Tag Archives: encryption

Apple Advances User Security With Powerful New Data Protections



Apple introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.

With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market: from the security built directly into our custom chips with best-in-class device encryption and data protections, to features like Lockdown Mode, which offer an extreme, optional level of security for users such as journalists, human rights activists, and diplomats. Apple is committed to strengthening both device and cloud security, and adding new protections over time.

The Wall Street Journal reported that Apple is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.

According to The Wall Street Journal, the expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most data secure that is stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would be protected in the event that Apple is hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant.

The Wall Street Journal also reported that the FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” according to a statement provided by an agency spokeswoman. “This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime, and terrorism,” the statement said. The FBI and law enforcement agencies need “lawful access by design,” it said.

BuzzFeed News reported that Apple’s Advanced Data Protection is significant because switching it on will only store your key locally on your device and not on Apple’s servers. This will not only keep your backup safe in case a hacker breaches Apple’s data centers, but also prevent Apple from being able to turn over iCloud backups to law enforcement agencies and governments in response to valid legal requests, something the company has done thousands of times so far, according to its own transparency report.

It sounds to me like this change in policy is good for consumers, because it not only protects their data from hackers, but also makes it impossible for law enforcement agencies to demand that Apple turn over iCloud information to them. Apple won’t have any way to access that information because it won’t have the key.


Shhh! It’s a Secret!



The past few weeks have seen most of the tech industry line up against law enforcement and intelligence agencies over the matter of encryption and privacy. I particularly liked Google’s recent conversion to privacy as it wasn’t that long ago that Eric Schmidt, Google CEO, said that, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

Moving on, there’s been a great deal of emphasis on the privacy aspect, but few have noted that encryption is mainly about secrecy, and that privacy and secrecy are not the same thing. If you do think that privacy and secrecy are the same thing, consider this, “It’s no secret that you go to the restroom, but it’s something you do in private.” I can’t claim credit for this – Bruce Schneier was discussing this over ten years ago and I thoroughly recommend you read some of his recent posts on the matters too.

You might also like to think of it this way; a private home v. secret hide-out. The former is in plain sight but restricted to the owner and his guests, whereas the latter is hidden and known only to a select few.

With a better understanding of the difference between privacy and security, a more reasoned debate can take place, which needs to be agnostic of the technology, to decide the rights of the individuals and the responsibilities of law enforcement.

Ask yourself some questions, “Should what person X does (on their phone) be private?” and “Should what person X does (on their phone) be secret?”. Remember, person X might be you, your family, your friends, your colleagues; person X might be suspects, criminals, murderers, terrorists, paedophiles; person X might be freedom fighters, democracy activists, oppressed women, abused spouses, LGBT members. You get the picture, person X might be someone you approve of, or they might be someone you don’t like.

The easy answer is to say that person X should have privacy but not secrecy. Does this guard against wholesale monitoring of communication by intelligence agencies? Snowden has shown that this happened and I think most people would see this as an overreach of their authority with no legal oversight. But once person X has come to the attention of the authorities, does that strip away any right to privacy? What level of suspicion is needed, what evidence is required, what is the process of law? None of these have easy answers.

Undoubtedly this is a complex affair with hyperbole, thin-end-of-wedge-ism, and freedom protestors in dictatorships by the bucket load. For certain, we need to move this away from the technology and into human, societal and legal rights. Nothing is black and white, but this is about the future and the world we want to live in. Personally, I firmly believe in privacy, but I’m not so sure about secrecy. I use encryption on my phone as reassurance that should I lose my phone, important data won’t be misused by the finder. Generally I feel that wrong-doers, alleged or otherwise, shouldn’t have secrets, but I’m always concerned about the abuse of power. As always, “Who watches the watchers?”

(The other curious thing to consider is regarding dead people. Generally, they don’t have the same legal rights as living people. What would this mean?)


Encryption with Pencil and Paper



Given that George Orwell was English, one might think the British would be all too aware of the dangers of a police state. Despite being one of the most surveilled countries in the world with one security camera for every eleven people, politicians in the UK have put forward plans to record the online activities of people in the UK and force companies like Google and Apple to break the encryption on gadgets and apps. It’s clear from both Snowden’s revelations and other sources that the UK’s security services have been routinely collecting large quantities of phone data with little legislative oversight.

As expected, the powers-that-be trot out the usual scaremongering tactics from terrorists to paedophiles, and while politicians aren’t known for their intelligence, the current proposals around encryption seem particularly stupid and at odds with experts in the fields of security and mathematics.

Encryption isn’t always that easy to understand, so this video shows a very simple but secure method for encrypting and decrypting messages using nothing more than paper and pencil. The process is a bit laborious but it illustrates how easy it is to be secure even without a computer and that any attempt to put a back door into digital encryption will only compromise the integrity of the internet for everyone.

The BBC’s “In Our Time” radio programme tackles “P v NP” this week and part of the discourse involves prime numbers and their role in encryption. It’s available as a podcast so it’s recommended listening too.

Be seeing you!


SIM Card Security Flaw Exposing 750 Million Cell Phones




Outdated encryption is to blame for a new risk on your cellular device. According to a report by SRLabs and research which will be presented at BlackHat on July 31st, the Subscriber Identity Module (SIM) card can be hacked in a few ways, including through SMS messages.

According to SRLabs, SIM cards use 56-bit DES encryption – a technology created in the 70s. Using what are called FPGA clusters, a SIM can be cracked. SRLabs is looking to raise awareness of these issues, then recommend better SIM card technology, an SMS firewall and SMS filtering so that simple hacking techniques cannot access SIM card data.

It is reported that over 750 million SIM cards are vulnerable to this hack. That is 1 in 8 SIM cards, according to Karsten Nohl of SRLabs. An improperly encrypted SMS message – along with use of a custom Java program – can open the SIM to the malware. A hacker can do anything from changing your voicemail to accessing your personal information on the SIM card.

In some phones, most information is stored on the phone and not the SIM. In some phones, SIM data can also include bank information, passwords to websites and programs and more. However, as we move to mobile and wearable devices, more SIM cards will be used to connect people to cellular networks.

 

 

 


Rocstor Encrypted External Hard Drives



Rocstor specialise in data storage and secure encryption solutions: that’s encrypted external hard drives to you and me, but it’s an increasingly important market. Andy and Scott talk to Anthony Rink from Rocstor about how their products can keep your data safe.

Rocstor offers a range of external data storage products with real-time encryption built-in as standard. The encrypted drives meet FIPS Level 2, meaning that it’s hardware-encrypted (not software) and that any tampering of the drive to get at the crypto keys is obviously apparent. To suit different circumstances, some models use tokens, others PINs and some use both with ruggedised and waterproof units also available. Depending on features, $250-$300 gets you 1 TB of secure external storage.

Interview by Andy McCaskey of SDR News and Scott Ertz of F5 Live: Refreshing Technology for the TechPodcast Network.


 


Nothing to Hide, Nothing to Fear?



“If you’ve nothing to hide then you’ve nothing to fear” is often trotted out in the debate around privacy and secrecy. Superficially it seems reasonable but even with a modicum of critical thinking, the adage becomes trite and flawed. However, even if you did believe that “nothing to hide, nothing to fear” was reasonable, then the British 2011 Annual Report of the Interception of Communications Commissioner (.pdf) ought to give food for thought.

The report covers the Regulation of Investigatory Powers Act (RIPA) which includes the postal service, telephony and electronic forms of communication, and can be carried out for both law enforcement and national security purposes. There are two distinct areas, the first being the interception of communications and the second being the acquisition of communications data. Simplistically, the first area is about directly listening in on a communication and the second is about who, when and where a communication took place.

In 2011, the total number of lawful interception warrants for the UK was 2911, and this all seems quite reasonable, given the population of the UK (60-odd million). However, in amongst the successful security operations, we also find that the security and associated agencies made 42 mistakes (1.4%), usually through typographic errors. In all instances, the error was discovered before the intercept took place or else all the material associated with intercept was destroyed.

Communication data requests cover information about communications, mainly subscriber data, service use data and traffic data, rather than the content of the communication itself. There were 494 078 communication data requests in 2011, an 11% decrease on the previous year. As you might guess, there were a few errors there too, with 895 mistakes being reported. Although this represents an error rate of only 0.18%, I’m sure it will be of little comfort to the two wholly innocent individuals who were arrested by the police because of these mistakes. Again typographic errors in the transcriptions of phone numbers or IP addresses were largely to blame but of additional concern was that nearly 100 of the errors were identified by auditors and weren’t recognised at the time of the requests.

If you think that because you’ve nothing to hide then you’ve nothing to fear, think again. You’ve everything to fear from the transposed digit, the wrong post code look-up and the minimum-wage flunky copying and pasting from the wrong records.

Probably not what you were worried about at all.


Rocstor AES 256-bit Encrypted Hard Drive



Rocstor has unveiled a new portable external hard drive that practically guarantees that your data won’t be stolen. The hard drive, which comes in capacities up to 1 TB, has a slot for a smart card. Enter the card, punch in your code (which you choose), and you unlock the drive and all of the data you have stored on it. The drives are FIPS certified and ship with multiple cards. For users that need additional cards, they can be purchased blank and inserted into a unit to be programmed to work with it. PINs can be changed an unlimited number of times as well.

These hard drives are probably not for average consumers, but more for business and government.  They are designed to protect highly-sensitive data and eliminate those stories that are always in the news these days about stolen laptops filled with account and credit card information.  The drives retail in the $400-600 range and are available now from Rocstor.

Interview by Todd Cochrane of Geek News Central for the TechPodcast Network.
