Have you created a ShazzleMail account on your smartphone? This is a required first step.

Yes No

Free Encrypted Email

Posts Tagged ‘security’

88e3788f-55d7-4420-adbb-3fde78baefb7-1020x612

Could a simple mistake be how the NSA was able to crack so much encryption?

October 16, 2015

Most encryption software does the high-tech equivalent of reusing passwords, and that could be how the US national security agency decrypted communications

Edward Snowden revealed the NSA's widespread surveillance regime in 2013. Now, computer scientists might finally have uncovered how the agency was able to read encrypted communications.
 Edward Snowden revealed the NSA’s widespread surveillance regime in 2013. Now, computer scientists might finally have uncovered how the agency was able to read encrypted communications. Photograph: BBC Panorama/PA

Computer scientists J Alex Halderman and Nadia Heninger argue that a common mistake made with a regularly used encryption protocol leaves much encrypted traffic open to eavesdropping from a well-resourced and determined attacker such as the US national security agency.

The information about the NSA leaked by Edward Snowden in the summer of 2013 revealed that the NSA broke one sort of encrypted communication, virtual private networks (VPN), by intercepting connections and passing some data to the agency’s supercomputers, which would then return the key shortly after. Until now, it was not known what those supercomputers might be doing, or how they could be returning a valid key so quickly, when attacking VPN head-on should take centuries, even with the fastest computers.

The researchers say the flaw exists in the way much encryption software applies an algorithm called Diffie-Hellman key exchange, which lets two parties efficiently communicate through encrypted channels.

A form of public key cryptography, Diffie-Hellman lets users communicate by swapping “keys” and running them through an algorithm which results in a secret key that both users know, but no-one else can guess. All the future communications between the pair are then encrypted using that secret key, and would take hundreds or thousands of years to decrypt directly.

But the researchers say an attacker may not need to target it directly. Instead, the flaw lies in the exchange at the start of the process. Each person generates a public key – which they tell to their interlocutor – and a private key, which they keep secret. But they also generate a common public key, a (very) large prime number which is agreed upon at the start of the process.

Since those prime numbers are public anyway, and since it is computationally expensive to generate new ones, many encryption systems reuse them to save effort. In fact, the researchers note, one single prime is used to encrypt two-thirds of all VPNs and a quarter of SSH servers globally, two major security protocols used by a number of businesses. A second is used to encrypt “nearly 20% of the top million HTTPS websites”.

The problem is that, while there’s no need to keep the chosen prime number secret, once a given proportion of conversations are using it as the basis of their encryption, it becomes an appealing target. And it turns out that, with enough money and time, those commonly used primes can become a weak point through which encrypted communications can be attacked.

In their paper, the two researchers, along with a further 12 co-authors, describe their process: a single, extremely computationally intensive “pre-calculation” which “cracks” the chosen prime, letting them break communications encrypted using it in a matter of minutes.

How intensive? For “shorter” primes (512 bits long, about 150 decimal digits), the precalcuation takes around a week – crippling enough that, after it was disclosed with the catchy name of “Logjam”, major browsers were changed to reject shorter primes in their entirety. But even for the gold standard of the protocol, using a 1024-bit prime, a precalculation is possible, for a price.

The researchers write that “it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year”.

“Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation.”

There are ways around the problem. Simply using a unique common prime for each connection, or even for each application, would likely reduce the reward for the year-long computation time so that it was uneconomical to do so. Similarly, switching to a newer cryptography standard (“elliptic curve cryptography”, which uses the properties of a particular type of algebraic curve instead of large prime numbers to encrypt connections) would render the attack ineffective.

But that’s unlikely to happen fast. Some occurrences of Diffie-Hellman literally hard-code the prime in, making it difficult to change overnight. As a result, “it will be many years before the problems go away, even given existing security recommendations and our new findings”.

“In the meantime, other large governments potentially can implement similar attacks, if they haven’t already.”

Tags: , , , , , ,

avg-privacy-1-800x420

AVG can sell your browsing and search history to advertisers

September 23, 2015

Security firm AVG can sell search and browser history data to advertisers in order to “make money” from its free antivirus software, a change to its privacy policy has confirmed.

The updated policy explained that AVG was allowed to collect “non-personal data”, which could then be sold to third parties. The new privacy policy comes into effect on 15 October, but AVG explained that the ability to collect search history data had also been included in previous privacy policies, albeit with different wording.

AVG’s potential ability to collect and sell browser and search history data placed the company “squarely into the category of spyware”, according to Alexander Hanff security expert and chief executive of Think Privacy.

“Antivirus software runs on our devices with elevated privileges so it can detect and block malware, adware, spyware and other threats,” he told WIRED. “It is utterly unethical to [the] highest degree and a complete and total abuse of the trust we give our security software.” Hanff urged people using AVG’s free antivirus to “immediately uninstall the product and find an alternative”.

Previous versions of AVG’s privacy policy stated it could collect data on “the words you search”, but didn’t make it clear that browser history data could also be collected and sold to third parties. In a statement AVG said it had updated its privacy policy to be more transparent about how it could collect and use customer data.

An AVG spokesperson told WIRED that in order to continue offering free security software the company may in the future “employ a variety of means, including subscription, ads and data models.”

Those users who do not want us to use non-personal data in this way will be able to turn it off, without any decrease in the functionality our apps will provide,” the spokesperson added. “While AVG has not utilised data models to date, we may, in the future, provided that it is anonymous, non-personal data, and we are confident that our users have sufficient information and control to make an informed choice.”

According to Nigel Hawthorn, European spokesperson for cloud security firm Skyhigh Networks, AVG had stayed “just on the non-creepy side of creepy”. “If something is free you’ve got to assume that you’re the product,” he said. “The difficulty with this is whether anyone notices, reads it, checks it and understands the implications”.

AVG is the third most popular antivirus product in the world according to market analysis from software firm Opswat. The company has a 8.6 percent share of the global market, behind Microsoft on 19.4 percent and Avast on 21.4 percent. In itsprivacy policy, Avast, which also provides free security software, explains that it is able to collect certain non-personal information and sell it to advertisers. The company does not specify that this includes browser and search history data.

Orla Lynskey, a data protection and IT law expert from London School of Economics, welcomed the change in language but said users would be justifiably concerned by the implications. “Its privacy policy is written in clear and simple language,” she told WIRED, adding that users might expect an antivirus provider to be “more respectful” of their privacy and data security.

“It appears that AVG is adopting a generous interpretation of the data protection rules in order to justify its data use policy,” Lynskey argued. “Although some of the data they classify as ‘non-personal’ might not identify individuals directly, they may be indirectly identifiable based on that data.”

An AVG spokesperson explained that any non-personal data it collected and potentially sold to advertisers would be cleaned and anonymised, making it impossible to link it back to individual users. “Many companies do this type of collection every day and do not tell their users,” the spokesperson said.

Tags: , , ,

Introducing ShazzleMail Email and How it Works

Privacy is your Fundamental Human Right.

Our Daily Blog
ph
Chinese deepfake app Zao sparks privacy row after going viral
September 3, 2019

Critics say face-swap app could spread misinformation on a massive scale A Chinese app that lets ...

Read more
1463600977631262
Google tightens grip on some Android data over privacy fears, report says
August 19, 2019

The search giant ends a program that provided network coverage data to wireless carriers. BY CARR...

Read more
4000
Wikipedia co-founder slams Mark Zuckerberg, Twitter and the ‘appalling’ internet
July 8, 2019

Elizabeth Schulze Wikpedia Co-Founder Larry Sanger said in an interview social media companies ...

Read more
venmo_pub_priv
Why America Needs a Thoughtful Federal Privacy Law
June 26, 2019

More than a dozen privacy bills have been introduced in this Congress. Here’s what it needs to do....

Read more
privacy-coins-and-bitcoin-dominance-guide
9 Important Privacy Settings for Windows 10
June 3, 2019

Matt Powell On Jun 3, 2019 At first glance, the Digital Age may seem like a wonderful thing. And ...

Read more