FBI chief wants ‘backdoor access’ to encrypted communications to fight Isis

The director of the Federal Bureau of Investigation has warned US senators that the threat from the Islamic State merits a “debate” about limiting commercial encryption – the linchpin of digital security – despite a growing chorus of technical experts who say that undermining encryption would prove an enormous boon for hackers, cybercriminals, foreign spies and terrorists.

In a twin pair of appearances before the Senate’s judiciary and intelligence committees on Wednesday, James Comey testified that Isis’s use of end-to-end encryption, whereby the messaging service being used to send information does not have access to the decryption keys of those who receive it, helped the group place a “devil” on the shoulders of potential recruits “saying kill, kill, kill, kill”.

Comey said that while the FBI is thus far disrupting Isis plots, “I cannot see me stopping these indefinitely”. He added: “I am not trying to scare folks.”

Since October, following Apple’s decision to bolster its mobile-device security, Comey has called for a “debate” about inserting “back doors” – or “front doors”, as he prefers to call them – into encryption software, warning that “encryption threatens to lead us all to a very, very dark place.”

But Comey and deputy attorney general Sally Quillian Yates testified that they do not at the moment envision proposing legislation to mandate surreptitious or backdoor access to law enforcement. Both said they did not wish the government to itself hold user encryption keys and preferred to “engage” communications providers for access, though technicians have stated that what Comey and Yates seek is fundamentally incompatible with end-to-end encryption.

Comey, who is not a software engineer, said his response to that was: “Really?” He framed himself as an advocate of commercial encryption to protect personal data who believed that the finest minds of Silicon Valley can invent new modes of encryption that can work for US law enforcement and intelligence agencies without inevitably introducing security flaws.

While the FBI director did not specifically cite which encrypted messaging apps Isis uses, the Guardian reported in December that its grand mufti used WhatsApp to communicate with his former mentor. WhatsApp adopted end-to-end encryption last year.

“I think we need to provide a court-ordered process for obtaining that data,” said Dianne Feinstein, the California Democrat and former intelligence committee chair who represents Silicon Valley.

But Comey’s campaign against encryption has run into a wall of opposition from digital security experts and engineers. Their response is that there is no technical way to insert a back door into security systems for governments that does not leave the door ajar for anyone – hackers, criminals, foreign intelligence services – to exploit and gain access to enormous treasure troves of user data, including medical records, financial information and much more.

The cybersecurity expert Susan Landau, writing on the prominent blog Lawfare, called Comey’s vision of a security flaw only the US government could exploit “magical thinking”.

Comey is aided in his fight against encryption by two allies, one natural and the other accidental. The natural ally is the National Security Agency director, Michael Rogers, who in February sparred with Yahoo’s chief of information security when the Yahoo official likened the anti-crypto push to “drilling a hole in the windshield”, saying: “I just believe that this is achievable. We’ll have to work our way through it.” The Guardian, thanks to Edward Snowden’s disclosures, revealed in September 2013 that the NSA already undermines encryption.

The less obvious ally is China, whom the FBI blamed last month for stealing a massive hoard of federal personnel data.

In May, China unveiled a national security law calling for “secure and controllable” technologies, something US and foreign companies fear is a prelude to a demand for backdoor entry into companies’ encryption software or outright provision of encryption keys.

Without ever mentioning his own FBI director’s and NSA director’s similar demands, Barack Obama castigated China’s anti-encryption push in March. Obama has also declined to criticize efforts in the UK, the US’s premier foreign ally, to undermine encryption. Prime minister David Cameron is proposing to introduce legislation in the autumn to force companies such as Apple, Google and Microsoft to provide access to encrypted data.

Under questioning from some skeptical senators, Comey made a number of concessions. When Ron Wyden, an Oregon Democrat, asked if foreign countries would attempt to mandate similar access, Comey replied, “I think they might.” The director acknowledged that foreign companies, exempt from any hypothetical US mandate, would be free to market encryption software.

In advance of Comey’s testimony, several of the world’s leading cryptographers, alarmed by the return of a battle they thought won during the 1990s “Crypto Wars”, rejected the effort as pernicious from a security perspective and technologically illiterate.

A paper they released on Tuesday, called “Keys Under Doormats”, said the transatlantic effort to insert backdoors into encryption was “unworkable in practice, raise[s] enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm”.

Asked by Feinstein if the experts had a point, Comey said: “Maybe. If that’s the case, I guess we’re stuck.”

Kevin Bankston of the New America Foundation called into question the necessity of Comey’s warnings that encryption would lead to law enforcement “going dark” against threats. Bankston, in a Tuesday blogpost, noted that the government’s latest wiretap disclosure found that state and federal governments could not access four encrypted conversations out of 3,554 wiretapped in 2014.

Yet Yates said both that the Justice Department was “increasingly” facing the encryption challenge and that she lacked the data quantifying how serious the challenge was. Yates told the Senate judiciary committee that law enforcement declined to seek warrants in cases of encrypted communications and did not say how often it made such a decision.

OpenSSL to Patch Critical Mystery Bug on Thursday

The OpenSSL project team has sent a rather cryptic alert that it will be patching a high severity bug this Thursday, July 9.

The announcement is terse: “The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”

Unfortunately, the mystery bug is likely to be a big deal. OpenSSL is a security standard encrypting communications between users and the servers provided by a majority of online services. As such, it’s a basic component of a wide swath of the web, affecting various applications and systems, and even embedded devices. That’s one of the reasons why the Heartbleed flaw took months and months to patch even after an update was released.

Heartbleed, a mistake written into OpenSSL, made it viable for hackers to extract data from massive databases containing user names, passwords, private data and so on.

According to OpenSSL’s security policy, “high-severity” flaws are those that affect common configurations and are likely to be exploitable. These can range from server denial-of-service to significant leak of server memory to remote code execution.

“This type of a pre-announcement is intended to give organizations a chance to prepare,” Tim Erlin, director of IT security and risk strategy at Tripwire, said via email. “A huge part of the heartburn with Heartbleed came from the scramble to identify where organizations were vulnerable and how to apply patches. In this case, a little organization can go a long way to a smoother patching cycle. Software vendors who use OpenSSL can be prepared to patch their code and ship new versions faster, and end-users can inventory where they have OpenSSL and set up appropriate testing environments ahead of time.”

FBI director James Comey calls for ‘robust debate’ to limit digital encryption to combat terror groups

FBI director James Comey has called for public debate on the use of encrypted communications, claiming Americans may not realise how radical groups and criminals are using the technology.

Mr Comey’s comments in a blog post appeared to seek further public support for his view — first expressed last year — that improved encryption being developed for digital devices could hinder the efforts of US law enforcement and intelligence operations.

While the FBI chief’s comments sparked criticism in the tech community and among civil liberties activists, Mr Comey said US citizens may not realise how Islamic State (IS) militants used encryption to avoid detection.

“When the government’s ability… to see an individual’s stuff goes away, it will affect public safety,” he wrote on the Lawfare blog. “That tension is vividly illustrated by the current ISIL threat, which involves ISIL operators in Syria recruiting and tasking dozens of troubled Americans to kill people,” he wrote using another acronym to refer to the militant group.

“It is a process that increasingly takes part through mobile messaging apps that are end-to-end encrypted, communications that may not be intercepted, despite judicial orders under the Fourth Amendment.”

He added that criminal probes may also be affected because “there is simply no doubt that bad people can communicate with impunity in a world of universal strong encryption”.

The FBI chief and other US officials began expressing concern last year after Google and Apple announced plans to lock communications, leaving keys only in users’ hands, in a way that would prevent access by law enforcement even with a warrant.

Those moves came after an outcry over revelations from former intelligence contractor Edward Snowden exposing vast electronic surveillance programs by the US and its allies.

Mr Comey said in his blog post that “the logic of encryption will bring us, in the not too distant future, to a place where devices and data in motion are protected by universal strong encryption… in such a way that permits access only by participants to a conversation or the owner of the device holding the data”.

He noted that “there are many benefits” to encryption, saying it can protect “our innovation, our private thoughts, and so many other things of value, from thieves of all kinds”. But he added that the public should consider the trade-offs of allowing access to the government under certain conditions.

“Democracies resolve such tensions through robust debate,” Mr Comey said. “It may be that, as a people, we decide the benefits here outweigh the costs and that there is no sensible, technically feasible way to optimise privacy and safety in this particular context.”

“Those are decisions Americans should make, but I think part of my job is make sure the debate is informed by a reasonable understanding of the costs.”

Folder Encryption Software – Ace Secret Folder Has Been Updated to Version 6.66

Ace Secret Folder, professional folder encryption software, has recently been updated to version 6.66. This version fixes several major and minor bugs and improves the password hint, the encryption efficiency and strength, and the user interface.

Change Log of Ace Secret Folder 6.66:

File Name: Ace Secret Folder

Version: 6.66

File Size: 2.96MB

Language: English

License: Trial Version

OS Support: Win2000/XP/VISTA/Win 7/Win 8

Released on: Jun.26, 2015

Download Address: http://www.dogoodsoft.com/ace-secret-folder/free-download.html

What’s New in This Version:

– Fixed a bug where the software skin could not be changed promptly;

– Fixed a software ID exception on specific systems;

– Fixed 5 minor bugs;

* Improved password hint;

* Improved efficiency and strength for Password Protection and Hiding Protection;

* Enhanced software interface for XP.

Why Choose Ace Secret Folder:

Ace Secret Folder is a folder encryption application that makes your folder “secret” and invisible, providing a strong shield to protect your important documents and privacy. It has four main features.

(1) Invisible and without any trace after installation

Ace Secret Folder becomes unseen and without any trace after installation; no one can perceive its existence.

(2) Simple Hotkey Invocation

After Ace Secret Folder is installed, use the shortcut key “Ctrl +Alt + H” to quickly invoke the folder encryption software, so as to encrypt or decrypt a folder. You can set your own software hotkey to hide your secret even deeper.

(3) Folders disappear after encryption

A folder encrypted with Ace Secret Folder becomes completely invisible and disappears from your computer. It can only be opened or decrypted with this folder encryption software.

(4) Fast encryption and decryption

All encryption and decryption in Ace Secret Folder are done in just seconds regardless of the number and size of folders.

Professional Folder Encryption Software – Easy Folder Guard Updated to Version 9.01 Recently

Easy Folder Guard is excellent folder encryption software that protects your personal folders from prying eyes. You can choose to password-protect, disguise or hide your folders, or protect computer drives, to suit your needs.

Change Log of Easy Folder Guard 9.01:

File Size: 2.62MB

Version: 9.01

Released on: July 2, 2015

Category: Encryption Software

Language: English

License: Trial version

Download Address: http://www.dogoodsoft.com/easy-folder-guard/free-download.html

What’s New in This Version:

– Fixed a bug in displaying the password hint;
– Fixed a bug where the skin-change menu would not close automatically;
– Fixed two minor bugs.

Why Choose Easy Folder Guard:

Easy Folder Guard protects folder with three methods: Password-protect, Hide and Disguise.

For password protection, a password is required to open a password-protected folder, and the protection works in any environment. A password-protected folder is restored to protected status after use, so you don’t have to protect it again. Besides, a password-protected folder is delete-proof, copy-proof and remove-proof.

For a hidden folder, it cannot be found in any environment except in Easy Folder Guard, and the hidden folder will be restored to hidden status automatically after use.

A disguised folder is invisible and you cannot see the original contents in the folder when it is disguised. Besides, a disguised folder will be disguised automatically after use.

In addition, Easy Folder Guard allows you to protect a disk (such as a floppy disk, a hard disk or a CD-ROM) as you wish. It also can disable USB storage devices or set them as read-only.

File Encryption Software Best Encryption Expert Has Been Updated to Version 12.05

The professional file and folder encryption software Best Folder Encryptor has been updated to version 12.05. In this new version, we fixed some minor bugs.

Change Log of Best Encryption Expert 12.03:

File Name: Best Encryption Expert

Version: 12.05

File Size: 3.96MB

Category: File/Folder Encryption Software

Language: English

License: Trial version

System Requirements: Win2000/XP/VISTA/Win 7/8

Released on: Jun.15, 2015

Download Address: http://www.dogoodsoft.com/best-encryption-expert/free-download.html

What’s New in This Version:

– Fixed two minor bugs.

Why Choose Best Encryption Expert:

Best Encryption Expert is a powerful file and folder encryption utility mainly for users who often encrypt important files and folders. Best Encryption Expert features super fast and most powerful file and folder encryption. With advanced encryption algorithms, its encryption on your files and folders can be super strong and is faultless. Encrypted files and folders cannot be decrypted without the password, and can be prevented from deletion, copying and removal!

DoGoodSoft Recently Updated Best Disk Lock to Version 2.59

Best Disk Lock is a powerful utility that can completely hide hard disk partitions and CD-ROM drives on your PC, and disable USB storage devices or set them as read-only. In this new version, we have fixed three bugs and made minor enhancements for Best Disk Lock.

Change Log of Best Disk Lock:

File Size: 3.55MB

Version: 2.59

Released on: Jun.23, 2015

Category: System Security Software

Language: English

License: Trial version

Download Address: http://www.dogoodsoft.com/best-disk-lock/free-download.html

What’s New in This Version:

* Enhanced software interface for XP;

– Fixed three minor bugs.

Why Choose Best Disk Lock:

Best Disk Lock is a powerful utility with which you can completely hide disk partitions and CD-ROM drives on your PC, and disable USB storage devices or use them in read-only mode. A partition hidden by Best Disk Lock cannot be found in any environment by anyone except you, so the security and confidentiality of the data stored in your partition can be ensured. It can also be used to configure the security of your computer system and optimize the system. Besides, it allows you to run tools that come with the system conveniently without entering various commands.

How to recover a saved Wi-Fi password on Android within minutes?

Every now and then you end up with a blank face when a friend visits and tries to connect to your Wi-Fi, and you cannot recall the password, since most default passwords are a combination of letters and numbers.

While that feels rather helpless, there are ways to retrieve the password within minutes, either from a PC or from a rooted Android device.

First up, let’s take a look at how it is done via PC.

1. On the desktop, look up the Wi-Fi signal present in the bottom-right corner of your screen, next to the time and date. Click on the icon, and a pop-up should appear where you ought to click “Open Network and Sharing Center.”

2. The center should open and under your active networks, you should see the Wi-Fi you are connected to. Click, and a new window, named Wi-Fi Status would open.

3. In the window, click the Wireless Properties button, and you should land at another window, the last one.

4. A new window, named TitanGate Wireless Network Properties (the first word is your own network name), would open, featuring two tabs: Connection and Security. Choose the latter, and you should land on the screen from where you can retrieve your password.

5. The network security key holds your password, although it is hidden, showing asterisks. Check the show characters box, and you are done.

In case you happen to have the Wi-Fi saved on your Android device only, and not your PC, you could still retrieve it without having to worry much. However, you need to have a rooted device to be able to retrieve your password. If you happen to have one, follow these simple steps, and you should be able to get the job done with ease.

1. Make your way to the Google Play Store, and get your hands on any root explorer. If you wish to go by our word, we suggest you download Root Browser which is available for free.

2. Once the installation completes, open the app and you should be exposed to a list of folders.

3. Head to data > misc > wifi.

4. In the Wi-Fi folder, look up, and open the file named “wpa_supplicant.conf”

5. When prompted, choose the RB Text Editor to view the file.

6. On the following screen, you would see the configuration text, where you need to look for your Wi-Fi network.

7. It should be under a “network={” block, with the ssid line naming the Wi-Fi you are connected to and the psk line holding the password.
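The block layout described in step 7 is simple enough to parse, and doing so is useful from the defensive side as well: it shows which saved networks keep the human-typed passphrase in the clear (psk="...") and which store only the 64-hex-digit derived key. The parser below is an added example, not part of the original article; the file contents are constructed for illustration, and the path /data/misc/wifi/wpa_supplicant.conf is the conventional location on older Android releases rather than something the article states.

```python
import re
from typing import Dict, List

# Constructed sample in the wpa_supplicant.conf layout described above
# (not copied from any real device). Three blocks: a quoted passphrase,
# a 64-hex-digit pre-shared key, and an open network.
SAMPLE_CONF = """\
ctrl_interface=/data/misc/wifi/sockets
update_config=1

network={
    ssid="HomeNet"
    psk="correct horse battery"
    key_mgmt=WPA-PSK
    priority=2
}

network={
    ssid="OfficeNet"
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    key_mgmt=WPA-PSK
}

network={
    ssid="CafeGuest"
    key_mgmt=NONE
}
"""

_BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)
_HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_networks(conf_text: str) -> List[Dict[str, str]]:
    """Return one dict of key/value pairs per network={...} block.
    Quoted values keep their quotes so the caller can still tell a
    passphrase (psk="...") from a raw hex PSK (psk=...)."""
    networks = []
    for block in _BLOCK_RE.findall(conf_text):
        entry = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
        networks.append(entry)
    return networks


def unquote(value: str) -> str:
    """Strip the surrounding double quotes wpa_supplicant uses for strings."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def classify(entry: Dict[str, str]) -> str:
    """open: no PSK at all. passphrase: the typed password is stored in
    the clear. hex-psk: only the 256-bit derived key is stored, so the
    passphrase cannot be read back (the key still joins the network, so
    root access to the file remains the real exposure either way)."""
    if entry.get("key_mgmt", "WPA-PSK") == "NONE" or "psk" not in entry:
        return "open"
    psk = entry["psk"]
    if psk.startswith('"'):
        return "passphrase"
    if _HEX_PSK_RE.match(psk):
        return "hex-psk"
    return "unknown"


def audit(conf_text: str) -> Dict[str, str]:
    """Map each SSID to how its credential is stored."""
    return {unquote(n.get("ssid", "")): classify(n) for n in parse_networks(conf_text)}


if __name__ == "__main__":
    # On a device you would read the file instead of the constructed sample.
    for ssid, kind in audit(SAMPLE_CONF).items():
        print(f"{ssid:12} {kind}")
```

The audit output is the point: any network listed as "passphrase" is readable by anything running as root on the device, which is why rooting weakens the protection of every credential the device has saved.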

Software developers are not carrying out encryption properly

Despite a big push over the past few years to use encryption to combat security breaches, lack of expertise among developers and overly complex libraries have led to widespread implementation failures in business applications.

The scale of the problem is significant. Cryptographic issues are the second most common type of flaws affecting applications across all industries, according to a report this week by application security firm Veracode.

The report is based on static, dynamic and manual vulnerability analysis of over 200,000 commercial and self-developed applications used in corporate environments.

Cryptographic issues ranked higher in prevalence than historically common flaws like cross-site scripting, SQL injection and directory traversal. They included things like improper TLS (Transport Layer Security) certificate validation, cleartext storage of sensitive information, missing encryption for sensitive data, hard-coded cryptographic keys, inadequate encryption strength, insufficient entropy, non-random initialization vectors, improper verification of cryptographic signatures, and more.

The majority of the affected applications were Web-based, but mobile apps also accounted for a significant percentage.

Developers are adding a lot of crypto to their code, especially in sectors like health care and financial services, but they’re doing it poorly, said Veracode CTO Chris Wysopal.

Many organizations need to use encryption because of data protection regulations, but the report suggests their developers don’t have the necessary training to implement it properly. “It goes to show how hard it is to implement cryptography correctly,” Wysopal said. “It’s sort of an endemic issue that a lot of people don’t think about.”

Many developers believe they know how to implement crypto, but they haven’t had any specific training in cryptography and have a false sense of security, he said. As a result, they end up with applications where encryption is present, so they can tick that checkbox, but attackers are still able to get at sensitive data.

And that doesn’t even touch on cases where developers decide to create their own crypto algorithms, a bad idea that’s almost always destined to fail. Veracode only tested implementations that used standard cryptographic APIs (application programming interfaces) offered by programming languages like Java and .NET or popular libraries like OpenSSL.

Programming languages like Java and .NET try to protect developers from making errors more than older languages like C, said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email.

“However, many people argue that since modern languages are easier to program in and protect programmers more from making mistakes, more of them may be lulled into a false sense of security and not show proper care when coding, i.e. increasing the risk of introducing other types of problems like design and logic errors. Not implementing crypto properly would fall into that category,” Eiram said.

Too many programmers think that they can just link to a crypto library and they’re done, but cryptography is hard to implement robustly if you don’t understand the finer aspects of it, like checking certificates properly, protecting the encryption keys, using appropriate key sizes or using strong pseudo-random number generators.

“All this ultimately comes down to better education of programmers to understand all the pitfalls when implementing strong crypto,” Eiram said.
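Two of the pitfalls just listed, weak pseudo-random number generators and the non-random initialization vectors named in the Veracode findings, can be shown concretely. The following is an added example in Python (not code from the article or from Veracode): it contrasts an IV drawn from the OS CSPRNG with one drawn from a seeded PRNG, and runs a small IV-reuse check over constructed audit records of the kind an application might log for each encryption operation.

```python
import random
import secrets
from collections import defaultdict
from typing import Dict, List, Tuple

IV_LEN = 16  # AES block size; CBC needs an unpredictable IV of this length


def generate_iv() -> bytes:
    """Fresh IV from the operating system's CSPRNG. Never derive an IV from
    the clock, a counter that resets on restart, or the `random` module."""
    return secrets.token_bytes(IV_LEN)


def weak_iv(seed: int) -> bytes:
    """The anti-pattern: a seeded, non-cryptographic PRNG is deterministic,
    so every process started with the same seed emits the same 'random' IV.
    Shown only so the contrast with generate_iv() is visible."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(IV_LEN))


def find_iv_reuse(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """records: (key_id, iv_hex) pairs as an application might log per
    encryption call. Returns {key_id: [iv_hex reused under that key, ...]}.
    Reusing an IV under the same key breaks CBC and CTR confidentiality,
    so any hit here is a finding, not a statistic."""
    seen: Dict[str, set] = defaultdict(set)
    reused: Dict[str, List[str]] = defaultdict(list)
    for key_id, iv_hex in records:
        if iv_hex in seen[key_id] and iv_hex not in reused[key_id]:
            reused[key_id].append(iv_hex)
        seen[key_id].add(iv_hex)
    return dict(reused)


# Constructed audit records (assumed log format, not from any real system):
# key-A reuses an all-zero IV, the classic hard-coded-IV mistake;
# key-B gets a fresh IV for every call.
SAMPLE_RECORDS = [
    ("key-A", "00" * IV_LEN),
    ("key-A", "00" * IV_LEN),
    ("key-A", "1f2e3d4c5b6a79880706050403020100"),
    ("key-B", generate_iv().hex()),
    ("key-B", generate_iv().hex()),
]


if __name__ == "__main__":
    print("seeded PRNG repeats itself:", weak_iv(42) == weak_iv(42))
    print("CSPRNG IVs differ:", generate_iv() != generate_iv())
    print("IV reuse found:", find_iv_reuse(SAMPLE_RECORDS))
```

The reuse check is the kind of cheap control a team can run over its own encryption logs in CI; it catches the fixed-IV and reseeded-PRNG failures long before a cryptographer would need to look at the code.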

But it’s not only the developers’ fault. Matthew Green, a professor of cryptography engineering at Johns Hopkins University in Baltimore, thinks that many crypto libraries are “downright bad” from a usability perspective because they’ve been designed by and for cryptographers. “Forcing developers to use them is like expecting someone to fly an airplane when all they have is a driver’s license,” he said via email.

Green believes that making cryptographic software easier to use — ideally invisible so that people don’t even have to think about it — would be a much more efficient approach than training developers to be cryptographers.

“We don’t expect developers to re-implement TCP [a core Internet protocol] or the entire file system every time they write something,” he said. “The fact that current crypto APIs are so bad is just a reflection of the fact that crypto, and security in general, are less mature than those other technologies.”

The authors of some cryptographic libraries are aware that their creations should be easier to use. For example, the OpenSSL project’s roadmap, published last June, lists reducing API complexity and improving documentation as goals to be reached within one year. While not disputing that some crypto libraries are overly complex, Eiram doesn’t agree that developers need to be cryptographers in order to implement crypto correctly.

The crypto APIs in Java and .NET — the programming languages most used by the apps covered in Veracode’s report — were designed specifically for developers and provide most of what they need in terms of crypto features when developing applications in those languages, Eiram said.

“While it’s always preferable that libraries including crypto libraries are made to be used as easily as possible, the programmers using them ultimately need to at least understand on a high level how they work,” he said. “I really see it as a two-way street: Make crypto as easy to use as possible, but programmers having to implement crypto in applications should also properly educate themselves instead of hoping for someone to hold their hand.”

In addition to the lack of crypto expertise among developers and the complexity of some crypto libraries, forgetting to turn security features back on after product testing is another common source of failures, according to Green. For example, developers will often turn off TLS certificate validation in their testing environments because they don’t have a valid certificate installed on their test servers, but then forget to turn it back on when the product moves into production.

“There was a paper a couple of years back that found a huge percentage of Android applications were making mistakes like this, due to a combination of interface confusion and testing mistakes,” Green said.

The failure to properly validate TLS certificates was commonly observed by Veracode during their application security tests, according to Wysopal, and the CERT Coordination Center at Carnegie Mellon University has found that a lot of Android applications have the same problem.
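The failure mode Green describes, a verification switch flipped off for testing and never flipped back, is best handled by making the insecure setting impossible outside the test environment rather than by remembering to restore it. The code below is an added example in Python (not from the article, Veracode or Johns Hopkins); the environment names "production" and "test" and the variable names APP_ENV and TLS_SKIP_VERIFY are assumptions for illustration.

```python
import os
import ssl

# Added example: a fail-closed factory for client TLS contexts. Environment
# names and the APP_ENV / TLS_SKIP_VERIFY variables are assumed for illustration.


def build_client_context(environment: str, skip_verify: bool = False) -> ssl.SSLContext:
    """Return a verifying context unless explicitly asked not to, and refuse
    the insecure request anywhere but the test environment."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, system CA store
    if not skip_verify:
        return ctx
    if environment != "test":
        # The common failure: a test-only switch silently survives into
        # production. Raising here makes the mistake loud instead of silent.
        raise ValueError(
            f"certificate verification cannot be disabled in {environment!r}"
        )
    # Order matters: check_hostname must be cleared before verify_mode.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """Startup self-check: True only if both the certificate chain and the
    hostname are verified. Wire this into a health check so a misconfigured
    deployment is caught before it handles real traffic."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def context_from_environment() -> ssl.SSLContext:
    """Read deployment settings from the process environment (assumed names).
    The default is the strict case, so an unset variable cannot weaken TLS."""
    env = os.environ.get("APP_ENV", "production")
    skip = os.environ.get("TLS_SKIP_VERIFY", "0") == "1"
    return build_client_context(env, skip)


if __name__ == "__main__":
    ctx = context_from_environment()
    print("verifying" if is_verifying(ctx) else "NOT verifying (test only)")
```

The same shape carries over to the Java and .NET APIs the report covers: a permissive TrustManager or a callback that accepts every certificate should be constructed only behind an environment gate that raises when the gate is closed, and a startup assertion like is_verifying() turns the "forgot to turn it back on" case into a deployment failure instead of a silent one.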

Over the past few years there’s been a strong push to build encryption both into consumer applications, in response to revelations of mass Internet surveillance by intelligence agencies, and into enterprise software, in response to the increasing number of data breaches. But while everyone, from the general public to the government, seems to agree that encryption is important and we should have more of it, little attention is being paid to how it’s actually implemented into products.

If the situation doesn’t improve, we risk ending up with a false sense of security. We’ll have encryption built into everything, but it will be broken and our sensitive data will still be vulnerable to spies and would-be thieves.

DoGoodSoft Recently Released the Latest Version of PC Monitor Expert 1.65

The well-known computer monitoring software PC Monitor Expert has been updated to version 1.65, which fixes a serious problem and some minor bugs.

Change Log of PC Monitor Expert:

File Name: PC Monitor Expert

Version: 1.65

File Size: 3.79

Category: Computer Monitoring Software

Language: English

License: Trial version

System Requirements: win xp/vista/win 7/win 8

Released on: May 18, 2015

Download Address: http://dogoodsoft.com/pc-monitor-expert/free-download.html

What’s New in This Version:

– Fixed a bug where opening the Records Storage Folder could be tracked via Recent Places;

– Fixed two bugs.

Why Choose PC Monitor Expert:

Stealth operation: PC Monitor Expert cannot be found on the monitored computer. The monitoring software becomes invisible without any trace after installation, and it can monitor the target computer secretly without letting anyone know. You can launch it by pressing the hot key “Ctrl + Alt + U”.

Powerful monitoring: PC Monitor Expert can monitor all activities and operations on the monitored computer, record every keystroke typed, screen content and window opened, and log computer idle time. Besides, it has a powerful control function which allows you to prohibit specific windows or software.

Pure software design: This program has no special requirements for the computer or network, and it does not affect them.

Protect user’s privacy: For all customers using our monitoring software, we promise that your private and personal information are highly protected and won’t be disclosed to any other people.

Superb after-sales service: With professional technical personnel, we provide overall, sound and considerate customer service.

Version feature: Monitor and control the monitored computer.

Application field: Monitor and control all activities and operations on the monitored computer.

Network requirement: PC Monitor Expert permits you to monitor a computer even without internet access. You can view the monitored records on the monitored computer, or send the report to an e-mail address you specify and check it on another computer.