Miranda – Page 4 – DoGoodSoft's Official Blog

Facebook to add end-to-end encryption to Messenger app

Facebook has started to introduce a setting to its “Messenger” app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent.

The encrypted feature is currently only available in a beta form to a small number of users for testing, but it will become available to all of its estimated 900-million users by late summer or in the fall, the social media giant said.

The feature will be called “secret conversations”.

“That means the messages are intended just for you and the other person – not anyone else, including us,” Facebook announced in a blog post.

The feature will also allow users to set a timer, causing messages to expire after the allotted amount of time passes.

Facebook is the latest to join an ongoing trend of encryption among apps.

Back in April, Whatsapp, which is owned by Facebook and has more than a billion users, strengthened encryption settings so that messages were only visible on the sending and recipient devices.

Whatsapp had been providing limited encryption services since 2014.

The company says it is now using a powerful form of encryption to protect the security of photos, videos, group chats and voice calls in addition to the text messages sent by more than a billion users around the globe.

Controversy

Encryption has become a hotly debated subject, with some US authorities warning that criminals and armed groups can use it to hide their tracks.

“WhatsApp has always prioritised making your data and communication as secure as possible,” a blog post by WhatsApp co-founders Jan Koum and Brian Acton said, announcing the change at the time.

Like Facebook has until now, Google and Yahoo use less extensive encryption to protect emails and messages while they are in transit, to prevent outsiders from eavesdropping.

Apple uses end-to-end encryption for its iMessage service, but some experts say WhatsApp’s method may be more secure because it provides a security code that senders and recipients can use to verify a message came from someone they know – and not from a hacker posing as a friend.

Full disk encryption flaw could affect millions of Android users

When it comes to vulnerabilities and security, Google’s Android has never been in the good books of security experts or even its users to a great extent. Now, another vulnerability has surfaced that claims to leave millions of devices affected. Security expert Gal Beniamini has now revealed another flaw in Android encryption.

According to the DailyMail, the security researcher has said that Android devices with full disk encryption and powered by Qualcomm processors are at risk of brute force attacks wherein hackers can use persistent trial and error approach. Full disk encryption is on all devices running Android 5.0 onwards. It generates a 128-bit master key for a user’s password. The report adds that the key is stored in the device and can be cracked by malicious minds.

“Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE,” Beniamini explains.

A combination of things like Qualcomm processors verifying security and Android kernels are causing the vulnerability. Google along with Qualcomm is working at releasing security patches, but Beniamini said hat fixing the issue may require hardware upgrade.

“Full disk encryption is used world-wide, and can sometimes be instrumental to ensuring the privacy of people’s most intimate pieces of information. As such, I believe the encryption scheme should be designed to be as “bullet-proof” as possible, against all types of adversaries. As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” he adds.

Lately, encryption debate had taken centre stage when Apple refused to unlock an iPhone belonging to a terrorist involved in San Bernardino shooting. The FBI reportedly managed to break into the device without Apple’s help and is believed to have paid a whopping $13 million to do so.

US wiretap operations encountering encryption fell in 2015

The US government has been very vocal recently about how the increase in encryption on user devices is hampering their investigations. The reality is that according to a report from the Administrative Office of U.S. Courts, law enforcement with court-ordered wiretaps encountered fewer encrypted devices in 2015 than in 2014.

In regards to encrypted devices, the reports states: “The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to seven in 2015. In all of these wiretaps, officials were unable to decipher the plain text of the messages. Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.”

This is out of 2,745 state and 1,403 federal for a grand total of 4,148 wiretaps, an increase of 17 percent over 2014. So while surveillance increased, the amount of times law enforcement encountered encryption decreased.

Earlier this year the Department of Justice and FBI were locked in a court battle with Apple over an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. The government eventually dropped the case after finding a third party to help it bypass the phone’s security.

But it started a national debate about personal devices and encryption. Tech companies want their customers to be secure while law enforcement want backdoors or keys to encrypted devices for investigations. But it looks like when it comes to wiretaps, encryption isn’t as big a problem as many would suspect.

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

WhatsApp’s end-to-end encryption might still be a contentious issue, but on Wednesday the Supreme Court refused to allow a PIL seeking a ban on the popular app and similar messenger services.

The PIL, filed by Gurugram-based RTI activist Sudhir Yadav, said these apps have complete encryption, which poses a threat to the country’s security.

A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, suggesting Yadav could approach the government or Telecom Regulatory Authority of India (TRAI) with his plea.
But Yadav said his application to the department of telecommunication and the government got the response that they did not possess information in this regard. The petitioner contended that end-to-end 256-bit encryption introduced by WhatsApp in April made all messages, chat, call, video, images and documents end-to-end encrypted, and thus it was impossible for security agencies to decode these.

According to him, this could be national security threat for India, as agencies will not be able to track terrorists, who can plan attacks without worrying that the government can access their messages. The RTI petitioner sought to maintain a balance where police agencies can get lawful access to data while keeping information private.

So what is WhatsApp’s end-to-end encryption and why has it become such an issue? For starters, WhatsApp’s end-to-end encryption ensures that a user’s messages, videos, photos sent over the app, can’t be read by anyone else — not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats are end-to-end encrypted.

End-to-end encryption means encryption at the device level and thus your chats, messages, videos are not stored on WhatsApp’s servers at all. The only way to access this data is if your device is compromised and the messages have not been deleted. This encryption is designed to keep out man-in-the-middle attacks.

Given WhatsApp has over a billion users, this end-to-end encryption is a big deal. Let’s not forget that in Brazil, a senior WhatsApp executive was jailed because the company did not hand over data in a court case. WhatsApp claimed the data is encrypted and it does not have access to it.

WhatsApp co-founder Jan Koum, in fact, is known for dedication to user privacy and this is also one of the reasons the app has never sold ads. When WhatsApp announced the end-to-end encryption, Koum wrote, “People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”

WhatsApp has relied on the “The Signal Protocol”, designed by Open Whisper Systems for its end-to-end encryption. What is also significant is the feature is enabled by default on WhatsApp, unlike apps like Telegram where you have to go into a secret chat mode for end-to-end encrypted chats.

WhatsApp is also one of the most popular apps in India. In fact, research has consistently shown it is one of most used apps after Facebook, and it is common for most people in India to be part of various groups on the service. Family, School, College friends, even office groups are present on WhatsApp. End-to-end encryption means all of this data is secure, and can’t be accessed by third-parties including government agencies.

For now the Courts have refused to go for a ban on WhatsApp, and instead directed Yadav towards the government. India per se doesn’t have a law on what kind of encryption third-party apps can used.

As we had noted earlier, the 40-bit encryption limit, which is too low given the current times, is something ISPs and TSPs have to stick with and doesn’t apply to apps.

Until India comes up with an encryption law, WhatsApp remains legal and we’ll have to wait and watch how the encryption versus security agency debate plays out in the country.

Greedy Bart ransomware encrypts files in ZIP archives

A new ransomware threat known as Bart is experimenting with the price it charges victims and encryption strategies.

If your PC is infected by Bart you will be asked to pay three Bitcoin (BTC) or just under $2,000 to regain access to your files, which is significantly more than the usual 0.5 BTC ($300) to 1.5 BTC fee.

Also, you won’t get a decryption key, but rather a password that opens password-protected ZIP archives, where the files of Bart-infected machines have been copied.

While .zip is intended primarily for compression, it also offers encryption. However, as PC World recently pointed out, the program used to create and open the ZIP file determines whether the weak ZipCrypto encryption or the tougher-to-crack AES-256 is used.

Security firm PhishMe noted on Friday that Bart’s use of .zip files for encryption differs from most file encrypting ransomware, which traditionally use a more sophisticated asymmetric, public-private key pair for encryption.

Another distinguishing feature of Bart is that it doesn’t rely on command and control infrastructure in order to tell which PCs the malware should proceed to encrypt and provide instructions to pay the ransom.

Security firm Proofpoint also reported the emergence of Bart on Friday, and said that instead of using a command and control host, it relied on a unique browser identifier in the URL.

The Bart ransomware also won’t run if it detects the user’s system language is Russian, Ukranian, or Belorussian, according to Proofpoint.

Proofpoint also found links between the Bart ransomware and the more widely used Locky ransomware, such as a similar looking payment page, and that it like Locky it is being distributed in spam email. However, Proofpoint also found that the ransomware code itself was “largely unique” from Locky.

Russia encryption grab may require chat backdoors as standard

MOOTED LEGAL CHANGES in Russia may apply a boot to the face of open and private chat messaging services and create a very cold winter for communications.

Reports from the country said that plans to require backdoors in otherwise encrypted chat services are quite advanced and will launch with a mandatory status.

Russia is often accused of messing with internet liberties, but before we get on our high horse we should remember that this is exactly the kind of ambrosia that the UK and US would like to have with their anti-terror breakfast.

Local news site CurrentTime said that companies resisting the anti-terror laws could be fined, and names WhatsApp as the kind out of service that would be involved.

The report explained that senator Elena Mizulina referred to a research group of some kind, and some ill repute, called the League of Safe Internet that had uncovered evidence of unwelcome underground operations including “a number of closed groups where teenagers [are] brainwashed to kill police officers”.

She added that perhaps it is time to start nipping such activity in the bud and that Russia could “maybe go back to the idea of pre-filtering [messages] as we cannot look at it in silence”.

CurrentTime has a clip of the legislation and it does seem as though Russia will ensure that the right level of deterrent is in place.

“Failure to comply with the organiser of the dissemination of information on the internet obligation to submit to the federal executive authority in the field of safety information required for decoding the received, sent, delivered or processed by electronic communications,” said the bill.

“It is proposed to punish by a fine of ₽3,000 to ₽5,000 [£32 to £52] for citizens, ₽30,000 to ₽50,000 [£316 to £528] for officials and ₽800,000 to ₽1m [£8,450 to £10,565] for legal entities.” µ.

Apple to expand encryption on Macs

Apple is amping up its commitment to encryption.

The company is beginning the first major overhaul of the Mac filing system — the way it stores files on the hard drive — in more than 18 years. The move was quietly announced during a conference break out session after Apple’s blockbuster unveiling of its new operating system MacOS Sierra.

Amidst other new features, including the ability to place timestamps on files accurate to fractional seconds and a more efficient mechanism to clone files, the new Apple File System (APFS) updates file encryption.
The new system allows files to be encrypted with multiple keys, providing an extra layer of security against attackers or, to the FBI’s recent chagrin, law enforcement agencies.

The shift comes after Apple faced vocal criticism for its commitment to encrypted data after refusing to unlock an iPhone used by one of the shooters in the San Bernardino, Calif, terrorist attack.

Currently, on computers using OSX’s encryption, files are encrypted using the same key. The operating system unlocks the files on computers where a user has logged in. If an attacker compromises the key or attacks the computer when a user has logged in, the files are no longer encrypted.

On APFS, users will have the option to encrypt different segments of the file storage system with different keys. Access to one file wouldn’t mean access to all of them.

APFS will also encrypt the metadata contained in each file.

The new file system will released in 2017, months after Sierra’s release.

Apple Echoes Commitment to Encryption after Orlando Shooting

Apple used the kickoff of its Worldwide Developers Conference Monday to reaffirm the company’s stance on encryption and data monetization, one day after the most deadly mass shooting in U.S. history threatened to rekindle the debate surrounding the use of the technology.

“In every feature that we do, we carefully consider how to protect your privacy,” Apple senior vice president of software engineering Craig Federighi told conference attendees in San Francisco Monday.

Federighi said that includes the Cupertino-based company’s commitment “to use end-to-end encryption by default,” and described a new policy at Apple known as “differential privacy,” which incorporates using machines to learn how users use Apple products via crowdsourced data, while not tracking specific data back to individual users.

Federighi’s keynote came one day after 29-year-old Omar Mateen shot and killed 49 people at a gay nightclub in Orlando early Sunday, and who authorities later said pledged allegiance to ISIS during the attack.

The scenario echoes last year’s shooting in San Bernardino, where two attackers later found to have made a similar pledge to the Islamic extremist terror group were found in possession of an iPhone after a shootout with police that left both dead. The FBI asked Apple to bypass the device’s encryption as part of their investigation — a request Apple refused, prompting a court battle that ended prematurely after the FBI found a third-party to crack the phone’s encryption.

Investigators recovered a phone from Mateen after he died in Sunday’s attack, but have declined to identify its make. Regardless of whether the device is an Apple product, the shooting could easily become fodder for those in government pushing for a back door into encrypted communication platforms like Apple’s, especially given the increasing number and popularity of encryption applications like Telegram of the Facebook-owned WhatsApp.

“We are going through the killer’s life — especially his electronics — to understand as much as we can about his path and whether there was anyone else involved, either in directing him or in assisting him,” FBI Director James Comey said Monday.

The FBI director said investigators are confident Mateen was self-radicalized online.

Comey has repeatedly testified before Congress on the emerging issue of terrorists and criminals “going dark” online as a result of their use of communication platforms with end-to-end encryption, which in Apple’s case, not even the company itself can access without a user’s PIN.

The tug of war between privacy and security has spread from cases still pending in court against Apple and others to Congress, where lawmakers have offered several legislative proposals to discuss or even mandate law enforcement cooperation, all the way up to the 2016 presidential election, with Donald Trump calling for a “boycott” of Apple products.

Apple CEO Tim Cook opened the conference Monday by leading the crowd in a moment of silence for the victims of Sunday’s shooting.

“The Apple community is made up of people from all around the world, all different backgrounds, all different points of view,” said Cook, who came out as gay in 2014. “We celebrate our diversity.”

“We offer our deepest sympathies to everyone whose lives were touched by this violence,” he continued, “this senseless, unconscionable act of terrorism, of hate aimed at dividing and destroying.”

Cook wrote an open letter earlier this year in the wake of the San Bernardino debate pushing back against the FBI’s attempt to force the company into cooperating.

Amazon is going to remove encryption capabilities of its Kindle Fire, Rumours says Apple & FBI Case is reason – Lansing Technology Time

According to Amazon, Removing Kindle Fire,Fire OS 5’s onboard encryption is not a new development, and it’s not related to the iPhone fight

Amazon said that the Fire OS 5 update removed local device encryption support for the Kindle Fire, Fire Phone, Amazon Fire HD, or Amazon Fire TV Stick was because the feature simply wasn’t being used.

Privacy advocates and some users criticized the move, which came to light on Thursday even as Apple Inc was waging an unprecedented legal battle over U.S. government demands that the iPhone maker help unlock an encrypted phone used by San Bernardino shooter Rizwan Farook.

On-device encryption scrambles data so that the device can only be accessed if the user enters the correct password. Cryptologist Bruce Schneier said Amazon’s move to remove the feature was “stupid” and called on the company to restore it.

Amazon’s move is a bad one. But it’s not a retreat in the face of Apple-FBI pressures

One of the features removed includes one that allowed owners to encrypt their device with a pin which, if entered incorrectly 30 times in a row, deletes all the data stored on it. The feature is similar to the safety feature found on the iPhone at the center of the San Berardino shooter trial, which erases all the device data if the passcode is entered incorrectly ten times.

Amazon joined other major technology companies in filing an amicus brief supporting Apple on Thursday, asking a federal judge to overturn a court order requiring Apple to create software tools to unlock Farook’s phone.

Amazon spokeswoman Robin Handaly said in an email that the company had removed the encryption feature for Kindle Fire tablets in the fall when it launched Fire OS 5, a new version of its tablet operating system.

“It was a feature few customers were actually using,” she said, adding that Kindle Fire tablets’ communication with the company’s cloud meets its “high standards for privacy and security including appropriate use of encryption.”

Encryption expert Dan Guido said that Amazon may have eliminated the feature to cut component costs for tablets that sell for as low as $50.

But digital privacy advocates and customers said those arguments were not good enough reasons for discontinuing the feature.

“Removing device encryption due to lack of customer use is an incredibly poor excuse for weakening the security of those customers that did use the feature,” said Jeremy Gillula, staff technologist with the Electronic Frontier Foundation.

“Given that the information stored on a tablet can be just as sensitive as that stored on a phone or on a computer, Amazon should instead be pushing to make device encryption the default – not removing it,” Gillula said.

David Scovetta, a security analyst who owns two Kindle e-readers as well as Amazon’s TV set-top box, said he is now wary of buying new gadgets from the company.

“Amazon could just as easily be encouraging its users to adopt it rather than remove it as a feature. That’s a massive step backwards,” he said.

Fire OS 5 is the first release to use the Android 5.0 “Lollipop” codebase, and as such it is possible that this removal is down to a technical issue (such as battery life or performance). Last year Google reported that it would allow hardware makers to decide whether or not to enable encryption-by-default because of performance issues on older devices.

People are talking about the lack of encryption today because the OS update is only now hitting older devices, like the fourth-generation Fire HD and Fire HDX 8.9. Despite how neatly the sudden forfeiture of encryption by a tech giant fits the Apple-FBI narrative, this encryption deprecation isn’t related to that battle. Instead, Amazon appears to have given up onboard encryption without any public fight at all.

UK’s lower house eases up on encryption

The United Kingdom’s House of Commons approved far-reaching authority for spy agencies to access cyber data Tuesday, but pulled back some restrictions on encryption opposed by Apple and Facebook.

The so-called “snooper’s charter,” officially the Investigatory Power Act, codifies intelligence agencies’ use of metadata analysis and malware to hack computers that has been ongoing in the U.K. It requires communications companies to maintain records of customers’ web browsing for a full year to assist investigations.
But the final version eased up on restrictions on encryption. Early drafts of the law mandated encryption include backdoor access – an issue that recently sparked a battle between Apple and the FBI in the U.S. The version passed Tuesday requires only that companies help break encryption if it is reasonable in terms of cost and technology.

That would keep the kinds of encryption used on Apple phones and Facebook’s newly announced end-to-end encrypted messaging service off the table. When properly implemented, neither would be technologically possible to crack.

The changes to encryption were one of a few amendments meant to assuage concerns about the law’s effect on privacy. Civil liberties groups are still unhappy with the complete product, though interior minister Theresa May called the safeguards “world leading.”

The final vote on the IPA was 444-69. It now heads to the House of Lords for their approval.