Miranda – Page 24 – DoGoodSoft's Official Blog

Yahoo Rolls Out End-To-End Encryption For Email

Back in 2012 (pre-Snowden!), we wrote about why Google should encrypt everyone’s emails using end-to-end encryption (inspired by a post by Julian Sanchez saying the same thing. Since then, securing private communications has become increasingly important. That’s why we were happy to see Google announce that it was, in fact, working on a project to enable end-to-end encryption on Gmail, though it was still in the early stages. In December of last year, Google moved that project to Github, showing that it was advancing nicely. As we noted at the time, one interesting sidenote on this was that Yahoo’s Chief Security Officer, Alex Stamos, was contributing to the project as well.

Thus it’s not surprising, but still great to see, that Stamos has now announced the availability of an end-to-end encryption extension for Yahoo Mail (also posted to Yahoo’s Github repository). It appears to function similarly to existing third-party extensions (like Mailvelope), but it’s still good to see the big webmail providers like Yahoo and Google taking this issue more seriously. It’s still not ready for prime time, and it’s unlikely that either provider is going to make this a default option any time soon, but offering more, better (and more user friendly) options to give everyone at least the option of doing end-to-end encryption is a very good sign.

It also raises a separate issue that I think is important: many have argued that companies like Yahoo and especially Google would never actually push for end-to-end encryption of emails, because it takes away the ability of those companies to do contextual advertising within those emails. But that’s an exceptionally short-sighted view. If Google, Yahoo and others don’t do enough to protect their users’ privacy, those users will go elsewhere, and then it won’t matter whether or not the emails are encrypted, because they won’t see them anyway. Focusing on the user first is always going to be the right solution, and that includes encrypting emails, even if it means slightly less ad revenue in the short term. Hopefully, Google, Yahoo and others remember this simple fact.

Can software-based POS encryption improve PCI compliance?

In the wake of the recent Verizon report that shows that 80 percent are out of PCI DSS compliance between audits, some vendors are urging the PCI Council to consider approving software-based point-to-point encryption, in addition to the current hardware-based standard.

PCI-approved, hardware-based P2PE allows merchants to drastically shrink the systems subject to compliance, reducing both risks and costs, and will make it easier to stay compliant.

Self-destructing hardware is a “security bonus,” but in general, hardware-based P2PE technology is not as useful for merchants, says Shift4 CEO Dave Oder, whose company is one of the largest software-based P2PE providers.

MORE ON CSO: What is wrong with this picture? The NEW clean desk test

“The vast majority of retailers who have P2PE in use today are using a software-based decryption method provided by Shift4 or one of our competitors,” he said.

According to Oder, software-based P2PE, combined with tokenization, is a secure alternative to hardware-based encryption, and should be allowed under the PCI DSS standard.”The trouble is, PCI is refusing to validate certain types of security solutions even though they are more secure and more useful to merchants than what is currently validated,” he said.

Hardware-based encryption creates a potential single point of failure and is not designed to handle the level of transaction volume and uptime required in the payments industry, he said.

“The PCI Council has not released a software-based P2PE standard that would allow for both decryption and key management outside of a hardware security module,” he said. “Much of the industry is waiting for that and the delay is harming merchants.”

According to Shift4 marketing manager Nathan Casper, merchants with no encryption at all have a self-assessment questionnaire with more than 280 requirements. Merchants with hardware-based encryption have one with just 19 questions. Merchants with software-based encryption get the 280-question form — but only answer those same 19 and put “not applicable” to the rest.

“The part that makes this frustrating to these large merchants is that they are almost always required to employ the assistance of a Qualified Security Assessor to oversee their assessment,” he said. That’s tens of thousands of dollars, or more, spent on someone checking the same “N/A” box 261 times.

Another vendor promoting a software-based encryption alternative is Irvine, Calif.-based Secure Channels, Inc., which offers both hardware and software-based solutions.

“There are software based solutions where the decryption key is hidden in the packet,” said Secure Channels CEO Richard Blech. “There are means contained in the software to have a secure key exchange that completely bypasses the need for a hardware security module. Merchants are being harmed without this solution.”

However, according to Sam Pfanstiel, director of solutions at Atlanta-based Bluefin Payment Systems LLC, there is an excellent reason to stick with the hardware-based requirement.

“Through software-based encryption, you’re performing encryption in memory, and that memory is highly susceptible to memory scraping,” he said. “That is a vector of attack that has been used in almost every cardholder data breach of the last 18 months.”

Hardware-based encryption, by comparison, puts the encryption mechanism — the plain text data — inside a hardware security module that self-destructs if tampered with.

“Bluefin stands firmly on the belief that only hardware-based encryption provides adequate controls to address the attack vectors prevalent in the industry today,” he said.

Bluefin used to be on the other side, he added.

“When the PCI standard was first released, we had a software-based solution in place, and had to look at what PCI was recommending,” he said. “We decided that the new standard represented better cardholder protection.”

Two and a half years and several million dollars of investment later, Bluefin has replaced its software-based encryption with hardware.

“Ease of deployment is only a concern for encryption providers who fail to comply with the new standards and continue to use older technology to perform their encryption and decryption,” said Pfanstiel.

Today, there are currently over 160 validated devices that support hardware-based encryption, he said. “And the list grows every day.”

Tired of forgetting your password? Yahoo says you don’t need one any more

Tired of forgetting your password? Yahoo says you don't need one any more

Passwords: easily forgotten, but also easily guessed. It’s a bitter irony that minutes can be spent racking brains trying to remember whether a required security question answer is a pet’s name, first school or place of birth – meanwhile a cyber-criminal is merrily typing in a person’s favourite colour and relieving bank accounts of hard-earned wages.

Well, now Yahoo might have made the process easier – at least when it comes to accessing email.

The Californian tech giant is rolling out “on-demand” email passwords, based around phone notifications, and eliminating entirely the need to memorise a fixed password.

Yahoo Mail now offers a service similar to “two-step verification”, a security measure employed by other email providers, but the difference is the removal of the first step.

The password system is opt-in and can be accessed from Yahoo Mail’s landing page. Photograph: Yahoo screengrab

Two step verification works by a user logging in with their usual fixed password, after which the email provider sends a unique code to their mobile phone, which is then entered on the login screen, allowing the user to access their email account.

Yahoo’s new security process will remove the need for users to enter a fixed password first, and instead just send a four-letter password to a user’s phone via text.

Unveiling the service at the South by Southwest festival in Austin, Texas, Yahoo’s vice president of product management for consumer platforms Dylan Casey said: “This is the first step to eliminating passwords. I don’t think we as an industry has done a good enough job of putting ourselves in the shoes of the people using our products.”

A blog post written by the company’s director of product manager, Chris Stoner, explains the steps:

1. Sign in to your Yahoo.com account.

2. Click on your name at the top right corner to go to your account information page.

3. Select “Security” in the left bar.

4. Click on the slider for “On-demand passwords” to opt-in.

5. Enter your phone number and Yahoo will send you a verification code.

6. Enter the code and voila!

The “on-demand” password service is opt-in and currently only available in the US.

Also announced at the festival was Yahoo’s forthcoming project on end-to-end encryption. Based on Google’s alpha Chrome PGP encryption plugin, Yahoo hopes to make the service available in autumn 2015.

Yahoo puts email encryption plugin source code up for review

Yahoo released the source code for a plugin that will enable end-to-end encryption of email messages, a planned data-security improvement prompted by disclosures of U.S. National Security Agency snooping.

The company is asking security experts to look at its code, published on GitHub, and report vulnerabilities, wrote Alex Stamos, Yahoo’s chief information security officer, in a blog post.

The plugin should be ready by year end, wrote Stamos, who gave a presentation on Sunday at the South by Southwest conference in Austin, Texas.

Yahoo and Google have been collaborating to make their email systems compatible with end-to-end encryption, a technology based on the public-key cryptography standard OpenPGP. End-to-end encryption is not widely used, as it can be difficult for non-technical users to set up.

The technology encrypts a message’s contents so only the sender and recipient can read it. A message’s subject line is not encrypted, however, and neither is the routing metadata, which can’t be scrambled since it is needed in order to send a message.

A video included in the post by Stamos showed how someone could set up an encrypted message much faster using the company’s plugin versus using GPG Suite, a software package for sending encrypted email on Apple’s OS X.

Yahoo vowed to improve its data security after documents leaked by former NSA contractor Edward Snowden showed the spy agency had penetrated the company’s networks as well as those of many others, including Google.

Email encryption is one of a number of security improvements Yahoo and Google have undertaken.

In March 2014, Yahoo began encrypting traffic flowing between its data centers after information from Snowden indicated the NSA had access to those connections.

Google also encrypts connections between its data centers. Like Yahoo, the company has published its Chrome extension for end-to-end encryption on GitHub as well.

China backs off legal push that would force foreign tech companies to hand over encryption keys

“They have decided to suspend the third reading of that particular law, which has sort of put that on hiatus for the moment,” White House Cybersecurity Coordinator Michael Daniel said earlier this week, asnoted by Reuters. “We did see that as something that was bad not just for U.S. business but for the global economy as a whole, and it was something we felt was very important to communicate very clearly to them.”

If China has pressed forward, it could have put Apple in an impossible position. China is one of the company’s most important markets, but chief executive Tim Cook has staunchly opposed any attempts to violate the privacy of Apple’s customers.

While there are “rumors of us keeping backdoors and providing data to third parties,” Cook is said to have told top Chinese internet regulator Lu Wei during a meeting last year, the company has “never had any backdoors and never will.”

Cook was even more emphatic during an appearance at the White House’s Summit on Cybersecurity and Consumer Protection, held last month at Stanford University.

“If those of us in positions of responsibility fail to do everything in our power to protect the right of privacy, we risk something far more valuable than money,” Cook said. “We risk our way of life.”

Personal privacy is especially important “in a world in which that information can make the difference between life and death,” he added.

A similar set of Chinese government regulations aimed at companies competing for large-scale infrastructure projects has not been affected. Those guidelines call not only for backdoors, but also for companies interested in selling software or hardware to turn over their source code to the government.

How Encryption Software Works in Enterprises’Data Leakage-proof?

For modern enterprises, the trend in information computerization’s development means the data is not only the assets, but is the reflection of enterprise’s core competitiveness. To make your enterprises remain invincible in the fierce business competition, you should protect the sensitive and key data of enterprise effectively. In reality, data leakage will lead to economic losses or even more troubles.

With the development of Internet, the boundary between Intranet and Extranet is becoming blurred because the Intranet and outside world have been linked closely by Email and IMs. Traditional preventive measures like Firewall, Intrusion Detection and Anti-Virus appeared to be inadequate in the protection of sensitive data.

Why Enterprises establish Leakage-proof system

For enterprises, the internal data security is closely bound up with the enterprise security and normal operation of routine work. In some special circumstances, data security is the major part of business, directly related to the survival of enterprise. Based on this case, it is necessary to establish the relevant strategies, so that the effective leakage-proof system can be set up. Only in this way, the enterprise security can be ensured.

From the point of system value, it’s the question that data leakage in two areas, that is transmission and storage. From a security perspective, it needs a more comprehensive safety and preventive mechanism to realize the all-round protection. So how can we protect the enterprises’ data security fundamentally?

How encryption software works in enterprises’ data leakage-proof

To secure the data security of enterprise by the roots, it is suggested to choose a professional encryption software to encrypt data, because the encryption works on the data directly. As long as the encryption algorithm is not cracked, the data still remains safety.

Here an excellent encryption software called Best Encryption Expert is highly recommended, which supports features like file encryption, folder encryption, data shredding, folder protection and disk protection. Besides, there are various encryption types for users to choose. The encrypted files are copy-proof, remove-proof and delete-proof, in this way, the possibility of file leakage reduces a lot, while the security promotes greatly.

How to encrypt data with Best Encryption Expert

1. Download the software from official website or other download sites, and then install it.

2. Right-click a file to encrypt, and then choose Best Encryption in the system menu.

3. Enter the encryption password in the pop-up window, choose the favorable encryption type, and then click “OK”, that’s it.

Official download address: http://www.dogoodsoft.com/best-encryption-expert/free-download.html

Computer-stored encryption keys are not safe from side-channel attacks

Computer-stored encryption keys are not safe from side-channel attacks Figure A: Tel Aviv University researchers built this self-contained PITA receiver.

Not that long ago, grabbing information from air-gapped computers required sophisticated equipment. In my TechRepublic column Air-gapped computers are no longer secure, researchers at Georgia Institute of Technology explain how simple it is to capture keystrokes from a computer just using spurious electromagnetic side-channel emissions emanating from the computer under attack.

Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer, researchers at Tel Aviv University, agree the process is simple. However, the scientists have upped the ante, figuring out how to ex-filtrate complex encryption data using side-channel technology.

The process

In the paper Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation (PDF), the researchers explain how they determine decryption keys for mathematically-secure cryptographic schemes by capturing information about secret values inside the computation taking place in the computer.

“We present new side-channel attacks on RSA and ElGamal implementations that use the popular sliding-window or fixed-window (m-ary) modular exponentiation algorithms,” the team writes. “The attacks can extract decryption keys using a low measurement bandwidth (a frequency band of less than 100 kHz around a carrier under 2 MHz) even when attacking multi-GHz CPUs.”

If that doesn’t mean much, this might help: The researchers can extract keys from GnuPG in just a few seconds by measuring side-channel emissions from computers. “The measurement equipment is cheap, compact, and uses readily-available components,” add the researchers. Using that philosophy the university team developed the following attacks.

Software Defined Radio (SDR) attack: This comprises of a shielded loop antenna to capture the side-channel signal, which is then recorded by an SDR program installed on a notebook.

Portable Instrument for Trace Acquisition (PITA) attack: The researchers, using available electronics and food items (who says academics don’t have a sense of humor?), built the self-contained receiver shown in Figure A. The PITA receiver has two modes: online and autonomous.

Online: PITA connects to a nearby observation station via Wi-Fi, providing real-time streaming of the digitized signal.

Autonomous: Similar to online mode, PITA first measures the digitized signal, then records it on an internal microSD card for later retrieval by physical access or via Wi-Fi.

Consumer radio attack: To make an even cheaper version, the team leveraged knowing that side-channel signals modulate at a carrier frequency near 1.7 MHz, which is within the AM radio frequency band. “We used a plain consumer-grade radio receiver to acquire the desired signal, replacing the magnetic probe and SDR receiver,” the authors explain. “We then recorded the signal by connecting it to the microphone input of an HTC EVO 4G smartphone.”

Cryptanalytic approach

This is where the magic occurs. I must confess that paraphrasing what the researchers accomplished would be a disservice; I felt it best to include their cryptanalysis description verbatim:

“Our attack utilizes the fact that, in the sliding-window or fixed window exponentiation routine, the values inside the table of ciphertext powers can be partially predicted. By crafting a suitable ciphertext, the attacker can cause the value at a specific table entry to have a specific structure.

“This structure, coupled with a subtle control flow difference deep inside GnuPG’s basic multiplication routine, will cause a noticeable difference in the leakage whenever a multiplication by this structured value has occurred. This allows the attacker to learn all the locations inside the secret exponent where the specific table entry is selected by the bit pattern in the sliding window. Repeating this process across all table indices reveals the key.”

Figure B is a spectrogram displaying measured power as a function of time and frequency for a recording of GnuPG decrypting the same ciphertext using different randomly generated RSA keys. The research team’s explanation:

“It is easy to see where each decryption starts and ends (yellow arrow). Notice the change in the middle of each decryption operation, spanning several frequency bands. This is because, internally, each GnuPG RSA decryption first exponentiates modulo the secret prime p and then modulo the secret prime q, and we can see the difference between these stages.

“Each of these pairs looks different because each decryption uses a different key. So in this example, by observing electromagnetic emanations during decryption operations, using the setup from this figure, we can distinguish between different secret keys.”

Computer-stored encryption keys are not safe from side-channel attacks Figure B: A spectrogram

Any way to prevent the leakage?

One solution, albeit unwieldy, is operating the computer in a Faraday cage, which prevents any spurious emissions from escaping. “The cryptographic software can be changed, and algorithmic techniques used to render the emanations less useful to the attacker,” mentions the paper. “These techniques ensure the behavior of the algorithm is independent of the inputs it receives.”

Interestingly, the research paper tackles a question about side-channel attacks that TechRepublic readers commented on in my earlier article, “It’s a hardware problem, so why not fix the equipment?”

Basically the researchers mention that the emissions are at such a low level, prevention is impractical because:

Any leakage remnants can often be amplified by suitable manipulation as we do in our chosen-ciphertext attack;

Leakage is often an inevitable side effect of essential performance-enhancing mechanisms.

Something else of interest: the National Institute of Standards and Technology (NIST) considers resistance to side-channel attacks an important evaluation consideration in its SHA-3 competition.

CIA spent last 10 years cracking Apple’s encryption

The CIA has been trying to crack Apple’s encryption for nearly 10 years.

According to a report by The Intercept, the CIA began trying to crack Apple’s encryption in 2006 using funds from the “black budget.” The researchers who worked on breaking down Apple’s privacy wall were purportedly based at Sandia National Laboratories.

Although the report did expose the CIA’s effort, it did not tell us much about whether or not the agency succeeded in meeting their objectives. What it did tell us was Apple became a big enough thorn in the eyes of these secretive agencies that they had to invest heavily to crack the privacy barrier put in place to protect consumers.

Apple isn’t the only tech giant on the radar when it comes to issues regarding national security. Companies such as Facebook, Google and Microsoft have all been probed by government agencies. How much information exchanged hands within the last couple years is unknown, but as the stories continue to unearth themselves it is clear that there are growing distrusts between these companies and their users.

Google and Apple both announced recently that it has either made or will make changes to the encryptions to protect the privacy of consumers. Apple said last September that it altered its encryption method on the iPhone so that even the company couldn’t access its users’ data.

Apple rules its ecosystem with an iron fist, but the same can’t be said about Google and its partners utilizing the Android platform. Google may have the intentions of beefing up the system’s security features, but to apply them on most Android-based handsets around the world is a task that’s nearly impossible.

How to Encrypt Data on Portable Hard Drives with Encryption Software?

In recent years, portable hard drives play a major role in the field of data storage, so people pay more and more attention to its security. Just think of that you stored all of your personal documents, private images, user info and other important data on a normal portable hard drive, which is unavoidably stolen or lost. Portable hard drives, as a common storage medium, have been widely used in various aspects. So how to safely use portable hard drives with private data stored?

If you want to ensure the safety of data on portable hard drives fundamentally, you are suggested to encrypt the portable hard drives. Thus even your original data is illegally accessed by others, if the encryption algorithm is not broken, the stolen data cannot be read directly, and the danger of data misuse can be reduced as well.

How it works

Portable hard drives encryption is to run certain encryption software in operating system to complete the encryption and decryption of data. The encryption is so easy that it can be realized economically. Here a professional encryption software for portable hard drives is highly recommended, that is USB Encryptor, which can encrypt files and folders in USB drives and portable hard drives, shared folders are also included. Besides, this software features perfect removability, superfast encryption and decryption, and high encryption strength.

The features of USB Encryptor

1. High Confidentiality

With the advanced encryption algorithm, the encryption on your files and folders are super strong, so the security of your encrypted data can be ensured.

2. Easy to use

It is easy to encrypt data on USB devices, and the USB device can be accessed on any computer without installation again.

3. Portable encryption

When the file or folder is encrypted in portable hard drives, it will be carried to anywhere and visited anytime.

How to encrypt

1. Download USB Encryptor from official website (www.dogoodsoft.com), and unzip the ude.exe file to the place where the data to be encrypted is stored.

2. Set the software password (the default password for trial version is 888888, the full version user can change it as you wish), and click “OK” to enter the main window of software.The top of window is the functional area, below are two lists – the left displays the files and folders in disk with no encryption, the right are the encrypted file and folders.The top of window is the functional area, below are two lists – the left displays the files and folders in disk with no encryption, the right are the encrypted file and folders.

When encryption, you can choose to Flash-Encrypt Drive, so all of your files and folders will be transferred from left list to right, that is, all these data have been encrypted except for ude.exe file and some system folders.

If you need to use the encrypted data, just double click the specified file or folder in Decrypt Area, and it will be opened automatically.

Kindly note that if you want to protect the data on portable hard drives, first you should choose a good-quality portable hard drive, next is to use a professional encryption software.

Encryption is gone, communications minister Muthambi restates

Government-provided set-top boxes for digital terrestrial television will not contain conditional access based on encryption, and prospective pay-television operators wanting to use such a system will have to deploy their own boxes to subscribers.

That’s according to a statement, issued at the weekend by communications minister Faith Muthambi, in which she makes it clear that conditional access will not feature in the final amended policy on broadcasting digital migration.

The move appears to be a victory for MultiChoice and the SABC, which have opposed encryption in the free-to-air boxes that consumers will need to receive digital terrestrial broadcasts.

The set-top boxes, which will be provided free of charge to as many as 5m households (previously the plan was to provide a subsidy), will still contain a control system. But it won’t employ conditional access and so can’t be used by pay-TV operators. Instead, the minister says, it’s simply a security mechanism that, among other things, will prevent set-top boxes from being used outside South Africa’s borders.

It appears, although it’s not completely clear yet, that the decision means that there will be no restriction on the use of internationally manufactured set-top boxes in South Africa and that modern TVs with integrated digital receivers — those based on the DVB-T2 digital broadcasting standard — will work in South Africa.

In her statement, Muthambi says the control system agreed to by cabinet “does not mean a conditional access system … [or] an encryption of the signal to control access to content by viewers”.

Rather, it is a “security feature to encourage the local electronics manufacturing sector”.

“The set-top box must have minimal switching (on/off) security features to protect the subsidised set-top boxes from theft or leaving South Africa’s borders,” she says.

It must have capabilities to provide government information and services, she adds.

“The new policy position does not in any way prohibit any broadcaster who will want to include conditional access in the provision of broadcasting services to its customers. It is the firm view of the department that broadcasters who will want to do that should make their own investment in the acquisition of a conditional access system.”

MultiChoice, which owns DStv, has long argued that providing a conditional access system in government-subsidised set-top boxes would amount to unfair competition as it would allow prospective pay-TV rivals to launch services without the heavy upfront investment associated with building such a platform.

It has argued, too, that encryption in free-to-air set-top boxes is complex and ultimately runs counter to consumers’ interests.

But rival e.tv has argued, among other things, that encryption is vital to ensure free-to-air broadcasters can secure the latest international content to compete more effectively with DStv.

In her statement, Muthambi also confirms government’s new position is that set-top boxes will be provided free of charge to 5m poor television households. Previously, a partial subsidy had applied.

Distribution of the free boxes will prioritise households in border regions to minimise signal interference from neighbouring countries. After 17 June, the International Telecommunication Union, an agency of the United Nations, will no longer protect countries that have not completed their migration projects from this interference.