Google Hangouts doesn’t use end-to-end encryption

Google Hangouts doesn't use end-to-end encryption

If you’re using Google Hangouts as your main messaging service, you might want to know that Hangouts doesn’t use end-to-end encryption (E2EE), a must-have feature for messaging services in the post-Snowden world.

This was recently confirmed during a Reddit Ask Us Anything (AUA) session by Google’s Richard Salgado, Director for Law Enforcement and Information Security, and David Lieber, Senior Privacy Policy Counsel.

As far as messaging services go, end-to-end encryption is a method of encrypting data so that only the sender and the recipient of a certain message can make sense of the data being transferred. The main thing to bear in mind is that the provider of an E2EE-encrypted messaging service cannot view the messages itself, as the data is encrypted and decrypted locally by the sender and the recipient.

While the service provider has access to the bits of information that are transmitted between the sender and the recipient, this data looks like complete gibberish without the encryption key. It’s worth noting that Whatsapp, the largest messaging service in the world, uses end-to-end encryption, as does Apple’s iMessage.

The two Google representatives confirmed that Hangouts only uses in-transit encryption, a method that prevents ISPs and telecom operators from peeking at the messages. Long story short, Google can intercept Hangouts conversations when ordered by law enforcement agencies and governments.
Google previously revealed that requests for user data coming in from governments across the globe rose one and a half times over the past five years, although the company did not break down the numbers by service.

Google admits Hangouts doesn’t use end-to-end encryption, opening the door for government wiretaps

Google admits Hangouts doesn't use end-to-end encryption, opening the door for government wiretaps

If you’re really worried the government may be keeping tabs on your conversations, then you’d best avoid Hangouts.

According to Motherboard, a Google representative confirmed that Hangouts conversations are only encrypted “in transit,” meaning after the message arrives at the intended recipient Google could access it if forced to do so by a government wiretap.

The question arose from a Reddit AMA with two senior members of Google’s public policy and legal team. An ACLU representative pinned them down about encryption, but wasn’t able to get them to detail if all messages were encrypted from end-to-end.

Richard Salgado, Google’s director for law enforcement and information security, and David Lieber, the senior privacy policy counsel, would only confirm the in-transit encryption. Salgado reaffirmed the government’s prerogative to order such surveillance: “There are legal authorities that allow the government to wiretap communications.”

In reality, such wiretaps are rare. Google’s transparency report details only seven wiretap orders for nine accounts in the first half of 2014, the most recent data available because the U.S. government requires a six-month waiting period.

Why this matters: Apple has touted the privacy of iMessage as another advantage to the security conscious over Android. Other messaging platforms, like the Mark Cuban-backed Cyber Dust, also promise secrecy. Google may not see this extra step as necessary until a backlash arises from those who want more privacy from their Hangouts conversations.

Flawed encryption leaves millions of smart grid devices at risk of cyberattacks

Flawed encryption leaves millions of smart grid devices at risk of cyberattacks

Millions of smart meters, thermostats, and other internet-connected devices are at risk of cyberattacks because they come with easily crackable encryption, a study has warned.

A paper by Philipp Jovanovic and Samuel Neves published in late April analyzed the cryptography used in the Open Smart Grid Protocol (OSGP), a group of specifications published by a European telecoms standards body. The protocol is used in more than four million devices, and said to be one of the most widely used protocols for smart devices today.

The results? Not great.

The researchers found that the “weak cryptography” can easily be cracked through a series of relatively simple attacks. In one case, the researchers said they could “completely” defeat a device’s cryptography.

The most common and trusted encryption standards use well-established, peer-reviewed cyphers that are open-source and readily available to inspect. Some have argued it’s the “first rule” of crypto-club. The problem for smart grid devices is that they don’t stand up to the scrutiny of the community.

The OSGP Alliance, the non-profit group behind the OSGP protocol, said last month it’s preparing an update to the specifications to add new security features.

“The alliance’s work on this security update is motivated by the latest recommended international cybersecurity practices, and will enhance both the primitives used for encryption and authentication as well as the key length, usage, and update rules and mechanisms,” the post read.

We reached out to the OSGP Alliance, but did not hear back outside business hours.

Chinese Version of PC Monitor Expert Updated to Version 1.63

PC Monitor Expert is designed to record all the computer activities, which works as a good helper for parents and computer administrators. For some bugs in the version 1.62 that brought the inconvenience to software users, we have upgraded PC Monitor Expert to version 1.63.

Update information of PC Monitor Expert:

File Name: PC Monitor Expert

Version:   V1.63

File Size:   3.72MB

Category:   Computer monitoring software

Language:  Chinese

License:  Trial version

Running on: Win XP/ Vista/7/8

Released on: Apr. 23, 2015

Download from: http://www.jiamisoft.com/pcsc/download.html

What’s new in this version:

+ added screenshot support for the ransparent windows;

* refined the email sending data of monitoring information, improved email sent rate;

– fixed a bug in Email Settings;

* improved the generation of computer machine code.

Chinese Version of PC Monitor Expert Updated to Version 1.63

Main features of PC Monitor Expert:

1)Stealth operation: PC Monitor Expert cannot be found on the monitored computer. The monitoring software becomes invisible without any trace after installation, and it can monitor the object monitored computer secretly without letting anyone know. You can launch it by pressing hot key “Ctrl + Alt + U”.

2)Keystrokes Input Records: PC Monitor Expert can monitor all typed keystrokes, including Chinese, English, figures and functional keys. MSN or QQ chats, IMs, e-mail sent, usernames and passwords logged on some websites or e-mail can also be recorded(Warning: please DO NOT use this monitoring software for illegal use. This software won’t record sensitive passwords like QQ or MSN password).

3)Computer Screenshots Capture: Take screenshot of QQ or MSN chats window, active window or the entire compter screen. The monitored screenshots can be played automatically when you view them.

4)Opened Windows Monitoring and Control: Record all titles of opened window and the time they were opened. Prohibit opening windows containing specific block keywords in the title. For example, if you want to keep your children away from some adults contents, you can add adult contents as keyword to the prohibited list. In this way, all windows containing adults contents will be filtered automatically and PC Monitor Expert will forcibly close such web pages. Besides, this software can also record the action you open a prohibited window and opening time.

5)Running Programs Monitoring and Control: Prohibit software you specified (PC Monitor Expert has pre-configured over 30 game software). If a prohibited program is detected, PC Monitor Expert will forcibly shut it down and record this breach;

Prohibit chat software like MSN, QQ or Skype;

Prohibit using web browsers to view web pages;

Prohibit using download software to download;

Prohibit modifying system time;

Prohibit Task Manager(to prevent from ceasing active programs illegally), Registry or Control Panel etc.

6)Enhanced Functions: PC Monitor Expert can sent all monitored record (keystrokes, screenshot captured, active windows, and breaching behaviors and etc.) to a specific E-mail. You can conduct network monitoring as you wish. You can also set a password for this software and thus no one can modify settings or delete this software without the valid password. This software offers timed shutdown function with which you can schedule to shut down your computer at a certain time.

In addition, PC Monitor Expert supports disk control, which can better protect your important content.

New technology to help users combat mobile malware attacks

New technology to help users combat mobile malware attacks

As mobile phones increase in functionality, they are becoming increasingly ubiquitous in everyday life. At the same time, these devices also are becoming easy targets for malicious activities. One of the primary reasons for such malware explosion is user willingness to download applications from untrusted sources that may host apps with hidden malicious codes. Once installed on a smartphone, such malware can exploit it in various ways.

For example, it can access the smartphone’s resources to learn sensitive information about the user, secretly use the camera to spy on the user, make premium-rate phone calls without the user’s knowledge, or use a Near Field Communication, or NFC, reader to scan for physical credit cards within its vicinity. Such malware already is prevalent, and researchers and practitioners anticipate that this and other forms of malware will become one of the greatest threats affecting millions of smartphone users in the near future.

“The most fundamental weakness in mobile device security is that the security decision process is dependent on the user,” said Nitesh Saxena, Ph.D., the director of the Security and Privacy In Emerging computing and networking Systems (SPIES) Lab and an associate professor of computer and information sciences in the College of Arts and Sciences at UAB. “For instance, when installing an Android app, the user is prompted to choose whether or not the application should have permissions to access a given service on the phone. The user may be in a rush or distracted, or maybe it is the user’s kid who has the phone. Whatever the case may be, it is a well-known problem that people do not look at these warnings; they just click ‘yes.'”

Current operating systems provide inadequate security against these malware attacks, putting the burden of prevention upon the user. The current anti-virus systems are ineffective against such constantly evolving malware. UAB pursued research to find a mechanism that would defend against mobile malware that can exploit critical and sensitive mobile device services, especially focusing on the phone’s calling service, camera and NFC.

This study from researchers within the UAB College of Arts and Sciences Department of Computer and Information Sciences and Center for Information Assurance and Joint Forensics Research explains how natural hand gestures associated with three primary smartphone services — calling, snapping and tapping — can be detected and have the ability to withstand attacks using motion, position and ambient sensors available on most smartphones as well as machine learning classifiers.

If a human user attempts to access a service, the gesture would be present and access will be allowed. In contrast, if the malware program makes an access request, the gesture will be missing and access will be blocked.

To demonstrate the effectiveness of this approach, researchers collected data from multiple phone models and multiple users in real-life or near real-life scenarios, simulating benign settings and adversarial scenarios. The results showed that the three gestures can be detected with a high overall accuracy and can be distinguished from one another and from other benign or malicious activities to create a viable malware defense.

“In this method, something as simple as a human gesture can solve a very complex problem,” Saxena said. “It turns the phone’s weakest security component — the user — into its strongest defender.”

The research team believes that, in the future, transparent gestures associated with other smartphone services, such as sending SMS or email, also can be integrated with this system. The researchers also aim to commercialize this technology in the near future.

UAB graduate student Babins Shrestha, a researcher in UAB’s SPIES Lab, co-authored the article and is presenting the paper at PerCom. The other members who co-authored the paper include UAB doctoral student Manar Mohamed, UAB undergraduate student Anders Borg, and doctoral student Sandeep Tamrakar of Aalto University, Finland.

Key management is the biggest pain of encryption

Key management is the biggest pain of encryption

Most IT professionals rate the pain of managing encryption keys as severe, according to a new global survey by the Ponemon Institute.

On a scale of 1 to 10, respondents said that the risk and cost associated with managing keys or certificates was 7 or above, and cited unclear ownership of keys as the main reason. “There’s a growing awareness of the security benefits of encryption really accrue from the keys,” said Richard Moulds, vice president of product strategy at Thales e-Security, the sponsor of this report. “The algorithms that encrypt the data are all the same — what makes it secure is the keys.”

MORE ON CSO: What is wrong with this picture? The NEW clean desk test

But as organizations use more encryption, they also end up with more keys, and more varieties of keys.

“In some companies, you might have millions of keys,” he said. “And every day, you generate more keys and they have to be managed and controlled. If the bad guy gets access to the keys, he gets access to the data. And if the keys get lost, you can’t access the data.”

Other factors that contributed to the pain were fragmented and isolated systems, lack of skilled staff, and inadequate management tools. And it’s hurting worse than before. “The proportion of people that rate it as higher levels of perceived pain is higher than last year,” said Moulds.

One reason that pain is increasing could be that encryption is becoming more ubiquitous, he said, embraced by industries and companies new to the challenges of managing keys and certificates.

According to the survey, which is now in its 10th year, the proportion of companies with no encryption strategy has declined from 38 percent in 2005 to 15 percent today. Meanwhile, the share of companies with an encryption strategy applied consistently across the entire enterprise has grown from 15 percent to 36 percent. The biggest growth last year was in healthcare and retail, two sectors hit by major public security breaches.

In the health and pharmaceutical industry, the share of companies with extensive use of encryption jumped from 31 to 40 percent. In retail, it rose from 21 to 26 percent. However, for the first time in the history of the survey, the proportion of the IT budget going to encryption has dropped. Between 2005 and 2013, it climbed steadily from 9.7 percent to 18.2 percent, but dropped to 15.7 percent in this year’s report.

The biggest driver for encryption was compliance, with 64 percent of respondents saying that they used encryption because of privacy or data security regulations or requirements.

Avoiding public disclosure after a data breach occurs was only cited as a driving factor by 9 percent of the respondents. Data residency, in which some countries allow protected data to leave national borders only if it’s encrypted, didn’t even make the list.

“It didn’t rank as high on the list of motivators as you would have thought,” said Moulds. “But data residency is an increasing driver, and I think it’s going to be a big driver in the future.”

DHS Chief Says Encryption Threatens National Security

DHS Chief Says Encryption Threatens National Security

Department of Homeland Security (DHS) secretary Jeh Johnson wants the government to work more closely with tech companies on security issues, but it also wants them to dial back their security encryption efforts. Johnson made his comments Tuesday in front of a packed house at the RSA conference in San Francisco, one of the world’s largest annual cybersecurity gatherings.

Johnson defended the Obama administration’s ongoing stance, maintaining that tougher encryption by tech firms imposed in the wake of the National Security Agency’s spying scandal will make it tougher to stop crime.

“The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security,” he said. “Encryption is making it harder for your government to find criminal activity, and potential terrorist activity.”

President Barack Obama has spoken out in support of strong encryption, but has also advocated for a legal framework that gives government access to data. Officials at the FBI, DHS and the National Security Agency have been more direct about limiting encryption. They fear encryption has created situations that prevent government agencies from accessing digital data even when armed with warrants.

“Let me be clear,” Johnson said. “I understand the importance of what encryption brings to privacy. But, imagine the problems if, well after the advent of the telephone, the warrant authority of the government to investigate crime had extended only to the U.S. mail.”

Nightmare Scenario

We reached out to John Kindervag, vice president and principal analyst at Forrester Research Inc., who told us Johnson’s proposal was a “nightmare scenario.”

“In the digital age everyone is going to have to live with the reality that most data should be encrypted,” said Kindervag. “It is too dangerous to try to figure out ways to put back doors into systems that only governments can access. Shouldn’t we have learned something from the Snowden debacle?”

Justice Department officials warned Apple last fall that children will die if police aren’t able to get into suspects’ iPhones because of the company’s encryption. As Johnson told the RSA crowd, “Our inability to access encrypted information poses public safety challenges.”

The White House is preparing a report that will outline various options to ensure law enforcement can bypass encryption during criminal or national security investigations. That report is expected later this month.

“We in government know that a solution to this dilemma must take full account of the privacy rights and expectations of the American public, the state of the technology, and the cybersecurity of American businesses,” Johnson said.

An Old Story

Kindervag said similar tension has existed since the early days of the widely used e-mail encryption software Pretty Good Privacy, when co-founder Philip Zimmerman had to fight the government regarding encryption. That’s because the government held that U.S. export restrictions for cryptographic software were violated when PGP spread worldwide. The government dropped its investigation into Zimmerman’s practices in 1996.

“The assumption of some governmental entities that they can gain omniscience through surveillance just doesn’t work anymore,” said Kindervag. “There is massive amounts of data that belong to private citizens that should not be read by other entities without the citizens’ direct permission.”

Google is Keeping the NSA Out of Your Data, Eric Schmidt Brags

Google is Keeping the NSA Out of Your Data, Eric Schmidt Brags

Google (GOOGL) Chairman Eric Schmidt boasted on Wednesday about how improving the encryption of Google’s products has successfully shut out warrantless surveillance by the NSA and other law enforcement. Schmidt talked about the encryption advances, and how former NSA contractor Edward Snowden’s leaks prompted them, at BoxDev, a yearly developers conference for Box.

“When the Snowden revelations came out, we were very, very upset,” Schmidt told Aaron Levie, CEO of Box. “They never said anything to us. So we embarked upon a program to fully encrypt the information that our customers entrusted to us.”

Encryption makes it very difficult or impossible for information passed electronically to be deciphered, either by the NSA or even by the company doing the encryption. Snowden’s leaks showed how the NSA uses warrantless mass surveillance of metadata, which Schmidt argued went beyond proper use of the Patriot Act. He and other tech company leaders started boosting their encryption to keep the security agencies from being able to read any email or communication without a warrant. Now encryption is not just a Google project, and it appears to be working.

“Apple and others did the same,” Schmidt said. “And we know our program works, because all the people doing the snooping are complaining about it.”

He’s right about that. FBI Director James Comey told Congress that they should ban phone encryption because of how it helps criminals get away with their crimes. The surveillance is party of what the tech and Internet industry wants to see changed in the Patriot Act and why they are hoping it won’t be renewed in its present form.

U.S. Secretary Of Homeland Security Warns About The Dangers Of Pervasive Encryption

U.S. Secretary Of Homeland Security Warns About The Dangers Of Pervasive Encryption

In a speech at cybersecurity conference RSA, U.S. Secretary of Homeland Security Jeh Johnson outlined the government’s discomfort with increasing implementation of encryption by technology companies, and what impact the shift might have on national security.

While tech firms like Apple are advancing encryption to an increasingly broad set of consumer activities, the government is concerned that it could increasingly be locked out from the communications, and the intentions, of threats to national security.

The issue of encryption, who should hold the controlling keys, and if American technology companies should be compelled to provide special access to consumer data to the United States government are issues as old as they are controversial. The common argument against any weakening of encryption is that there are no unexploitable weaknesses — if Google were to craft a back or front door for the U.S. government, it’s impossible to keep that same entryway free from other parties.

After asking for “indulgence” and “understanding,” the secretary said during his remarks that the “current course [the technology industry is on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security.”

In the secretary’s view, the nation’s “inability to access encrypted information poses public safety challenges.” Ignoring the mild irony behind that comment — why else would you choose to encrypt data? — the government employee continued: “In fact, encryption is making it harder for your government to find criminal activity and potential terrorist activity.”

Johnson concluded with a colorful description of privacy and freedom, calling them “the things that constitute our greatest homeland security.”

His remarks were very similar to President Barack Obama’s in an interview earlier this year with Re/code’s Kara Swisher. The president said that while he was more in favor of encryption than most in law enforcement, he also recognized the problems it posed for those agencies. Both Obama and Johnson spoke about the importance of privacy when facing tech-oriented audiences, but failed to take a strong stance in its defense.

The Homeland Security secretary weighs in on this issue as White House aides are investigating encryption and preparing to report back to the president this month. In a recent speech at Princeton University,NSA chief Michael Rogers argued law enforcement should have front door access with multiple locks. He argued government abuse of this access could be avoided by splitting multiple keys among separate agencies.

But Jeff Williams, the CTO of Contrast Security, tells TechCrunch that such an approach is impossible. He argued that it would be impossible for the government to create technology that would allow it front door access to all communications devices and splitting such a tool among agencies would be inefficient and ineffective. He also said a split key could still be thwarted by super-encryption.

“Frankly the cat is out of the bag on secure encryption,” Williams said.

Even with the upcoming report to the president, it is unlikely Obama will take any measurable stand for Americans’ privacy rights. The private sector and law enforcement have volleyed back and forth on this issue for decades, now reigniting the exact same debate we saw in the early 1990s over the Clipper Chip. We’ve seen the White House take very little action on limiting the scope of the American intelligence apparatus, even in the wake of high-profile leaks from Edward Snowden.

Why would it start now?

The private sector has to keep improving encryption, as customers — particularly those outside the United States — worry about surveillance. But as these companies work to keep threats out of these devices, we can be certain that our law enforcement agencies are working just as fast to break into them.

With little public scrutiny over this technical issue, politicians have little incentive to stand up for privacy. Even with high-profile remarks such as those from Johnson today, it’s likely we’ll continue to see more of the status quo.

Google and Yahoo Encrypting Ad Network Connections

Google and Yahoo Encrypting Ad Network Connections

Google and Yahoo in separate announcements said they will individually encrypt ad network connections to reduce bot traffic and other types of ad fraud. The news coincides with the release of Malwarebytes Labs findings last week. Researchers found malvertising in Flash ads involving the DoubleClick ad network.

The two companies have support. The Interactive Advertising Bureau (IAB) continues to push the adoption of HTTPS ads and support encryption. In March, the IAB put out a call for the industry to adopt encryption. The industry trade group said many ad systems support HTTPS, but a member survey suggests that only 80% support the protocol. They called on the entire advertising supply chain to adopt practices, from ad servers and beacons to data partners and brand safety and verification tools.

Google said the majority of mobile, video, and desktop display ads on its Google Display Network, AdMob, and DoubleClick networks will become encrypted by June 30. Search on google.com is encrypted for a vast majority of users and the copany continues to work toward encrypting search ads across its systems.

YouTube ads have been encrypted since the end of last year, along with all searches, Gmail, and Drive. By the end of June, advertisers using AdWords and DoubleClick will serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.

Yahoo VP of Revenue Management and Ad Policy James Deaker describes in a blog post what he calls “perhaps the largest-ever transition to SSL encryption for any publisher with display ads.” Yahoo recently implemented an end-to-end encryption extension for Yahoo Mail,” and strengthening security everywhere else along the advertising supply chain will help to create a safer Internet.

Next week, Yahoo will host a Trust UnConference in San Francisco, bringing together industry experts to discuss how to build safe products.