
Posts Tagged ‘security’


200 Cyber Activists Urge World Leaders to Reject Encryption ‘Back Doors’

January 11, 2016

Nearly 200 Internet and digital rights experts, companies and organizations are collectively calling on the Obama administration and other world leaders to oppose any efforts to create “back doors” to encryption.

“We urge you to protect the security of your citizens, your economy, and your government by supporting the development and use of secure communications tools and technologies, rejecting policies that would prevent or undermine the use of strong encryption, and urging other leaders to do the same,” they said in an open letter made public on Monday.

“Encryption tools, technologies, and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorized access.”

The letter was organized by Access Now, a digital rights group with offices in the U.S. and several other countries. Signees are from more than 40 countries and include: former CIA analyst John Kiriakou; David Kaye, U.N. Special Rapporteur for Freedom of Opinion and Expression; Iceland parliament member Birgitta Jónsdóttir; the American Civil Liberties Union; Amnesty International; and Human Rights Watch.

Nathan White, senior legislative manager at Access Now, said a copy of the letter has been delivered to Obama administration officials. While White House officials have said they are not seeking a “back door” to encrypted communications, they haven’t issued a clear policy supporting strong encryption, White said. That has led other government agencies and foreign governments — the U.K., for instance — to feel free to press ahead with legislation that would weaken encryption, he said.

“The White House needs to clarify what its policy is, because right now the lack of a policy is indicating others are able to take the lead,” White said.

On Friday, top administration security officials met with the leaders of major tech companies including Apple, Google and Facebook to discuss ways to prevent terrorists from using encryption, social media and other technologies to communicate.

“Given the way that technology works these days, there surely are ways that we can disrupt paths to radicalization, to identify recruitment patterns, and to provide metrics that allow us to measure the success of our counter-radicalization efforts,” White House press secretary Josh Earnest said ahead of the meeting.


Could a simple mistake be how the NSA was able to crack so much encryption?

October 16, 2015

Most encryption software does the high-tech equivalent of reusing passwords, and that could be how the US National Security Agency decrypted communications.

Edward Snowden revealed the NSA’s widespread surveillance regime in 2013. Now, computer scientists might finally have uncovered how the agency was able to read encrypted communications. Photograph: BBC Panorama/PA

Computer scientists J Alex Halderman and Nadia Heninger argue that a common mistake made with a widely used key-exchange protocol leaves much encrypted traffic open to eavesdropping by a well-resourced and determined attacker such as the US National Security Agency.

The information about the NSA leaked by Edward Snowden in the summer of 2013 revealed that the agency broke one sort of encrypted communication, virtual private network (VPN) traffic, by intercepting connections and passing some data to its supercomputers, which would return the key shortly afterwards. Until now, it was not known what those supercomputers might be doing, or how they could return a valid key so quickly, when attacking the encryption head-on should take centuries, even with the fastest computers.

The researchers say the flaw lies in the way much encryption software deploys an algorithm called Diffie-Hellman key exchange, which lets two parties agree on a shared secret key over a channel an eavesdropper can see.

A form of public key cryptography, Diffie-Hellman lets two users each send the other a public value and combine it with their own private value; the result is a secret key that both users know but no eavesdropper can work out. All further communication between the pair is encrypted with that key, and attacking the key directly would take hundreds or thousands of years.

But the researchers say an attacker may not need to target it directly. Instead, the weakness lies in the setup at the start of the process. Each person generates a private key, which they keep secret, and from it a public key, which they send to their interlocutor. Both of those computations, however, are done relative to a shared public parameter: a (very) large prime number that is agreed upon before the exchange begins.

Since those prime numbers are public anyway, and since it is computationally expensive to generate new ones, many encryption systems reuse them to save effort. In fact, the researchers note, one single prime is used to encrypt two-thirds of all VPNs and a quarter of SSH servers globally, two major security protocols used by a number of businesses. A second is used to encrypt “nearly 20% of the top million HTTPS websites”.

The problem is that, while there’s no need to keep the chosen prime number secret, once a given proportion of conversations are using it as the basis of their encryption, it becomes an appealing target. And it turns out that, with enough money and time, those commonly used primes can become a weak point through which encrypted communications can be attacked.

In their paper, the two researchers, along with a further 12 co-authors, describe their process: a single, extremely computationally intensive precomputation that depends only on the chosen prime, after which any individual connection using that prime can be broken in a matter of minutes.

How intensive? For “shorter” primes (512 bits long, about 155 decimal digits), the precomputation takes around a week – serious enough that, after it was disclosed under the catchy name “Logjam”, major browsers were changed to reject 512-bit primes entirely. But even for the 1024-bit primes that were the accepted standard at the time, a precomputation is possible, for a price.
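The exchange and the precomputation attack described above, as an added example (not code from the paper or from this page): a Python model of Diffie-Hellman over a shared safe prime, with baby-step giant-step standing in for the number field sieve as the attacker’s per-prime precomputation. The prime size (about 24 bits), the session count and all function names are constructed for the demo; at these sizes the “expensive” step takes a fraction of a second, but its cost depends only on the prime, not on how many sessions are later recorded, which is the structural point the paper makes.

```python
from __future__ import annotations

import secrets
from math import isqrt

# Toy parameters are constructed at import time; nothing here is taken from
# the paper or from a real deployment.


def is_prime(n: int) -> bool:
    """Trial division; fine for the ~24-bit toy sizes used here, nothing larger."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def find_safe_prime(bound: int) -> int:
    """Smallest safe prime p = 2q + 1 (q also prime) with p > bound."""
    q = bound // 2 + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1


def find_generator(p: int) -> int:
    """Smallest g generating all of Z_p^*; for a safe prime, g^q != 1 suffices."""
    q = (p - 1) // 2
    g = 2
    while pow(g, q, p) == 1:
        g += 1
    return g


def keypair(p: int, g: int) -> tuple[int, int]:
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    x = 1 + secrets.randbelow(p - 2)
    return x, pow(g, x, p)


# --- attacker side: one expensive step per (p, g), then cheap work per session ---

def precompute(p: int, g: int) -> dict:
    """Baby-step table {g^j: j} for j < m = ceil(sqrt(p-1)), plus the giant step g^-m.

    Stands in for the sieving and linear algebra of the number field sieve:
    it depends only on the prime and generator, never on any party's key.
    """
    m = isqrt(p - 1) + 1
    table = {}
    gj = 1
    for j in range(m):
        table.setdefault(gj, j)
        gj = gj * g % p
    return {"p": p, "m": m, "baby": table, "giant": pow(g, -m, p)}


def discrete_log(pre: dict, h: int) -> int:
    """Per-session 'descent': the x with g^x = h (mod p), using only the table."""
    p, m, table, c = pre["p"], pre["m"], pre["baby"], pre["giant"]
    gamma = h % p
    for i in range(m):            # h * g^(-m*i) lands in the table once i == x // m
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * c % p
    raise ValueError("h is not in the group generated by g")


def break_session(pre: dict, pub_a: int, pub_b: int) -> int:
    """Recover one session's shared secret from the two public values alone."""
    a = discrete_log(pre, pub_a)
    return pow(pub_b, a, pre["p"])


def run(n_sessions: int = 5, bound: int = 1 << 24) -> list[tuple[int, int]]:
    """n_sessions honest exchanges over one shared prime; returns (real, recovered) pairs."""
    p = find_safe_prime(bound)
    g = find_generator(p)
    pre = precompute(p, g)          # paid once, amortised over every session below
    results = []
    for _ in range(n_sessions):
        a, pub_a = keypair(p, g)
        b, pub_b = keypair(p, g)
        shared = pow(pub_b, a, p)
        assert shared == pow(pub_a, b, p)   # both parties derive the same key
        results.append((shared, break_session(pre, pub_a, pub_b)))
    return results


if __name__ == "__main__":
    for real, got in run():
        print(f"session key {real:>9}  recovered {got:>9}  {'OK' if real == got else 'MISS'}")
```

The mitigation the article describes maps directly onto this model: a server that generates its own group (for example with `openssl dhparam -out dhparam.pem 2048`) forces the attacker to repeat `precompute()` for that group alone, so the one-off cost no longer amortises across the Internet, and an elliptic-curve exchange removes the table-building shortcut altogether because no comparable index-calculus precomputation is known for well-chosen curves.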

The researchers write that “it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year”.

“Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation.”

There are ways around the problem. Simply using a fresh prime for each application, or even for each server, would reduce the reward for the year-long computation to the point where it is uneconomical. Similarly, switching to a newer standard, elliptic curve Diffie-Hellman, which performs the exchange in a group of points on an algebraic curve rather than modulo a large prime, and for which no comparable precomputation attack is known, would render the attack ineffective.

But that’s unlikely to happen fast. Some occurrences of Diffie-Hellman literally hard-code the prime in, making it difficult to change overnight. As a result, “it will be many years before the problems go away, even given existing security recommendations and our new findings”.

“In the meantime, other large governments potentially can implement similar attacks, if they haven’t already.”


AVG can sell your browsing and search history to advertisers

September 23, 2015

Security firm AVG can sell search and browser history data to advertisers in order to “make money” from its free antivirus software, a change to its privacy policy has confirmed.

The updated policy explained that AVG was allowed to collect “non-personal data”, which could then be sold to third parties. The new privacy policy comes into effect on 15 October, but AVG explained that the ability to collect search history data had also been included in previous privacy policies, albeit with different wording.

AVG’s potential ability to collect and sell browser and search history data placed the company “squarely into the category of spyware”, according to Alexander Hanff, security expert and chief executive of Think Privacy.

“Antivirus software runs on our devices with elevated privileges so it can detect and block malware, adware, spyware and other threats,” he told WIRED. “It is utterly unethical to [the] highest degree and a complete and total abuse of the trust we give our security software.” Hanff urged people using AVG’s free antivirus to “immediately uninstall the product and find an alternative”.

Previous versions of AVG’s privacy policy stated it could collect data on “the words you search”, but didn’t make it clear that browser history data could also be collected and sold to third parties. In a statement AVG said it had updated its privacy policy to be more transparent about how it could collect and use customer data.

An AVG spokesperson told WIRED that in order to continue offering free security software the company may in the future “employ a variety of means, including subscription, ads and data models.”

“Those users who do not want us to use non-personal data in this way will be able to turn it off, without any decrease in the functionality our apps will provide,” the spokesperson added. “While AVG has not utilised data models to date, we may, in the future, provided that it is anonymous, non-personal data, and we are confident that our users have sufficient information and control to make an informed choice.”

According to Nigel Hawthorn, European spokesperson for cloud security firm Skyhigh Networks, AVG had stayed “just on the non-creepy side of creepy”. “If something is free you’ve got to assume that you’re the product,” he said. “The difficulty with this is whether anyone notices, reads it, checks it and understands the implications”.

AVG is the third most popular antivirus product in the world according to market analysis from software firm Opswat. The company has an 8.6 percent share of the global market, behind Microsoft on 19.4 percent and Avast on 21.4 percent. In its privacy policy, Avast, which also provides free security software, explains that it is able to collect certain non-personal information and sell it to advertisers. The company does not specify that this includes browser and search history data.

Orla Lynskey, a data protection and IT law expert from London School of Economics, welcomed the change in language but said users would be justifiably concerned by the implications. “Its privacy policy is written in clear and simple language,” she told WIRED, adding that users might expect an antivirus provider to be “more respectful” of their privacy and data security.

“It appears that AVG is adopting a generous interpretation of the data protection rules in order to justify its data use policy,” Lynskey argued. “Although some of the data they classify as ‘non-personal’ might not identify individuals directly, they may be indirectly identifiable based on that data.”

An AVG spokesperson explained that any non-personal data it collected and potentially sold to advertisers would be cleaned and anonymised, making it impossible to link it back to individual users. “Many companies do this type of collection every day and do not tell their users,” the spokesperson said.
