Subject: General Tech | January 16, 2017 - 01:13 PM | Jeremy Hellstrom
Tagged: whatsapp, fud, facebook, encryption
By now you will have seen a headline screaming something about the security of Facebook's WhatsApp messaging service, with claims ranging from a backdoor purposefully inserted into the app to a complete denial of any security risk at all. The actual issue is much larger than WhatsApp and affects all applications which depend on public key encryption.
Many applications utilize public keys for their encryption; the encryption relies on keys unique to the sender's and receiver's devices, and the public key is used to verify the authorization of a new device. If your account's key was permanently attached to a specific piece of hardware you would need a separate account for each device you used, which would be quite onerous.
The issue is that the Open Whisper Signal protocol is configured by WhatsApp in a way which makes the data vulnerable to a man-in-the-middle attack. If you can manage to block the transmission of a message, then take over one of the authorized devices' accounts or phone numbers and trigger the generation of a new private key via a public key request to Facebook, then you will be able to read messages until people realize what is going on. This is not impossible but far from easy to accomplish, and affects any similar encryption system, not just WhatsApp.
Perhaps more worrying is Facebook's ability to take advantage of this, as they can generate a new public key to read messages, if they so choose. If you are concerned about this, you can enable the Show Security Notifications setting under Settings -> Account -> Security to be notified whenever a contact's security code has changed. The Register links to several articles which delve into the technology as well as the media's reactions here, if you are interested.
"The problem – which is "endemic to public key cryptography" – was raised in April last year, and at the time WhatsApp said it wasn't a serious enough design flaw to spend time fixing."
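The difference between being notified of a key change and being blocked by one can be seen in a small model. The following is an added example, not code from WhatsApp, Open Whisper Systems or the original post; the `Sender` class, its fields and the sample keys are hypothetical, and "encryption" is modeled only as recording which key a message was addressed to.

```python
import hashlib
from dataclasses import dataclass, field


def code(pubkey: bytes) -> str:
    """Short display code for a public key (stand-in for a security code)."""
    return hashlib.sha256(pubkey).hexdigest()[:12]


@dataclass
class Sender:
    block_on_change: bool   # True: hold messages until the user verifies the new key
    notify: bool = False    # models a "show security notifications" style setting
    pinned: dict = field(default_factory=dict)    # contact -> code first seen
    unacked: dict = field(default_factory=dict)   # contact -> undelivered plaintexts
    log: list = field(default_factory=list)       # what the user gets to see

    def _key_ok(self, contact: str, key: bytes) -> bool:
        """Decide whether it is acceptable to encrypt to `key` right now."""
        seen = self.pinned.setdefault(contact, code(key))  # trust on first use
        if seen == code(key):
            return True
        if self.block_on_change:
            self.log.append(f"BLOCKED: {contact} key {seen} -> {code(key)}")
            return False
        self.pinned[contact] = code(key)  # accept the new key without asking
        if self.notify:
            self.log.append(f"NOTICE: security code for {contact} changed")
        return True

    def send(self, contact, text, directory, acked=True):
        """Return (key_code, plaintext) pairs that left the device."""
        key = directory[contact]
        if not self._key_ok(contact, key):
            self.unacked.setdefault(contact, []).append(text)
            return []
        if not acked:  # delivery was never confirmed, keep for retransmission
            self.unacked.setdefault(contact, []).append(text)
        return [(code(key), text)]

    def retransmit(self, contact, directory):
        """Resend unconfirmed messages under whatever key the server reports."""
        key = directory[contact]
        if not self._key_ok(contact, key):
            return []
        return [(code(key), t) for t in self.unacked.pop(contact, [])]


def scenario(block_on_change: bool, notify: bool):
    """Constructed sequence: one message is never confirmed, then the key changes."""
    directory = {"bob": b"constructed-key-1"}   # what the key server reports
    alice = Sender(block_on_change, notify)
    alice.send("bob", "hello", directory)
    alice.send("bob", "meet at 9", directory, acked=False)
    directory["bob"] = b"constructed-key-2"     # server now reports a new key
    return alice.retransmit("bob", directory), alice.log


if __name__ == "__main__":
    for policy in [(False, False), (False, True), (True, True)]:
        sent, log = scenario(*policy)
        print(policy, "sent under new key:", sent, "| user saw:", log)
```

In this model the notification setting changes what the user sees, not what leaves the device: only the blocking policy keeps the unconfirmed message from being re-addressed to the new key.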
Here is some more Tech News from around the web:
- Microsoft's Security Bulletins Will End In February @ Slashdot
- Windows 10 Gets A New Linux: openSUSE @ Slashdot
- Just give up: 123456 is still the world's most popular password @ The Register
- Drone company fails to take off, tells pre-orderers: You can have your $34m back @ The Register
- Microsoft's Surface Studio has Enticing Features @ Hardware Secrets
- McDonald's website insecurity leaves passwords open to Hamburgling @ The Inquirer
- Canary Smart Home Security Device Review @ NikKTech
Subject: General Tech | July 4, 2016 - 01:08 PM | Jeremy Hellstrom
Tagged: andriod, keymaster, qualcomm, snapdragon, encryption
The only good news about this particular decryption hack is that it requires physical access to your phone, and as you should be aware, once someone has your device in their hands all bets about security are off. The vulnerability exists on ARM-compatible Snapdragon system-on-chips and the TrustZone, a secure part of the chip which runs outside of the operating system and passes information pertaining to the encryption on your phone via the Qualcomm Secure Execution Environment.
It is possible to exploit an Android kernel security vulnerability to load your own QSEE application which can then query the TrustZone for your unencrypted blob and RSA key. From there it is simply a matter of brute forcing the phone's PIN or password, which then allows you access to all the encrypted data on the device. The Register explains not only the vulnerability but also how TrustZone and KeyMaster work on your devices in this article.
"Essentially, if someone seizes your Qualcomm Snapdragon-powered phone, they can potentially decrypt its file system's contents with a friendly Python script without knowing your password or PIN."
Here is some more Tech News from around the web:
- Lenovo scrambling to get a fix for BIOS vuln @ The Register
- BlackBerry will release three more Android-powered smartphones @ The Inquirer
- Transcend Wifi SD Card Is A Tiny Linux Server @ Hack a Day
- 400 million Foxit users need to catch up with patched-up reader @ The Inquirer
- Ubuntu backs calls to wind down 32-bit Linux support @ The Inquirer
It's Easier to Be Convincing than Correct
This is a difficult topic to discuss. Some perspectives assume that law enforcement have terrible, Orwellian intentions. Meanwhile, law enforcement officials, with genuinely good intentions, don't understand that the road to Hell is paved with those. Bad things are much more likely to happen when human flaws are justified away, which is easy to do when your job is preventing mass death and destruction. Human beings like to use large pools of evidence to validate assumptions, without realizing it, rather than discovering truth.
Ever notice how essays can always find sources, regardless of thesis? With increasing amounts of data, you are progressively more likely to make a convincing argument, but not necessarily a more true one. Mix in good intentions, which promotes complacency, and mistakes can happen.
But this is about Apple. Recently, the FBI demanded that Apple create a version of iOS that can be broken into by law enforcement. They frequently use the term “back door,” while the government prefers other terminology. Really, words are words and the only thing that matters is what it describes -- and it describes a mechanism to compromise the device's security in some way.
This introduces several problems.
The common line that I hear is, “I don't care, because I have nothing to hide.” Well... that's wrong in a few ways. First, having nothing to hide is irrelevant if the person who wants access to your data assumes that you have something you want to hide, and is looking for evidence that convinces themselves that they're right. Second, you need to consider all the people who want access to this data. The FBI will not be the only one demanding a back door, or even the United States as a whole. There are a whole lot of nations that trust individuals, including their own respective citizens, less than the United States. You can expect that each of them would request a backdoor.
You can also expect each of them, and organized criminals, to want to break into each other's.
Lastly, we've been here before, and what it comes down to is criminalizing math. Encryption is just a mathematical process that is easy to perform, but hard to invert. It all started because it is easy to multiply two numbers together, but hard to factor them. The only method we know is dividing by every possible number that's smaller than the square root of said number. If the two numbers are prime, then you are stuck finding one number out of all those possibilities (the other prime number will be greater than the square root). In the 90s, numbers over a certain size were legally classified as weapons. That may sound ridiculous, and there would be good reason for that feeling. Either way, it changed; as a result, online banks and retailers thrived.
While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a backdoor into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.
Good intentions lead to complacency, which is where the road to (metaphorical) Hell starts.
Subject: General Tech | February 2, 2016 - 05:11 PM | Tim Verry
Tagged: file syncing, encryption, bittorrent sync, bittorrent
BitTorrent continues to support its file sharing and syncing application with the recent release of Sync 2.3.1. The 2.3.x update contains a number of bug fixes for stability, but the important news is the added support for encrypted folders and finally allowing selective file syncing on Linux systems. Additionally, the company put out a short brief on the information they collect and how they are securing your files synced by Sync which is available as a PDF.
Sync 2.3 allows Windows users to run Sync as a service and Android users can move data to and from an SD card from within the app so long as they are running at least Android 5.0 or newer. Linux users also get a bit of love with support for selective file syncing (where you can choose which specific files to download locally and which to keep on the remote peers) though it appears that BitTorrent has limited this feature to its paid Sync Pro tier which is in line with other platforms. According to BitTorrent Inc. among the performance and bug fixes, the biggest UI change is a redesigned process for adding new folders.
On the security and privacy front, BitTorrent claims that it employs several security measures to keep your data safe. First though, the company allegedly only collects benign data including the program version, add folder errors, the amount of data transferred (directly and via relay server), number of peers, and share link and tracker statistics as well as few more things you can see in the brief linked above. All the data that they collect is reportedly sent in the clear so that users can verify what they are collecting on them.
To secure your files, BitTorrent uses SSL and AES-128 encryption to transfer files. In the case of Advanced folders, it generates an X.509 certificate (each folder is given its own certificate) using a certificate authority and then uses a certificate chain to control user access and file modification permissions as well as a mechanism to revoke access. In the case of encrypted folders, Sync generates storage and session keys with the session keys complying with perfect forward secrecy standards such that future session keys being cracked does not compromise past sessions. When using the encrypted folders option (which is useful when using a VPS as an off-site backup or to any machine that you do not fully own and control for that matter), data from your local machines is encrypted before being sent to the remote machine using AES 128 bit encryption (I wish they had gone with at least AES-256, but it's something). The data is then sent over SSL. Thus, the data on the remote machine is never in an unencrypted state which is a good thing for having a secure off-site backup. The encrypted folder can still be used as part of the mesh to speed up syncing among your machines, as well, while remaining secure.
I think the encrypted folders are a good addition to Sync, though the encryption bit-ness could be improved (a weak VPS' processor doesn't need to decrypt the data anyway so CPU time needed for the beefier algorithm should not matter...). In past coverage users have mentioned issues when syncing folders that they encrypted themselves before adding to Sync where the data could get corrupted when the peers became confused on changes made and what to sync. Hopefully this will help avoid that though they do still need to work on fixing user chosen pre-sync encryption. I am still using Sync to backup my photos and sync documents between my laptop and desktop and it works well for that sans the storage limits imposed by One Drive (and the uncertainty of my once-promised 25GB of free storage).
What do you think of the changes, and is their security good enough?
Subject: General Tech | February 26, 2015 - 01:02 PM | Jeremy Hellstrom
Tagged: Gemalto, SIM, encryption, fud, security
In just under a week SIM card maker Gemalto claims to have done a complete security audit of their systems in 85 different countries and reports that "its office networks were compromised, the servers holding the SIM card encryption keys weren't." This is a record worthy of Guinness, as most security audits take months or years to complete and the findings tend to discuss probabilities, not absolute certainties. As you might expect, The Register and security experts everywhere are doubtful of the claims from a company that did not even know if it was compromised less than a week ago that the UK based GCHQ and USA based NSA are unable to compromise your SIM card's encryption when they have the keys in hand. It has not been a good week for anyone who thinks about security.
"Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims."
Here is some more Tech News from around the web:
- Solidfire offers unlimited SSD wear guarantee, punts software at market @ The Register
- Google updates: Android for Work launches with BlackBerry-backed encryption @ The Inquirer
- MWC: Microsoft tipped to unveil trio of cheap Lumias, but no Snapdragon 810 flagship @ The Inquirer
- Tech ARP 2015 Mega Giveaway
Subject: General Tech | October 30, 2014 - 07:04 PM | Tim Verry
Tagged: online storage, encryption, cloud storage, bitcasa
Bitcasa recently announced that, as of November 15, 2014, the company is discontinuing its "Infinite Drive" and will no longer be offering unlimited cloud storage space. The company made its debut at the start of last year with an infinite storage product (Amazon S3 backend with custom applications and client side AES-256 convergent encryption). Since then, the company has grown to store more than 40 Petabytes of user data. Unfortunately, the unlimited storage space model was not sustainable despite heavily increased pricing several months ago.
According to Bitcasa, less than 0.5% of users stored more than 1TB while 0.1% of users used more than 10TB. The alleged lack of demand coupled with violations of the company's Acceptable Use Policy were the final nails in the infinite storage coffin.
There is a bright side to the announcement, however. Bitcasa has re-engineered the storage backend and is promising faster uploading, downloading, and streaming (over the web interface) of files. Users wishing to stick with Bitcasa will need to transfer files over to the new storage system by the November 15, 2014 deadline. After the deadline, all files that have not been transferred or downloaded will be deleted permanently.
Bitcasa has put together a FAQ that explains the situation and how it will affect each of the account tiers on their website.
Essentially, Bitcasa is shuttering the infinite storage tier completely. Users storing 10TB or less will be allowed to move to the Premium or Pro tiers. The Premium tier remains the same as the old plan at $10 per month for 1TB of storage. The Pro tier has been changed from 5TB for $49 per month to 10TB for $99 per month. Users storing over 10TB will need to reduce their stored files to fit within at most 10TB of space. Of course, users are not required to stay and are free to download their files and move to an alternative service. Finally, the free storage tier has been cut from 10GB to 5GB going forward.
Any existing accounts (so long as they are within the lower storage allotments) will be grandfathered in (including pricing on paid tiers) and any "extra" storage space gathered from referrals will remain in effect.
| Storage Tier | New Plans: Storage Space | New Plans: Pricing | Old Plans: Storage Space | Old Plans: Pricing |
|---|---|---|---|---|
| Premium | 1TB | $10/month ($99/year) | 1TB | $10/month ($99/year) |
| Infinite | n/a | No longer offered | Unlimited | $99/month ($999/year) |
There are some snags in the transfer process to be aware of though. Past version history on files will not be preserved post transfer and any mirrored folders will have to be recreated. It is possible to move the mirrored folders after the transfer if you do not have access to the original PC(s), but you will have to recreate the mirrors using the applications when you want to keep them in sync again.
Also, Bitcasa notes that iTunes payments for Bitcasa storage will no longer be accepted and Facebook and Twitter logins will not be allowed (you will create a new login during the transfer process). Finally, streaming to Plex is not currently working with the new storage system, but a fix is being worked on.
Upon receiving the email from Bitcasa yesterday, I logged in and completed the transfer. The process took about five minutes (including downloading my mirrored folders I no longer had access to on my home PC). My free account is grandfathered into the 10GB limit. When the service first came out, I tried it out for awhile and it was decent. At one point I even considered moving to the paid infinite tier, but at the new prices the amount of storage is no longer economical for personal use (>1TB). It is notable that Microsoft started offering unlimited (used to be 1TB) storage to Office 365 subscribers this week, and I wonder how long that will last and if they will run into many of the same problems Bitcasa did.
What do you think about this announcement? Will unlimited storage always be too good to be true (i.e., an unsustainable business model)?
Subject: General Tech | July 23, 2014 - 01:08 PM | Jeremy Hellstrom
Tagged: dropbox, data privacy, encryption
Dropbox has faced many questions about the privacy of the data held on their service after modified links were shown to successfully connect to private portions of accounts as well as their ability to hand over all your content in readable form to authorities. While for many the lack of encryption is not much of a concern, businesses cannot afford to be so lax with potentially valuable client data stored on Dropbox. This use of Dropbox by businesses is far more common than you may think and may expand with the announcement of Dropbox for Business and the expanded services available for this new service.
For those with security concerns about storing unencrypted data on Dropbox it would seem that the recommendation is to use third party client side encryption software. That does mean that the new search features will not work as Dropbox will be unable to index files as they pointed out to The Inquirer and other media. Dropbox does have a decent reputation for protecting the data they store but for those intending to store proprietary data on the cloud the balance between ease of use and privacy should be considered before moving to any cloud storage provider.
"DROPBOX HAS DEFENDED its record on privacy following allegations by NSA whistleblower Edward Snowden that it is "hostile to privacy"."
Subject: Storage | July 22, 2014 - 04:02 PM | Jeremy Hellstrom
Tagged: Intel, ssd, Pro 2500, enterprise, encryption, mcafee
Intel has not offered many products which take advantage of their takeover of McAfee, now known as Intel Security, but today's release of the Intel SSD Pro 2500 Series changes that. This family of SSDs will work with McAfee ePolicy Orchestrator to allow the automatic implementation of hardware-based 256-bit encryption on these drives in a similar manner to what Endpoint Encryption has done in the past. Since it sits on the hardware, Intel claims the on-the-fly encryption has no impact on speed. If you use Intel Setup and Configuration Software with vPro you can even monitor the health of deployed drives. Check out Intel's page here and the PR below.
SANTA CLARA, Calif., July 22, 2014 – Intel Corporation today announced an addition to the Intel® Solid-State Drive (SSD) Professional Family: the Intel® SSD Pro 2500 Series. This new business-class SSD delivers lower total cost of ownership, security and manageability features, and blazing-fast SSD performance demanded by today’s business users.
Intel SSD Pro 2500 Series offers IT departments peace of mind with advanced security features and capabilities designed for businesses ranging from small companies through large IT-managed enterprises. Security and remote manageability features, combined with lower annual failure rates than hard disk drives (HDDs), help to reduce the need for resource-intensive deskside visits.
Managing data security is critical for businesses and a challenge for IT leaders. Data breaches, often a result of lost or stolen PCs, can cost a business nearly $50,000 in lost productivity, replacement, data recovery and legal costs. To help businesses mitigate the threat of such costly breaches, the Intel Pro 2500 Series SSDs are self-encrypting drives (SED) utilizing hardware-based 256-bit encryption to protect data without a loss of performance. Additionally, the new Intel drives feature the Trusted Computing Group’s OPAL 2.0* standard and are Microsoft eDrive* capable. These policy-based controls help to prevent data breaches and support crypto erase to repurpose the drive for reuse.
“The need to protect assets, keep an eye on the bottom line and ensure employees have the best tools is a challenge for IT departments,” said Rob Crooke, Intel corporate vice president and general manager of the Non-Volatile Memory Solutions Group. “The Intel SSD Pro 2500 Series is a well-rounded solution to help balance those often competing needs. Adding the Pro 2500 Series to the Intel SSD Professional Family delivers a powerful storage solution to help businesses of all sizes meet their critical IT needs.”
“The Intel SSD Pro 2500 Series is the second-generation OPAL-based client storage solution that helps IT departments protect their users’ data and also provides valuable features to reduce operational costs,” stated Candace Worley, senior vice president and general manager, Endpoint Security, McAfee*, part of Intel Security. “The Pro 2500 Series is a perfect companion to our data protection solutions, managed by McAfee ePolicy Orchestrator*, all working in concert to provide IT departments with data security, management and control, wherever their endpoints may be.”
In an environment with Intel® vPro™ Technology, with Intel® Setup and Configuration Software and leading security software, the Pro 2500 Series drives can be managed remotely allowing IT to monitor and report drive health as well as track assets and remedy faults. This remote manageability enforces IT policies to help prevent mishaps and simultaneously provides a great user experience. Embedded and Internet of Things applications can also take advantage of the remote manageability features to help limit the number of IT professionals needed to oversee devices. To assist in protecting user data and lower the total cost of ownership, applications such as ATMs and remote digital signage can be updated, monitored and managed remotely.
“Corporations of every size are facing the growing challenge of protecting sensitive data and ensuring compliance with a litany of data protection laws and regulations,” said Bill Solms, president and CEO of Wave Systems*. “The Intel SSD Pro 2500 Series offers a sound foundation for any data security program, incorporating hardware-level encryption without impacting drive performance. Wave’s on-premise and cloud-based management software complements the Intel SSD Pro 2500 by offering remote drive provisioning, automated password recovery and secure audit logs to document that encryption was in place should a laptop become lost or stolen.”
The Intel SSD Professional Family is part of the Intel® Stable Image Platform Program, including a 15-month availability of the components and drivers for compatibility and stability across a qualified IT image. This helps minimize IT qualification and deployment times. The Intel SSD Pro 2500 Series also features five advance power modes helping to balance performance and power to enable a longer battery life and provide a better mobile experience.
The Intel SSD Pro 2500 Series will be available in both 2.5-inch and M.2 form factors and in capacities ranging from 120GB to 480GB. The Intel SSD Pro 2500 Series is backed by a 5-year limited warranty and features a world-class annualized failure rate (AFR) well below 1 percent. The AFRs of other SSDs and HDDs can reach as high as 5 percent or more in mobile environments.
Subject: General Tech | July 22, 2013 - 02:28 PM | Jeremy Hellstrom
Tagged: SIM card, security, encryption, black hat 2013
The revelation that SIM cards rely on an outdated encryption method makes it surprising that an exploit has not been revealed long before now, but one has been discovered and will be featured at this year's Black Hat security conference. The proof of concept used was to send an improperly signed binary SMS to a device over the air, which returns an error that contains the entire cryptographic signature for the SIM that received the signal; from there it is rather simple to crack the 56-bit DES with modern hardware. Once you have the key you can send out a variety of commands to the device up to and including an OS update with certain customizations. Follow the links from The Inquirer for more information.
"A SIM CARD EXPLOIT that could leave millions of mobile phones vulnerable to hacking has been uncovered by German security firm Security Research Labs (SRL)."
Here is some more Tech News from around the web:
- AMD is 'transforming', will be profitable this quarter, says CEO Read @ The Register
- Samsung set to steal FBI phone deal from rival Blackberry @ The Inquirer
- LG Pocket Photo printer @ The Inquirer
- Mac malware uses right to left character exploit @ Hack a Day
- Netgear ProSafe XS708E review: 10 Gbit switch @ Hardware.info
- Intel Linux Driver Performance Still Slower Than Windows 7 @ Phoronix
- Fifteen Years After Autism Panic, a Plague of Measles Erupts @ Slashdot
- Win An Anidees AI-6B Mid-Tower Computer Case @ eTeknix
Subject: General Tech | July 8, 2013 - 02:09 PM | Jeremy Hellstrom
Tagged: security, encryption, addonics, CipherUSB
The interface is pretty ugly but the Addonics CipherUSB is incredibly easy to use and is effective at folder level and disk level encryption. With the dongle on your machine you can encrypt internal and external disks, which can then only be accessed when a similarly set up dongle is present, along with a password if you selected the option to require one. It uses AES256 ECB or CBC encryption, the standard when it comes to encryption, and setup and usage are incredibly easy, though there are a few minor flaws on the CipherUSB. Head over to Techgage for the review and a great overview of encryption in general.
"As important as data encryption can be for the home user, it’s even more imperative in the enterprise. The problem? The most effective measures are usually cast aside in lieu of something a little easier to deal with. With the CipherUSB, Addonics hopes to bring “simple” and “most effective” together as one. Does it succeed?"
Here is some more Tech News from around the web:
- Nvidia sees limited shipments of Tegra 4 @ Linux.com
- Microsoft offloads heap of critical fixes in 'ugly' Patch Tuesday @ The Register
- Intel Haswell Linux Virtualization: KVM vs. Xen vs. VirtualBox @ Phoronix
- Intel/NVIDIA/AMD Compete On Linux GPU Driver Performance @ Phoronix
- 24,000 Nintendo Site Accounts Compromised @ Slashdot
- Magellan SmartGPS RM5295T-LMB Review @ TechReviewSource
- Manual transmission for gamers @ Hack a Day
- Nintendo admits to Club hack @ The Inquirer
- Iain M. Banks Gets Asteroid Named After Him @ Slashdot
- BeagleBone Black Part 2: Linux Performance Tests @ Linux.com