Google and Yahoo Encrypting Ad Network Connections

Google and Yahoo in separate announcements said they will individually encrypt ad network connections to reduce bot traffic and other types of ad fraud. The news coincides with the release of Malwarebytes Labs findings last week. Researchers found malvertising in Flash ads involving the DoubleClick ad network.

The two companies have support. The Interactive Advertising Bureau (IAB) continues to push the adoption of HTTPS ads and support encryption. In March, the IAB put out a call for the industry to adopt encryption. The industry trade group said many ad systems support HTTPS, but a member survey suggests that only 80% support the protocol. They called on the entire advertising supply chain to adopt practices, from ad servers and beacons to data partners and brand safety and verification tools.

Google said the majority of mobile, video, and desktop display ads on its Google Display Network, AdMob, and DoubleClick networks will become encrypted by June 30. Search on google.com is encrypted for a vast majority of users and the company continues to work toward encrypting search ads across its systems.

YouTube ads have been encrypted since the end of last year, along with all searches, Gmail, and Drive. By the end of June, advertisers using AdWords and DoubleClick will serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.

Yahoo VP of Revenue Management and Ad Policy James Deaker describes in a blog post what he calls “perhaps the largest-ever transition to SSL encryption for any publisher with display ads.” Yahoo recently implemented an end-to-end encryption extension for Yahoo Mail, and strengthening security everywhere else along the advertising supply chain will help to create a safer Internet.

Next week, Yahoo will host a Trust UnConference in San Francisco, bringing together industry experts to discuss how to build safe products.

Encryption Uncoded: A Consumers’ Guide

Concerned by reports of hacking, data breaches and government spying, companies and consumers are looking for better ways to protect their data. Many are turning to encryption, a method of encoding messages that goes back millennia. Encryption is commonly used to secure online banking sessions and to protect credit-card data. But for the average computer user, it remains a mystery.

Here’s a brief guide to help readers unlock its secrets.

How does encryption work?

If you saw the recent movie “The Imitation Game,” you’ve seen a rudimentary, by modern standards, form of encryption. During World War II, the Germans used a machine to turn military messages into coded strings of symbols. These days, computers running complex mathematical formulas can do the same thing much faster, and the codes are much harder to crack.

What’s it used for?

If you’ve ever done banking online, you may have noticed a “lock” icon in the address bar, or that the bar turned green. That means the browser session is encrypted by your bank.

Consumers can download a growing crop of encryption tools for texting, browsing sessions and video and phone calls. Users usually must download an app or install software that scrambles messages as they are sent. (The recipient needs to be using the same app or software to unscramble the message.)

Apple has started encrypting personal data on its latest mobile operating system, iOS 8. This means an outsider who hacks into a device or into Apple’s servers would see a string of unreadable characters instead of actual messages or FaceTime videos.

Can I encrypt email messages?

Yes, but it’s tricky. Sender and receiver must use the same type of encryption. If you have encryption switched on, but the friend you’re emailing doesn’t have it, he or she won’t be able to read your message.

Since the revelations of former National Security Agency contractor Edward Snowden about electronic eavesdropping by the NSA, big tech companies have made moves to add encryption. Yahoo Inc. and Google Inc. both have announced plans to begin encrypting emails of users of their services, but the projects are moving slowly.

Can encryption really protect me from getting hacked?

Maybe. If a hacker obtains the encryption keys, or the formula that unlocks the code, all that encrypting was for naught. And that happens all the time in corporate data breaches, says Avivah Litan, a vice president and senior analyst focusing on security issues at market-research firm Gartner Inc. For example, as part of the 2007 breach at TJX Cos., hackers stole a TJX point-of-sale card-reader system and brought it home. The hackers were able to break the code used to encrypt card transactions and stole data from tens of millions of customer accounts.

How can I get started?

In addition to Apple’s built-in encryption in its new mobile devices, Android users can download WhatsApp, which encrypts text messages. WhatsApp, a company owned by Facebook Inc., says it is working on offering encryption for all communication sent between WhatsApp users, including images, audio and text.

A number of vendors—including Voltage Security Inc., Protegrity and RSA Security, a unit of Corp.—offer encryption of corporate data, including email and credit-card records. Silent Circle’s Blackphone is a phone for corporate users that can send encrypted voice calls, text, emails and other data—if both parties are using a Blackphone.

Why isn’t everything encrypted?

There are plenty of reasons. Encryption is time-consuming and difficult to implement. It’s hard to properly manage who has access to encryption keys, and it slows system performance.

Online Extortionists Are Using Encryption as a Ransom Weapon

Most of the time we discuss encryption as a way to protect ourselves online, but an increasingly popular form of digital attack uses it as an extortion tool. Criminals are stealing personal files, encrypting them, and holding them hostage until their targets pay for the decryption key.

A report from security firm Symantec details a sharp rise in “crypto-ransomware,” its term for this devious form of online crime, noting that these incidents were 45 times more common in 2014 than 2013, with over 340,000 people and organizations unable to access files that had been encrypted by extortionists. Usually the extortionists ask their targets to pay in Bitcoin on a website accessible by Tor.

To infect computers, would-be criminals will send malicious e-mail attachments that look like bills or invoices. If you are foolish enough to open the attachment, you’re snared. It’s possible we’re seeing a rise in crypto-ransomware attacks because phishing emails where you’re tricked into opening a malware attachment or bad link are a major way that people get hacked.

There’s a growing underground economy devoted to carrying out crypto-ransomware attacks, with groups like Cryptolocker and Cryptowall selling their services. Your main line of defense is backing up all your files, since you won’t need to pay to get them back if you can just restore them. There are also services popping up to thwart crypto-ransomware, like Decryptolocker, which used a version of Cryptolocker to figure out how to decrypt files that Cryptolocker holds hostage. A service called Cryptoprevent is designed to stop this type of ransomware from a variety of different attackers.

Ransomware is still a relatively rare and aggressive cybercrime, so the likelihood of someone crypto-ransoming your vacation photos is low. No need to panic. Much more common: Phishing attacks of all kinds. A security report released by Verizon today underlines how often people fall for them. With phishing attacks, prevention is even simpler than backing up your files: Just don’t click on sketchy shit!

How to make Private Information safe under the Network Environment via Encryption Software

Recently, an AT&T data leak exposed the private information of 2.8 million American customers, including usernames and complete or partial Social Security numbers. AT&T agreed to pay a 25 million civil penalty to settle the FCC's inquiry into the violation of customer privacy. Even though the case was settled, the damage it caused cannot be undone.

With the advent of the era of “Big Data”, the problem of data leakage is becoming more serious. Businesses can find all of our information easily, which is alarming. So how do we protect our information from prying eyes in a networked environment?

1. Develop Self-Discipline for Network

The network is a virtual world, and we should strengthen our awareness of privacy protection. Do not register on websites indiscriminately, because it is often users themselves who give away their own information. Developing a sense of self-protection is also important. Install a legitimate antivirus program and a firewall to keep hackers from stealing your private files and property. When shopping online, check the security of the link. Developing good habits of network use can effectively keep your information away from prying eyes.

2. Use Computer Hardware Technology

Leakage of private information in a networked environment is sometimes caused by interception while the data is in transit. Here we can use computer hardware technology to deal with it. We take Best Encryption Expert as an example to see how it protects your data.

It is very easy to do; even if you are a newbie, you can do it by yourself.

1. Go to the website (www.dogoodsoft.com/best-encryption-expert/free-download.html) to download Best Encryption Expert and install it on your computer;

2. Right click the file or folder you want to encrypt, and then choose Best Encryption in the pop-up window;

3. Set your password, and select an encryption type, then click “OK”.

3. Learn Privacy Protection Skill

Only by relying on science and technology, such as firewall technology, can we ensure the security of our information. You can set up a wall between the public network and a private network as required, to prevent hackers from attacking.

In short, we should take a complete view of network information technology. On the one hand, it makes work and study convenient; on the other hand, unsafe factors exist that threaten the security of personal information. The most intelligent thing is to use professional encryption software to encrypt your private information.

The NSA wants a multi-part encryption key for “front door” access to your data

The US National Security Agency (NSA) appears to be increasingly concerned about the growing adoption of encryption and its ability to thwart the agency’s surveillance efforts.

Now, after months of debate with tech firms about government access to encrypted data on smartphones and other devices, the NSA has proposed a solution which it hopes will strike a balance between its desire to know everything about everyone and the average law-abiding citizen’s right to privacy.

According to The Washington Post, that solution – put forward by NSA director Michael S. Rogers – lies in a multi-part encryption key, created by various tech companies, which could unlock any device.

Speaking at Princeton University recently, Rogers said the key could be broken into several parts, meaning no one agency or company would be able to use it without the co-operation of the others:

I don't want a back door. I want a front door. And I want the front door to have multiple locks. Big locks.

With the highly contentious Section 215 of the Patriot Act – legislation that has allowed mass eavesdropping from the security services – due to sunset on 1 June 2015, privacy rights groups and concerned members of the public have long been voicing their concerns about bulk data collection.

Add to that the fact that firms such as Apple, Google and Microsoft recently sent a letter to President Barack Obama which demanded an end to data collection, and you can probably see why the NSA is exploring more palatable alternatives.

The debate about encryption and government access comes about as tech companies continue to make customer privacy a key selling point for their products and services.

Companies like Apple – which recently took the decision to enable device encryption by default and made key promises to its customers concerning their privacy – are giving the NSA a real headache as the agency argues the need for government access to data to aid in the battle against crime and terrorism.

Edward Snowden, for his part, continues to lament the level of access the US government still has. At a secret meeting at this year’s South by Southwest festival he urged tech companies to foil surveillance efforts through the development of better privacy tools.

But Rogers firmly believes that his proposal for a ‘front door’ is both sound and justified, allowing for access as and when required, while keeping data safe from would-be hackers and other forms of attack.

Of course, his view is not universally shared – Donna Dodson, chief cybersecurity adviser at the Commerce Department’s National Institute of Standards and Technologies, pointed out that a master key still presents a risk, even if it is broken into parts held by different parties:

The basic question is, is it possible to design a completely secure system? There’s no way to do this where you don’t have unintentional vulnerabilities.

Privacy advocates and industry officials alike are not convinced by Rogers’ proposal either. Marc Zwillinger, a former Justice Department official now working as an attorney for tech companies on encryption-related matters, told the Post that law enforcement should not have the undeniable right to access every means of communication between two parties. He added:

I don’t think our Founding Fathers would think so, either.

The fact that the Constitution offers a process for obtaining a search warrant where there is probable cause is not support for the notion that it should be illegal to make an unbreakable lock. These are two distinct concepts.

Another Reason For Ubiquitous Web Encryption: To Neuter China’s “Great Cannon”

China’s web censorship machine, the Great Firewall, has a more offensive brother, researchers have declared today. Called the Great Cannon by Citizen Lab, a research body based at the University of Toronto, it can intercept traffic and manipulate it to do evil things.

In recent distributed denial of service (DDoS) attacks on code repository Github, the Great Cannon was used to redirect traffic intended for Baidu, the equivalent of Google in China, to hit two pages on the target site, including one that provided links to the Chinese-language edition of the New York Times. GreatFire.org, a website dedicated to highlighting Chinese censorship, was hit by a similar attack.

The Great Cannon only intercepts traffic to or from a specific set of targeted addresses, unlike the Great Firewall, which actively examines all traffic on tapped wires going in and out of China. According to Citizen Lab, in the recent DDoS hits, it intercepted traffic going to Baidu, and when it saw a request for certain JavaScript files on a Baidu server, it appeared to either pass the request on “unmolested”, as it did for 98 per cent of connections, or it dropped the request before it reached Baidu and sent a malicious script back to the requesting user, as it did nearly 2 per cent of the time. That malicious script would fire off traffic to the victims’ servers. With so many users redirected to the targets, the internet pipes feeding Github and GreatFire.org were clogged up, taking them offline. It was an effective, if blunderbuss, approach to censoring the targets.

But, as the researchers noted, the Great Cannon could be abused to intercept traffic and insert malware to infect anyone visiting non-encrypted sites within the reach of the attack tool. That could be done, said Citizen Lab, by simply telling the system to manipulate traffic from specific targets, say, all communications coming from Washington DC, rather than going to certain sites, as in the abuse of Baidu visitors. “Since the Great Cannon operates as a full man-in-the-middle, it would also be straightforward to have it intercept unencrypted email to or from a target IP address and undetectably replace any legitimate attachments with malicious payloads, manipulating email sent from China to outside destinations,” Citizen Lab added in its report released today.

The Great Cannon is not too dissimilar to QUANTUM, a system used by the National Security Agency and the UK’s GCHQ, according to the Edward Snowden leaks. So-called lawful intercept providers, FinFisher and Hacking Team, sell products that appear to do the same too, Citizen Lab noted.

But there’s one simple way to stop the Great Cannon and the NSA from infecting masses of users: encrypt all websites on the internet. The system would not be able to tamper with traffic that is effectively encrypted. The SSL/TLS protocols (which most users commonly use when on HTTPS websites rather than HTTP) drop connections when a “man-in-the-middle” like the Cannon is detected, whilst preventing anyone from peeking at the content of web communications.
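The tampering described above depends on a response travelling in cleartext. As an added example (not from Citizen Lab's report or this article), the following Python audit lists the script, frame and stylesheet loads in a page that an on-path device could replace; the host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose fetched content runs in, styles or frames the page,
# mapped to the attribute that carries the URL.
ACTIVE_ATTRS = {"script": "src", "iframe": "src", "embed": "src",
                "object": "data", "link": "href"}


class _Collector(HTMLParser):
    """Collects active subresources that resolve to plain http://."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.cleartext = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        # <link> is only active content when it loads a stylesheet.
        if tag == "link":
            rel = (values.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        raw = values.get(attr)
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's scheme,
        # so on an HTTP page they are cleartext as well.
        resolved = urljoin(self.base, raw.strip())
        if urlsplit(resolved).scheme == "http":
            self.cleartext.append((tag, resolved))


def audit(page_url, html):
    """Return what an on-path device could rewrite for this page."""
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    return {
        "page_cleartext": urlsplit(page_url).scheme == "http",
        "cleartext_active": collector.cleartext,
    }


# Constructed sample page; every host name here is a placeholder.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="//cdn.example/lib.js"></script>
<script src="https://secure.example/app.js"></script>
</head><body>
<script src="http://stats.example/h.js"></script>
<script src="/local.js"></script>
<img src="http://img.example/a.png">
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://news.example/story", "https://news.example/story"):
        result = audit(url, SAMPLE_HTML)
        print(url, "page over HTTP:", result["page_cleartext"])
        for tag, target in result["cleartext_active"]:
            print("  replaceable in transit:", tag, target)
```

On the HTTP copy of the page even the relative and protocol-relative script URLs resolve to cleartext; served over HTTPS, only the two hard-coded `http://` references remain.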

There are some significant projects underway designed to bring about ubiquitous web encryption. Just this week, the Linux Foundation announced it would be hosting the Let’s Encrypt project, which seeks to make SSL certificates, which website owners have to own and integrate into their servers to provide HTTPS services, free and easy to acquire. It should be possible to grab these simple and (hopefully) secure certificates from mid-2015, though Josh Aas, executive director at the Internet Security Research Group (ISRG), which runs Let’s Encrypt, would not say when exactly. It has some serious backers, including Akamai, Cisco, Electronic Frontier Foundation and Mozilla.

It’s unclear whether Let’s Encrypt would provide certificates to Chinese sites. “The default stance is that we want to issue to everyone – but we will have to comply with US laws… our legal team is looking into it.”

“There’s a lot of the web that isn’t encrypted,” added Jim Zemlin, executive director at The Linux Foundation. “We think that’s a big deal for internet security.”

Europol chief warns on computer encryption

A European police chief says sophisticated online communications are the biggest problem for security agencies tackling terrorism. Hidden areas of the internet and encrypted communications make it harder to monitor terror suspects, warns Europol’s Rob Wainwright. “Tech firms should consider the impact sophisticated encryption software has on law enforcement”, he said.

A spokesman for TechUK, the UK’s technology trade association, said: “With the right resources and cooperation between the security agencies and technology companies, alongside a clear legal framework for that cooperation, we can ensure both national security and economic security are upheld.”

Mr Wainwright said that in most current investigations the use of encrypted communications was found to be central to the way terrorists operated. “It’s become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism,” he explained. “It’s changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore.”

Mr Wainwright, whose organisation supports police forces in Europe, said terrorists were exploiting the “dark net”, where users can go online anonymously, away from the gaze of police and security services.

Secret messaging

But he is also concerned at moves by companies such as Apple to allow customers to encrypt data on their smartphones, and the development of heavily encrypted instant messaging apps is another cause for concern, he said.

This meant people could send text and voice messages which police found very difficult or impossible to access, he said.

“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet. [Tech firms] are doing it, I suppose, because of a commercial imperative driven by what they perceive to be consumer demand for greater privacy of their communications.”

Surveillance

Mr Wainwright acknowledged this was a result of the revelations by former National Security Agency contractor Edward Snowden, who exposed how security services were conducting widespread surveillance of emails and messages.

He said security agencies now had to work to rebuild trust between technology firms and the authorities.

The TechUK spokesman told the programme: “From huge volumes of financial transactions to personal details held on devices, the security of digital communications fundamentally underpins the UK economy.

“Encryption is an essential component of the modern world and ensures the UK retains its position as one of the world’s leading economies. “Tech companies take their security responsibilities incredibly seriously, and in the ongoing course of counter-terrorism and other investigations engage with law enforcement and security agencies.”

The programme also found evidence that supporters of the Islamic State (IS) are using encrypted sites to radicalise or groom new recruits.

On one blogging website, a 17-year-old girl who wants to become a “jihadi bride” is told that if she needs to speak securely she should use an encrypted messaging app. The family of 15-year-old Yusra Hussein from Bristol, who went to Syria last year, also believe she was groomed in this way.

Twitter terrorism

The extent of the challenge faced by security services is shown in the scale of social media use by IS.

Mr Wainwright revealed that IS is believed to have up to 50,000 different Twitter accounts tweeting up to 100,000 messages a day. Europol is now setting up a European Internet Referral Unit to identify and remove sites being used by terrorist organisations.

Mr Wainwright also says current laws are “deficient” and should be reviewed to ensure security agencies are able to monitor all areas of the online world. “There is a significant capability gap that has to change if we’re serious about ensuring the internet isn’t abused and effectively enhancing the terrorist threat. We have to make sure we reach the right balance by ensuring the fundamental principles of privacy are upheld so there’s a lot of work for legislators and tech firms to do.”

FBI Quietly Removes Recommendation To Encrypt Your Phone… As FBI Director Warns How Encryption Will Lead To Tears

Back in October, we highlighted the contradiction of FBI Director James Comey raging against encryption and demanding backdoors, while at the very same time the FBI’s own website was suggesting mobile encryption as a way to stay safe. Sometime after that post went online, all of the information on that page about staying safe magically disappeared, though thankfully I screenshotted it at the time:

If you really want, you can still see that information over at the Internet Archive or in a separate press release the FBI apparently didn’t track down and memory hole yet. Still, it’s no surprise that the FBI quietly deleted that original page recommending that you encrypt your phones “to protect the user’s personal data,” because the big boss man is going around spreading a bunch of scare stories about how we’re all going to be dead or crying if people actually encrypted their phones:

Calling the use of encrypted phones and computers a “huge problem” and an affront to the “rule of law,” Comey painted an apocalyptic picture of the world if the communications technology isn’t banned.

“We’re drifting to a place where a whole lot of people are going to look at us with tears in their eyes,” he told the House Appropriations Committee, describing a hypothetical in which a kidnapped young girl’s phone is discovered but can’t be unlocked.

So, until recently, the FBI was actively recommending you encrypt your data to protect your safety — and yet, today it’s “an affront to the rule of law.” Is this guy serious?

More directly, this should raise serious questions about what Comey thinks his role is at the FBI (or the FBI’s role is for the country)? Is it to keep Americans safe — or is it to undermine their privacy and security just so it can spy on everyone?

Not surprisingly, Comey pulls out the trifecta of FUD in trying to explain why it needs to spy on everyone: pedophiles, kidnappers and drug dealers:

“Tech execs say privacy should be the paramount virtue,” Comey continued, “When I hear that I close my eyes and say try to imagine what the world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.”

Except we know exactly what that looks like — because that’s the world we’ve basically always lived with. And yet, law enforcement folks like the FBI and various police departments were able to use basic detective work to track down criminals.

If you want to understand just how ridiculous Comey’s arguments are, simply replace his desire for unencrypted devices with video cameras in every corner of your home that stream directly into the FBI. Same thing. Would that make it easier for the FBI to solve some crimes? Undoubtedly. Would it be a massive violation of privacy and put many more people at risk? Absolutely.

It’s as if Comey has absolutely no concept of a cost-benefit analysis. All “bad people” must be stopped, even if it means destroying all of our freedoms, based on what he has to say. That’s insane — and raises serious questions about his competence to lead a government agency charged with protecting the Constitution.

Multiple Digital Certificate Attacks Affect 100% of UK Businesses

All—as in 100%—of UK organizations have responded to multiple attacks on keys and certificates in the past two years.

The Ponemon Institute found that attacks are becoming more widespread as the number of keys and certificates deployed on infrastructure such as web servers, network appliances and cloud services has grown by 40% to almost 24,000 per enterprise over the past two years.

Russian cyber-criminals, for instance, recently stole digital certificates from one of the top five global banks, enabling them to steal 80 million records, while another attack allowed hackers to steal data from 4.5 million healthcare patients.

Despite the ubiquity of the attacks, a full 63% of organizations do not know where all keys and certificates are located or how they’re being used. But at least the attacks have led to a modicum of self-awareness: 60% of all surveyed respondents agreed that they need to do a better job at responding to vulnerabilities involving keys and certificates. And 54% noted that the trust established by keys and certificates that is necessary for online banking, shopping and government is in jeopardy.

“With the rising tide of attacks on keys and certificates, it’s important that enterprises really understand the grave financial consequences,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “We couldn’t run the world’s digital economy without the system of trust they create. [Organizations] need a wake-up call like this to realize they can no longer place blind trust in keys and certificates that are increasingly being misused by cybercriminals.”

Conducted in the United Kingdom, Australia, France, Germany, and the United States, the report highlights that over the next two years, the potential financial risk facing UK enterprises from attacks on keys and certificates is expected to reach at least £33 million.

As for security professionals specifically, they said that they fear a “Cryptoapocalypse” event the most. Coined by researchers at Black Hat 2013, a Cryptoapocalypse would dwarf Heartbleed in scope, complexity and time to remediate.

“Whether they realize it or not, every business and government relies upon cryptographic keys and digital certificates to operate,” said Kevin Bocek, vice president of security strategy and threat intelligence at report sponsor Venafi. “Without the trust established by keys and certificates, we’d be back to the Internet ‘stone age’—not knowing if a website, device or mobile application can be trusted.”

Bee behaviour mapped by tiny trackers

A tiny new tracker designed to monitor bee behaviour is being tested by ecologists at Kew Gardens in London.

It is made from off-the-shelf technology and is based on equipment used to track pallets in warehouses, said its creator Dr Mark O’Neill.

Readers, used to pick up a signal from the kit, are connected to Raspberry Pi computers, which log the readings.

The device has a reach of up to 2.5m (8.2ft). Previously used models were restricted to 1cm (0.4in).

The tracker consists of a standard RFID (radio frequency identification) chip and a specially designed aerial, which Dr O’Neill has created to be thinner and lighter than other models used to track small insects, allowing him to boost the range.

The engineer, who is technical director at the Newcastle-based tech firm Tumbling Dice, is currently trying to patent the invention.

“The first stage was to make very raw pre-production tags using components I could easily buy”, he said, “I want to make optimised aerial components which would be a lot smaller. I’ve made about 50 so far. I’ve soldered them all on my desk – it feels like surgery.”

The average “forage time” for a worker bee is around 20 minutes, suggesting they have a forage range of around 1km (0.6 miles), Dr O’Neill explained.

The idea is to have readers dotted around a hive and flower patch in order to track the signals as the bees move around freely in the wild.

Chilled bees

The tiny trackers, which are just 8mm (0.3in) high and 4.8mm (1.9in) wide, are stuck to the bees with superglue in a process which takes five to 10 minutes. The bees are chilled first to make them more docile.

“They make a hell of a noise,” acknowledged Dr O’Neill.

He told the BBC he hoped that the trackers – which weigh less than a bee and are attached at their centre of gravity so as not to affect their flight – would remain attached for their three-month expected lifespan.

They have only been fitted to worker bees, which do not mate.

“If an animal ate one, I guess it would have a tracker in its stomach,” Dr O’Neill said.

“But the attrition rate for field worker bees is very low. Most die of old age – they are very competent, and good at getting out of the way.”

Dr Sarah Barlow, a restoration ecologist from Kew Gardens, was involved in testing the as-yet unnamed trackers.

“These tags are a big step forward in radio technology and no one has a decent medium to long range tag yet that is suitable for flying on small insects,” she said.

“This new technology will open up possibilities for scientists to track bees in the landscape.

“This piece of the puzzle, of bee behaviour, is absolutely vital if we are to understand better why our bees are struggling and how we can reverse their decline.”