next 12 months. This data demonstrates that Kubernetes has emerged as the standard operating environment for applications built with modern distributed architectures.

Mixed Deployment Environments Add Complexity and New Security Risks

The challenges of using distributed applications and architectures extend to a range of deployment options across on-premises, hybrid cloud, public cloud or multi-cloud. Nearly half (46%) are running services on-premises that connect with services running in the cloud. Among respondents, use of Amazon Web Services (43%) has a slight lead over Microsoft Azure (42%), followed by Google Cloud Platform (35%, up from 27% the prior year). Forty-one percent of companies currently use a multi-cloud environment, defined as services running in one cloud connected with services running in another cloud.

With the diversity of applications running across heterogeneous environments, it comes as no surprise that managing APIs is a growing problem. The top challenges include securing APIs (51%), monitoring API traffic (42%), scaling APIs (39%), API performance (36%), controlling API traffic (35%) and testing (35%) APIs.

When asked about specific challenges in using microservice-based applications, the top reasons cited include:

"A year into the pandemic has made it clear that 'business as usual' is a thing of the past. It's no surprise that a company's ability to digitally innovate will largely determine whether it will survive or be displaced in a few short years," said Marco Palladino, CTO and co-founder of Kong. "Our research shows that technology leaders understand that speed of innovation must also be matched with security, operational efficiency and reliability. As infrastructure and applications become more distributed and interconnected, the ability to connect and secure data as it travels across services and through clouds is vital."

COVID-19 Pandemic Accelerates Existing Trends

Technology leaders overwhelmingly agree (89%) that creating new digital experiences to address COVID-19 business challenges is a business-critical endeavor. Sixty-four percent of respondents say they will continue to pursue multi-year digital transformation initiatives. When asked about the impact the pandemic has had on their company's IT/developer budget over the last 12 months, 55% of respondents reported an increase. Twenty-seven percent of respondents in France say their budget has increased 25% or more, compared with the U.S. (21%), UK (16%) and Germany (14%).

Funding Innovation and Speed in 2021

Organizations recognize that while fast innovation is essential to stay competitive in 2021, speed cannot come at the expense of other fundamentals. When asked to rank business priorities, improve operational efficiency (39%), improve application performance/reliability (37%) and improve application security (35%) were deemed higher priorities than reduce cost (33%) and accelerate innovation (27%). The vast majority of U.S. (81%) and European (78%) companies are increasing their IT budgets in the coming year, with 21% of U.S. companies expecting their budgets to grow by 26% or more, compared with only 16% in Europe.


For reporters interested in seeing the full data set or speaking to a Kong executive about the findings, please contact [emailprotected].

About the Survey

Kong engaged Vanson Bourne to field a survey of 400 senior technology decision makers in the U.S. and Europe, including CIOs, CTOs, VPs of IT, IT directors/architects and software engineers/developers from organizations across a range of industries. The survey was fielded in December 2020-January 2021, with respondents coming from a range of industries, including business and professional services; financial services; IT, technology and telecoms; manufacturing and production; and retail, distribution and transport. Vanson Bourne rigorously screened interview candidates to ensure suitability and data quality.

About Kong Inc.

Kong creates software and managed services that connect APIs and microservices natively across and within clouds, Kubernetes, data centers and more using intelligent automation. Built on an open source core, Kong's service connectivity platform enables digital innovation by allowing organizations to reliably and securely manage the full lifecycle of APIs and services for modern architectures, including microservices, serverless and service mesh. By providing developer teams with unprecedented architectural freedom, Kong accelerates innovation cycles, increases productivity, and seamlessly bridges legacy and modern systems and applications. For more information about Kong, please visit https://konghq.com/ or follow @thekonginc on Twitter.

About Vanson Bourne

Vanson Bourne is an independent specialist in market research for the technology sector. Our reputation for robust and credible research-based analysis is founded upon rigorous research principles and our ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit http://www.vansonbourne.com.


SOURCE Kong Inc.

https://konghq.com


DataLocker releases encrypted USB drive with capacities up to 15.3 TB – Help Net Security

DataLocker announced the release of an entirely new breed of encrypted USB drive. The DL4 FE changes the game for security professionals by providing bulletproof security and simple remote management in a small-form-factor USB drive with capacities up to 15.3 TB.

The onslaught of attacks by state actors, hackers, and cyber cartels continues. Threat actors are trying to exfiltrate terabytes of data to hold for ransom. Some want access to essential IT systems for later exploitation.

"As an industry, we need more widespread usage of powerful encryption tools that render data completely unusable to all but those who should be using it. These are things we've always focused on, but we're still leveling up our game," says Jay Kim, CEO of DataLocker.

"The new DL4 FE is more than an encrypted drive, it's a simpler way to secure and manage sensitive data across hundreds of end users and remote locations. We made the DL4 FE for industries with rigid compliance requirements, those with large data sets that must be secure in transit, or for organizations where keeping data secure is how you save lives. We think of the DL4 FE as a way to further our commitment to keeping the world's most sensitive data simply secure," he says.

Built to FIPS 140-2 Level 3 device standards and incorporating a Common Criteria EAL5+ certified controller, the DL4 FE is the most secure large capacity USB drive in the DataLocker line.

AES 256-bit hardware-based encryption ensures that data on the device is nearly impossible to compromise. It's also built with a bevy of security features that keep the most sensitive data safe under the most demanding circumstances:

Some of the biggest benefits of the DL4 FE come by way of its remote manageability. Managing the DL4 FE with DataLocker's management platform SafeConsole makes it easy for admins to set secure policies for drives in the field, remotely wipe or detonate devices, reset passwords, or audit drives to see any data that's been added, removed, or changed on the device.

SafeConsole also allows admins to remotely lock down or whitelist USB ports on endpoints through a feature called PortBlocker. SafeConsole is available for Windows machines.

The DL4 FE is available as a solid-state drive (SSD) as well as a hard disk drive (HDD). Capacities range from 1 TB to 15.3 TB. The DL4 FE connects to systems via USB-C or USB-A and is compatible with most contemporary Mac, Windows, and Linux operating systems, as well as any machine capable of connecting an external mass storage device.


Following a Year of Privacy Worries and Security Breaches, Ring Implements End-to-End Encryption – CPO Magazine

The rapidly-growing smart home market has a serious security problem, and Ring's line of products has been one of the foremost examples. The Amazon-owned company provides doorbell and in-home security cameras that are internet-connected to allow owners remote access to the video feeds. Some of its products will now be getting end-to-end encryption for the first time, two years after Amazon acquired the company and six years after the company's flagship doorbell camera product first launched.

During that time the company has struggled with a variety of security issues related to unauthorized access to user feeds, as well as questionable partnerships with law enforcement agencies that have raised concerns about extrajudicial surveillance.

Ring has a troubling history of security and privacy issues, the most high-profile of these coming after Amazon's acquisition of the company. A string of security breaches in 2019 saw hackers taking over the accounts of users, in some cases speaking to them through the system. While Ring systems are password-protected, investigations by security experts found that there is no system to identify multiple suspicious login attempts. This made it trivial for attackers to brute force systems by guessing passwords or by working from information gleaned from other data breaches. A flaw was also discovered that leaked WiFi information locally, including usernames and passwords, though it does not appear that it was ever used in an attack.

Ring has since patched these vulnerabilities, but end-to-end encryption provides a much stronger failsafe against any similar issues that might develop in the future. A blog post from the company indicates that stored video is already encrypted on Ring's cloud system, but will now also be encrypted in transit to authorized user devices.

However, the feature is not available to all users just yet; it's in a technical preview mode that is slated to roll out completely over the next several months. The feature should appear in the Control Center of the Ring App once it becomes available. However, Ring points out that some of its features that rely on decrypted video will not function while end-to-end encryption is enabled, Motion Verification and People-Only Mode among them. This would appear to make it impossible to make use of end-to-end encryption in the modes that attempt to verify motion is being caused by a human being before sending a notification to the user.

The feature is also apparently not coming to all of the company's devices, at least not initially. End-to-end encryption will be available in the Pro and Elite models of the Video Doorbell product, but not the most basic wireless doorbell model. In addition to a price difference of about $50 per unit, the Pro model must be hardwired to function. Product lines that are no longer supported, like the first generation of video doorbells, are also not supported. The peephole cam and non-wired versions of the Stick-Up Cam and Spotlight Cam are also not eligible for end-to-end encryption. And users must have a fairly recent version of iOS (12.0 or newer) or Android (8.0 or newer) for the feature to be available.

While end-to-end encryption helps to protect users from unauthorized access to videos by hackers, it doesn't necessarily do much to address two other trust issues that have been hanging over the company: its internal access to user videos, and exactly what it shares with law enforcement agencies.

Ring's policy has long been that employees are not supposed to access customer videos without express permission. Complaints and investigations dating back to 2016 have asserted that this is not the case. It is unclear if the end-to-end encryption feature will completely prevent this possibility, if the device in question even has the ability.

Amazon's partnerships with law enforcement agencies also became an issue in 2019. The company offered police agencies access to Neighbors, a complementary app that allows users to upload video of potentially suspicious activity with various levels of public sharing. Critics pointed out that law enforcement is usually compelled to obtain a warrant to set up or access video recording devices on private property, something that Ring created a shortcut for. A particular concern was the potential for Amazon to link its Rekognition facial recognition database, also used by police agencies until a one-year moratorium was issued in 2020, to the footage reviewed by law enforcement. Even with end-to-end encryption in place, footage uploaded to Neighbors will first have to be decrypted in order to be shared.

Ring users will also need to proactively keep an eye out for the appearance of the new video encryption feature, as it will not be enabled by default.

Follow this link:
Following a Year of Privacy Worries and Security Breaches, Ring Implements End-to-End Encryption - CPO Magazine

All About Encryption Backdoors – Hashed Out by The SSL Store

We Examine the Double-Edged Swords of the Cybersecurity World

It's not in your pocket. Not in the car. Not in your bag. Where could your key be? You need a way to get in your place. So, you call a locksmith, who can use his tools to provide another way inside.

But what if we're talking encryption instead? There are no locksmiths in the cryptography world. What gets encrypted stays encrypted (unless you're the owner). Theoretically, at least. One exception to that rule is encryption backdoors.

Encryption backdoors are a simple concept. Think of them like the spare key you hide under the rock in your yard. They're a weakness that allows for entry in case of a loss of access or an emergency. They can be maliciously created by malware or intentionally placed in either hardware or software. There has been much debate about encryption backdoors because the two main debaters are viewing the issue from very different perspectives. On one hand, they allow for a way in if the situation requires it. But on the other hand, they can and most likely will be found by attackers.

So how do encryption backdoors work exactly? In what circumstances have they been used in the past? And what are the arguments for and against their deployment?

Let's hash it out.

An encryption backdoor is any method that allows a user (whether authorized or not) to bypass encryption and gain access to a system. Encryption backdoors are similar in theory to vulnerabilities, especially with regards to functionality. Both offer a non-standard way for a user to enter a system as they please. The difference lies in the human train of thought behind them. Encryption backdoors are deliberately put in place, either by software developers or attackers. Vulnerabilities, however, are accidental in nature.

In the world of cyberthreats, backdoors are among the most discreet kind. They're the polar opposite of something like ransomware, which is the cyber-equivalent of grabbing the user and slapping them in the face repeatedly. Encryption backdoors are well hidden, lurk in the background, and are only known by a very small group of people. Only the developers and a handful of select users that require the capabilities that the backdoor provides should be aware of its existence.

The power and versatility of backdoors has made them very popular among cybercriminals. In fact, a 2019 study by Malwarebytes found that backdoors in general, including encryption backdoors, were number four on the list of most common threats faced by both consumers and businesses. The report also discovered that the use of backdoors is on the rise, with a 34% increase in detections for consumers and a whopping 173% increase for businesses, compared to the previous year. Considering encryption backdoors are one of the primary types of backdoors, their use is no doubt on the rise, as well.

It's more important than ever to be aware of encryption backdoors and how they work. Since they can be used for either good or evil, it's not always the most straightforward subject. Let's look at both sides of the coin by taking a closer look at the different ways they are put into practice.

Some backdoors are intended to help users, and others are intended to hurt them. We're going to classify backdoors into two primary types based on the result they're designed to achieve: malware backdoors and built-in backdoors.

We'll start with the bad guys first. They create backdoor malware for nefarious means, such as stealing personal data, accessing your financial records, loading additional types of malware onto your system, or completely taking over your device.

Backdoor malware is considered a type of Trojan, which means that it aims to disguise itself as something completely different from its true form. You may think you're downloading a regular old Word document or a trusted piece of software from a file-sharing site, but you're actually getting something that's going to open up a backdoor on your system that an attacker can use to gain access whenever they want.

Backdoor malware, like Trojans, can also be capable of copying itself and distributing the copies across networks to other systems. They can do this all automatically without any input required from the hacker.

These backdoors can then be used as a means to an end for further attacks, such as:

For instance, maybe you download a free file converter. You go to use it and it doesn't seem to work properly (spoiler alert: it was never intended to), so you go and uninstall it from your system. Unbeknownst to you though, the converter was actually backdoor malware, and you now have a wide-open backdoor on your system.

Attackers can go a step further and create a backdoor using a functional piece of software. Perhaps you downloaded a widget that displays regularly updated stock prices. You install it and it works just fine. Nothing seems amiss. But little did you know, it also opened a backdoor on your machine.

For cybercriminals, that's usually just the first step: getting their foot in the door. A common avenue for hackers to go down at this point is deploying a rootkit. The rootkit is a collection of malware that serves to make itself invisible and conceal network activity from you and your PC. Think of a rootkit like a doorstop that keeps the point of access open to the attacker.

Rootkits and backdoor malware in general can be difficult to detect, so be careful when browsing, avoid files from unknown or untrusted sources, keep your applications & OS updated, and take advantage of anti-virus and anti-malware programs.

It's not all bad when it comes to encryption backdoors, however. As we touched on, they can be used for ethical purposes, too. Perhaps a user is locked out of critical information or services and doesn't have any other way to get in. An encryption backdoor can restore access. They can also be of help when troubleshooting software issues, or even be used to access information that can help solve crimes or find a missing person or object.

Built-in backdoors are purposely deployed by hardware and software developers, and they aren't usually created with nefarious means in mind. Oftentimes they're simply part of the development process. Backdoors are used by developers so they can more easily navigate the applications as they're coding, testing, and fixing bugs. Without a backdoor, they'd have to jump through more hoops, like creating a real account, entering personal information that's usually required for regular users, confirming their email address, etc.

Backdoors like these aren't meant to be part of the final product, but sometimes they get left in by accident. As with a vulnerability, there's a chance that the backdoor will be discovered and used by attackers.

The other main category of built-in backdoors is those that are requested by national governments and intelligence agencies. The governments of the Five Eyes (FVEY) intelligence alliance, Australia, Canada, New Zealand, the United Kingdom, and the United States, have repeatedly requested that tech and software companies install backdoors in their products. Their rationale is that these backdoors can help find critical evidence for use in criminal investigations. Apple, Facebook, and Google have all said no to these requests.

If a company does agree to install a backdoor, however, it usually happens somewhere in the supply chain, where it is appropriately referred to as a "supply chain backdoor." That's because it occurs during the manufacturing and/or development process, when the components of the product are still floating around at some point in the supply chain. For instance, a backdoor could be loaded onto a microprocessor at the chip maker's facility, after which it gets sent to various OEMs for use in consumer products. Or it could be loaded as the finished product is being sent to the consumer. For example, a government agency could intercept a shipment of devices meant for an end-user and load a backdoor via a firmware update. Encryption backdoors can be installed with the knowledge of the manufacturer or done covertly.

Supply chain backdoors can occur during the software development process, as well. Open-source code has many advantages for developers, saving time and resources instead of reinventing the wheel. Functional and proven libraries, applications, and development tools are created and maintained for the greater good, free for all to use. It has proven to be an efficient and powerful system.

Except, of course, when a backdoor is intentionally planted somewhere. Contributions to open-source code are always subject to review and scrutiny, but there are times when a malicious backdoor can slip through the cracks and make its way out to developers and eventually users. In fact, GitHub found in a 2020 report that nearly one in five software bugs were intentionally created for malicious purposes.

Let's take a look at some of the most significant and well-known instances of encryption backdoors, and the consequences associated with their use:

The debate around the existence of encryption backdoors, and particularly built-in backdoors, has been raging on for decades. Thanks to the "shades of grey" nature of their intended and actual uses, the debate shows no sign of slowing down anytime soon, especially considering that the main proponent of encryption backdoors, national governments, is also the only party that could legally outlaw them. So, what are the two sides of the argument?

The members of the Five Eyes alliance argue that built-in encryption backdoors are a must for maintaining national and global security. Then-FBI Director Christopher Wray attempted to sum up the US government's position in 2018, explaining:

"We're not looking for a 'back door', which I understand to mean some type of secret, insecure means of access. What we're asking for is the ability to access the device once we've obtained a warrant from an independent judge, who has said we have probable cause."

Government officials often point out that what they truly desire is more like a front door that can grant access and decryption only in situations that meet certain criteria. The theory is that it would be something only the good guys can use.

Those in favor of backdoors argue that the technological gap between the authorities and cybercriminals is growing, and that the legal and technological powers of law enforcement agencies aren't currently enough to keep up. Hence, the need for a shortcut, a secret way in.

In other instances, authorities simply need access to gain evidence and information regarding a case. Numerous criminal investigations have been held up because locked phones couldn't be accessed. And after all, isn't the information in a phone the kind that police would normally have the right to access with a search warrant?

A common solution that is proposed by supporters of built-in backdoors is the use of what's called a key escrow system. The concept is that a trusted third party would act as a secure repository for keys, allowing for decryption if law enforcement can get legal permission to do so.

Key escrow is often used internally by companies in case access to their own data is lost. When it comes to public use though, it's a system that is challenging and costly to implement. There's also a large security risk, since all an attacker would need to do to decrypt something is gain access to the key storage location.

A front door for the good guys sounds great in theory. The problem is, functionally, there isn't much difference between that and an encryption backdoor. A hacker will be able to find their way in if it exists, no matter what you want to call it. It's for this reason that most of the big tech companies don't want encryption backdoors in their products, because they would then be putting their brand name on insecure products that come with out-of-the-box vulnerabilities.

Even if the manufacturer and/or the government are the only ones to initially know about the backdoor, it's inevitable that attackers will eventually discover it. On the large scale, a proliferation of backdoors would almost certainly result in an increase of cybercrimes and create a massive black market of exploits. There could be severe and far-reaching impacts for the public-at-large. For instance, utility infrastructure and critical systems could suddenly be left wide open to attacks from threats both at home and abroad.

There is also the question of privacy when it comes to encryption backdoors. If backdoors are everywhere, then suddenly a government can eavesdrop on citizens and view their personal data as they wish. Even if they didn't at first, the possibility is still there, and it's a slippery slope that gets more slippery with time. A hostile and immoral government, for example, could use a backdoor to locate dissidents that are speaking out against the regime and silence them.

Overall, when it comes to encryption, there are a few basics that are absolutely required in order for it to be effective:

Backdoors compromise the second point (and in some cases the first), and in that sense they defeat the entire purpose of encrypting data in the first place.

The refusal of the giant technology companies to grant encryption backdoors, particularly Apple's actions in 2015, has thus far prevented the setting of any legal precedents for backdoors. If any of them had acquiesced, then more encryption backdoors would have no doubt been created moving forward. While encryption backdoors can result in positive outcomes in certain cases, they also come at the price of exposing our devices to greater risk of attack.

These risks are already increasing, independent of backdoors, thanks to the Internet of Things and proliferation of smart devices all over our homes and workplaces. An attacker could compromise an IoT device and work their way up the chain of connections to your own PC, and backdoors make it even easier.

In one corner, you have security experts and privacy advocates in favor of maintaining the strongest possible encryption measures and practices. In the opposite corner you have governments that want backdoors to help solve crimes and maintain public safety. The discussion shows no signs of slowing up and will most likely intensify as technology continues to evolve and spread.

Either way, you and I must continue to protect our own data as best we can. We can't necessarily prevent an attack via a built-in backdoor that we don't even know exists, but we can employ an intelligent mix of security software and best practices to help mitigate the risk of malware backdoors. Make sure your data is encrypted with an encryption algorithm you trust, and that you have full control over the encryption key. If there's a possibility that someone else has a key for your data, then it's not secure.

View post:
All About Encryption Backdoors - Hashed Out by The SSL Store

How to Turn on Ring’s New End-to-End Encryption – Lifehacker

Ring just added end-to-end encryption (E2EE) to a select number of its smarthome cameras, protecting videos recorded by your Ring devices with an extra layer of security. This still doesn't make us thrilled about Ring devices, exactly, given all the issues the platform has experienced, but it's a feature worth knowing about if you're already using a Ring doorbell or camera.

Ring videos are encrypted while they're uploaded to Ring's cloud servers, but this new feature secures them with an additional AES 128-bit encryption layer that can only be decrypted and watched on a mobile device enrolled in Ring's E2EE program. (You can read more about Ring's E2EE policy in a recently published white paper on the feature.)

E2EE can stop outsiders from intercepting and viewing videos while they're being recorded or sent to your devices; not even Ring will be able to decrypt them. However, Ring's E2EE also disables a handful of features on a user's end, including motion verification and the ability to watch Ring camera live feeds on an Amazon Echo Show or Fire TV device. Your recorded videos will be more secure, but you'll lose out on real-time viewing and cloud-based monitoring features that may be as important as the extra encryption layer E2EE adds.

If you're cool with the tradeoffs, turning on Ring's new E2EE is easy, as long as you have the right hardware. E2EE is only available on a handful of devices at launch:

Further support may be added in the future, but for now, you'll need one of those devices to use E2EE. You'll also need the latest version of the Ring app on any Android or iOS device you want to enroll. If you meet those requirements, you can turn on E2EE in the Ring app:

You'll be asked to generate a password during setup. Don't lose this! It cannot be recovered and any encrypted videos you have will be lost. You'll have to start over with another mobile device to use E2EE again.

Read more from the original source:
How to Turn on Ring's New End-to-End Encryption - Lifehacker

Is the Signal app safe? The encrypted messaging platform and WhatsApp alternative, explained – Vox.com

Signal, once a niche messaging service for the privacy-minded, is currently the most downloaded app in the United States, unseating perennially popular social media and gaming apps. Its newfound popularity is due to a convergence of reasons, including WhatsApp's changing policies, violence at the Capitol that led many tech companies to deplatform Trump, and a viral tweet from the world's wealthiest man.

On January 7, Tesla founder Elon Musk tweeted "Use Signal" and sent the valuation of the wrong company, tiny health care technology firm Signal Advance, beyond its wildest expectations. Musk had been referring to the unrelated encrypted messaging outfit, which also benefited immensely from the tweet.

Signal, for the first time, became the most downloaded app on the App Store and Google Play following Musk's tweet, a position it has maintained for a week. The sudden growth caused widespread outages on January 15, as the company struggles to add extra server capacity for the record number of new users.

"We have been scaling all week to meet the increasing capacity," Signal spokesperson Jun Harada said in an email to Recode. Still, Friday's usage surge came out of nowhere. Harada said the company hoped to have service restored in the near future.

Musk's tweet came a day after he had tweeted a meme blaming Facebook for its role in the violent storming of the Capitol, in which Trump supporters, amped up on conspiracy theories about a stolen election, failed to stop Congress from certifying Joe Biden's election victory. The meme illustrates the domino effect from Facebook's beginnings as a website to rate women on campus to the Capitol being under the control of a man in a viking hat.

A few days earlier, on January 4, Facebook-owned WhatsApp had issued a new privacy policy, which many interpreted to mean that users would be required to share personal information with Facebook's ad network in order to use the platform. Facebook has clarified that WhatsApp messages will remain encrypted and personal information like contacts would not be shared with Facebook. Still, many users, goaded in part by Musk's tweet, flocked to other encrypted messaging apps like Telegram (now No. 2 in the App Store) and Signal (now No. 1).

But as influential as Musk is, he isn't tweeting in a vacuum. Signal's growth in popularity also came as numerous tech companies, including Facebook and Twitter, began deplatforming Trump and his followers and trying to prevent their technologies from being used in service of further violence. Parler, the right wing's social media alternative, was also booted from the internet; Google and Apple banned it from their app stores and Amazon Web Services stopped hosting the app on its servers.

Signal, typically praised by privacy proponents and left-wing activists, is topping the app stores along with other privacy-focused social media alternatives like MeWe. It's unclear how much the shift to these apps is being buoyed by people from the fringe right in need of new places to communicate. Because of the encrypted nature of the app, it's hard to know (more on that below).

Previously, the number of new Signal users has rocketed up following social or political unrest. Signal downloads spiked after the election of Donald Trump, who rolled back a number of privacy protections. Downloads also grew during Black Lives Matter protests against police violence last spring, as activists strove to organize while staying safe from law enforcement.

"Due to the nature of social apps and how the primary functionality involves communicating with others, their growth can often move quite quickly, based on current events," Amir Ghodrati, director of market insights at App Annie, told Recode.

The mobile data and analytics provider said demand for privacy-focused messaging apps has grown in the last few years, as internet privacy becomes a more mainstream issue and as people spend more time (67 percent more time on average in the first half of 2020) in messaging apps than on social media apps.

Signal is an end-to-end encrypted communications app, available for mobile and desktop. That means users can send texts or make phone or video calls without outsiders or the platform itself seeing the content of those messages. Intercepted messages would look like a string of garbled text and symbols.

Police, for example, would be unable to get access to Signal messages, whether those communiques included political activism or revenge porn. Protesters have preferred the platform as a way to communicate and organize without being spied on by police. A 2016 instance where a grand jury issued a subpoena for Signal data yielded minimal information: when the user registered for the service and when they last used it. Unencrypted apps would allow law enforcement visibility into the messages themselves.

Founded in 2014 by an enigmatic software engineer, white hat hacker and anarchist thinker Moxie Marlinspike, Signal is developed by a nonprofit, which means it's unlikely to be acquired by, say, a big tech company. And unlike big tech companies, the service doesn't sell ads or user data. It's supported by donations, including a $50 million loan from its co-founder, Brian Acton, who also created WhatsApp. WhatsApp is encrypted using Signal's protocol and was acquired by Facebook in 2014. Critics have worried that WhatsApp's ownership by Facebook makes it less secure than Signal.

Signal's software is open sourced, so others can download or copy it. The founder's mission is for end-to-end encryption to become commonplace, even to the point where Signal isn't necessary.

"If we've pushed the envelope as far as we can go and the things we develop become as ubiquitous as possible, we could all focus on other things," Marlinspike told the New Yorker in a profile in October.

While Signal has its downsides, including the fact that it notifies users every time a new contact gets the service and that you can only communicate securely if others have the app, it's generally considered to have good enough privacy for regular people. That is, it's easy to use and generally secure. More secure programs require jumping through more hoops.

Signal is geared more toward direct communication than the broad communication of social media, though it recently increased its group call limit from five to eight users and its group chats top out at 1,000 users. The company has also been rolling out new features like wallpaper and animated stickers. This summer, it released a tool that would automatically blur faces, so people could, say, share videos of protests without identifying the protesters.

It's possible that Signal's most recent surge has been propped up by protesters, this time those on the right. As social media companies are taking a more active stance on what's allowed on their platforms after the violent Capitol riots, it makes sense that those searching for new platforms would turn to ones in which their communications are kept secret.

See the article here:
Is the Signal app safe? The encrypted messaging platform and WhatsApp alternative, explained - Vox.com