Showing posts with label encryption. Show all posts

Wednesday, September 14, 2016

New Chip Could Bring Highest Level of Encryption to Any Mobile Device

Random number generators are crucial to the encryption that protects our privacy and security...
For the first time, engineers have developed a fast random number generator based on a quantum mechanical process that could deliver the world’s most secure encryption keys in a package tiny enough to use in a mobile device.

In The Optical Society's journal for high impact research, Optica, the researchers report on their fully integrated device for random number generation. The new work represents a key advancement... delivering the highest quality numbers and thus the highest level of security — into computers, tablets and mobile phones.

“We’ve managed to put quantum-based technology that has been used in high profile science experiments into a package that might allow it to be used commercially,” said the paper’s first author, Carlos Abellan, a doctoral student at ICFO-The Institute of Photonic Sciences, a member of the Barcelona Institute of Science and Technology, Spain. “This is likely just one example of quantum technologies that will soon be available for use in real commercial products. It is a big step forward as far as integration is concerned.” more

Monday, July 18, 2016

IT Security Alert - Got Juniper Equipment? Better get the patch.

Juniper Networks patched a crypto bug tied to its public key infrastructure that could have allowed hackers to access the company’s routers, switches and security devices and eavesdrop on sensitive communications. The flaw was tied to Juniper products and platforms running Junos, the Juniper Network Operating System.

The bug (CVE-2016-1280) was reported and patched by Juniper on Wednesday, with public disclosure Friday. Juniper also posted its own information on the security vulnerability, which was found internally.

...The vulnerability allowed attackers to create specially crafted self-signed certificates that can bypass certificate validation within Juniper hardware running the Junos OS. If exploited, the vulnerability could have allowed an attacker in a man-in-the-middle position on the victim’s network to read supposedly secure communications. more

Thursday, April 21, 2016

Information Security and Cryptography Seminar - Zurich, Switzerland

Time to make your travel plans...

As a friendly reminder, we are pleased to announce our seminar in Information Security and Cryptography. A full description of the seminar, including a detailed listing of topics covered, is available at www.infsec.ch.

INFORMATION SECURITY AND CRYPTOGRAPHY, FUNDAMENTALS AND APPLICATIONS (June 13-15, 2016)

This seminar provides an in-depth coverage of Information Security and Cryptography. Concepts are explained in a way understandable to a wide audience, as well as mathematical, algorithmic, protocol-specific, and system-oriented aspects.

The topics covered include cryptography and its foundations, system and network security, PKIs and key management, authentication and access control, privacy and data protection, and advanced topics in cryptography.

The seminar takes place in Zurich, Switzerland. The lectures and all course material are in English.

With kind regards,
Ueli Maurer and David Basin
Advanced Technology Group

Thursday, April 7, 2016

Quantum Cryptography Breakthrough - FutureWatch: Ultra-Secure Communications

Researchers at the University of Cambridge and Toshiba's European research branch have found a way to speed up the rate at which data can be securely transmitted using quantum cryptography. It's a development that could pave the way to faster, ultra-secure communications that are impossible to spy on.

Many of the encryption methods that keep our online data safe rely on a digital key which is very hard for computers to crack – for instance, requiring the identification of two very large prime numbers, which standard computers are very poor at. But if a powerful quantum computer were to be built, it could crack these types of code with ease and jeopardize the safety of our digital communications.

The only encryption method that has been proven to be completely secure if applied correctly – quantum computers or not – is the so-called "one-time pad." Here's how it works: first, a secret digital key is created consisting of a completely random sequence of bits. The key is then securely sent to the receiver, and kept private. Now, the sender can encrypt his message by adding the message's bits to the random bits of the key. Under these conditions, the code is deemed truly uncrackable. more

Tuesday, February 16, 2016

Have something to hide? Here’s how to make it disappear in Windows...

Perhaps you share a computer, and want to keep some documents under wraps. Maybe there’s a file you want to keep on your computer, but don’t want to see every day. Or maybe, just maybe, you’re worried about keeping a particular file from prying eyes.

If you want to hide something around your house, you’ve got two options. First off, you can hide it somewhere insecure — like under the rug — and hope that no one thinks to look there. Or, secondly, you can lock it up in a safe where people can’t get in without some serious effort. The same is true for your files. You can make them harder to find with obscurity, or you can protect them with encryption. Let’s go over some tips for both methods, starting with how to hide your files. more

Monday, February 1, 2016

FutureWatch - Keep Your Eye on IoT - The Encryption Debate is a Distraction

...products, ranging from “toasters to bedsheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables,” will give the government increasing opportunities to track suspects and in many cases reconstruct communications and meetings. more

...from "Don’t Panic: Making Progress on the ‘Going Dark’ Debate"
The audio and video sensors on IoT devices will open up numerous avenues for government actors to demand access to real-time and recorded communications.

A ten-year-old case involving an in-automobile concierge system provides an early indication of how this might play out. The system enables the company to remotely monitor and respond to a car’s occupants through a variety of sensors and a cellular connection. At the touch of a button, a driver can speak to a representative who can provide directions or diagnose problems with the car. During the course of an investigation, the FBI sought to use the microphone in a car equipped with such a system to capture conversations taking place in the car’s cabin between two alleged senior members of organized crime.

In 2001, a federal court in Nevada issued ex parte orders that required the company to assist the FBI with the intercept. The company appealed, and though the Ninth Circuit disallowed the interception on other grounds, it left open the possibility of using in-car communication devices for surveillance provided the systems’ safety features are not disabled in the process.

Such assistance might today be demanded from any company capable of recording conversations or other activity at a distance, whether through one’s own smartphone, an Amazon Echo, a baby monitor, an Internet-enabled security camera, or a futuristic “Elf on a Shelf” laden with networked audio and image sensors. more

Monday, November 16, 2015

BlackBerry SecuSUITE - Voice Encryption for iOS, Android & BlackBerry

BlackBerry Limited and its subsidiary Secusmart have today announced the release of SecuSUITE for Enterprise, a new voice encryption solution that protects mobile calls on the Android, iOS and BlackBerry operating systems.

By using the VoIP, software-based, cloud-hosted solution, employees will be able to conduct secure conversations worldwide and be able to send encrypted text messages of any length.

Voice and text messages are encrypted with 128-bit Advanced Encryption Standard (AES) on the individual device level, meaning messages are stored on the receiver’s smartphone and only sent to the recipient when they are available to receive them. more

Saturday, November 14, 2015

Visit Switzerland in June - Information Security and Cryptography Seminar

INFORMATION SECURITY AND CRYPTOGRAPHY, FUNDAMENTALS AND APPLICATIONS (June 13-15, 2016)

Lecturers: Prof. David Basin and Prof. Ueli Maurer, ETH Zurich

The topics covered include cryptography and its foundations, system and network security, PKIs and key management, authentication and access control, privacy and data protection, and advanced topics in cryptography. The seminar takes place in Zurich, Switzerland. The lectures and all course material are in English.

This seminar provides an in-depth coverage of Information Security and Cryptography. Concepts are explained in a way understandable to a wide audience, as well as mathematical, algorithmic, protocol-specific, and system-oriented aspects.

A full description of the seminar, including a detailed listing of topics covered, is available at www.infsec.ch

Wednesday, October 28, 2015

Criptyque Launches Pryvate™, the First Fully Secure Communications Platform

Criptyque, the secure communications provider, today announced the launch of Pryvate™, the first all-encompassing and fully encrypted communications platform for mobile devices. Pryvate secures communication services across email, voice calls, conference calls, video calls and instant messenger to protect consumers and businesses from cybercriminals, intruders, corporate espionage, hackers and more.

The Pryvate application provides triple-layered security powered by top-of-the-line 4096-bit encryption, with AES 256-bit key management and DH key exchange. It offers truly seamless independent, network agnostic security combined with high quality of service at a low cost.

Initially available on Apple and Google Play stores, the service provides security by generating unique encryption keys on the devices of both users who communicate via the application. Once a key is used, a new key is created for every subsequent interaction and auto renew for every call, IM, message, session etc. Pryvate has no access to users’ encryption keys past, present or future: making it impossible to leak, hack, collaborate or give away keys, which makes all communication through Pryvate totally secure and impervious to hacking. more

Tuesday, June 23, 2015

Radio Bug in a Pita Steals Laptop Crypto Keys

The list of paranoia-inducing threats to your computer’s security grows daily: Keyloggers, trojans, infected USB sticks, ransomware…and now the rogue falafel sandwich.

Researchers at Tel Aviv University and Israel’s Technion research institute have developed a new palm-sized device that can wirelessly steal data from a nearby laptop based on the radio waves leaked by its processor’s power use.

Their spy bug, built for less than $300, is designed to allow anyone to “listen” to the accidental radio emanations of a computer’s electronics from 19 inches away and derive the user’s secret decryption keys, enabling the attacker to read their encrypted communications. And that device, described in a paper they’re presenting at the Workshop on Cryptographic Hardware and Embedded Systems in September, is both cheaper and more compact than similar attacks from the past—so small, in fact, that the Israeli researchers demonstrated it can fit inside a piece of pita bread.

“The result is that a computer that holds secrets can be readily tapped with such cheap and compact items without the user even knowing he or she is being monitored,” says Eran Tromer, a senior lecturer in computer science at Tel Aviv University. “We showed it’s not just possible, it’s easy to do with components you can find on eBay or even in your kitchen.” more / research paper

Imagine these being built into restaurant and hotel room table tops.

Tuesday, June 9, 2015

Counterespionage Tip # 529 - Encryption as a Legal Defense

We strongly encourage companies possessing or transmitting personally identifiable information (PII), protected health information (PHI), financial or other sensitive data, including trade secrets, to use encryption. Why? Because, if employed properly, it is both effective and legally defensible.

Why should you use it?

You should use encryption because it gives you legal protection. Few laws specifically require encryption. HIPAA generally doesn’t. State statutes don’t. Nor does the Gramm-Leach-Bliley Act’s Safeguards Rule. Yet if you are not encrypting PII, PHI, or financial data, you are putting yourself at risk. Those laws expect you to take reasonable precautions. And using encryption, and using it properly, is a reasonable precaution when it comes to dealing with sensitive data. HIPAA, for example, provides that encryption should be used where “the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability” of the information or else implement an “equivalent alternative measure if reasonable and appropriate,” and document why encryption wasn’t the best choice. more

Friday, June 5, 2015

Let's YTRAP, mate!

A new kind of party craze has many Australians scrambling for invitations. 

Crypto parties, where people gather to learn online encryption, are attracting everyone from politicians, to business people, to activists.

Two years after US spy agency contractor Edward Snowden leaked documents from the National Security Agency exposing mass global internet surveillance, there is rapidly growing interest in protecting online activity.

There have been crypto parties in Brazil, Germany and the UK, and more than a dozen have already been held in Australia.

Apps like Wickr, Confide and WhatsApp have taken encryption out of the geek lab and to the masses. more

Wednesday, January 28, 2015

Need A Secure Portable 1 or 2TB Hard Drive? (Yeah, you do.)

iStorage diskAshur Pro 1TB review: one of the most secure and encrypted portable hard drives you can buy...

If you use a portable drive for business, there's a very strong case for keeping that data secure with a hardware-encrypted drive. And when customer data is at stake, there's a legal obligation to button it down to keep it confidential in the event of the drive being lost or otherwise compromised.

Even home users may prefer to keep their files and data to themselves. Which is why encrypted portable drives like the iStorage diskAshur Pro can be such a great idea, with their built-in keypads that need a numerical PIN to be entered before they give up their secrets.

The diskAshur Pro follows a line of similar drives sold in this country (UK) by iStorage Limited, which are rebranded and renamed drives designed by and made for Apricorn Inc in the USA. This latest version is called the diskAshur Pro, otherwise known as the Apricorn Aegis Padlock Fortress, and has been given a FIPS 140-2 security rating.
(more)

Sunday, January 25, 2015

Email Encryption Options

Q.  I have a client who wants us to use encryption for emails and attachments (not voice). Do you have a solution?

A. Thanks for asking. Your client has a number of fairly easy and low cost options.

• If they use Microsoft Office Outlook have them read this.
• Mac Mail. Read this.
• Thunderbird. Read this.
• Google Apps. Read this.
• Here are the 2015 reviews for the "Top Ten" 3rd-party email encryption programs.
• This is a good article on how to implement email encryption.

Not knowing the client, their needs, IT expertise, etc. I can't point them to anything specific, but the above links will certainly get them started.

Hope this helps,
Kevin

Friday, December 12, 2014

Interesting Spy Stories of the Week

A former computer technician at HSBC Holdings’ Swiss unit, “celebrated as a hero abroad,” was indicted in Switzerland on charges of industrial espionage and violating bank secrecy laws, prosecutors said... accused of stealing client data in 2008 from HSBC’s Geneva office and passing it to French authorities... (more)

Verizon Voice Cypher, the product introduced with the encryption company Cellcrypt, offers business and government customers end-to-end encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app. The encryption software provides secure communications for people speaking on devices with the app, regardless of their wireless carrier, and it can also connect to an organization's secure phone system. Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they're able to prove that there's a legitimate law enforcement reason for doing so. (more)

US-based cyber security solutions firm FireEye has just uncovered a business espionage racket targeting over 100 corporates, to steal information. The FIN4 group, as FireEye calls the hacking outfit, has a deep knowledge of how business deals are reached and how corporate entities communicate within and outside the organization. Unlike in other attacks, the hacker group is said to be very focused. It targets people who might have access to confidential information. (more)

An electrical engineer for a defense contractor was fined $5,000 and sentenced to 180 hours of community service for falsely accusing his boss of spying for another country. (more)

Thursday, December 11, 2014

Blackphone Improves - Now with Apps and a Silent Space!

Blackphone, a joint venture between SGP Technologies, Silent Circle, and others, will introduce the world's first privacy-focused app store.

PrivatOS 1.1 empowers users to take control of their privacy, without the tradeoffs...

With most smartphones, separating work and play means compromising either privacy or convenience: either work apps and data live in the same place as personal games and social media apps, or users carry two devices to guarantee privacy and separation. Spaces can separate work life from personal life, a "parents only" space from a kid-friendly one, or any other separation users can dream up – no compromises needed.

A "Silent Space" is featured by default and includes the Silent Suite of apps for encrypted communication, Blackphone app store and a bundle of pre-loaded privacy apps. From there, build additional Spaces as you see fit – for whatever purpose you need – with the Blackphone Security Center and PrivatOS keeping you safe across each one.

The accompanying launch of the Blackphone app store – the first one in the world that focuses solely on privacy-focused applications – solidifies Blackphone's position as a global leader in privacy and security.

Available January 2015, the Blackphone app store features curated apps specifically selected by Blackphone as the most secure privacy-optimized apps on the market. Several pre-loaded apps will be immediately available with the latest PrivatOS update in early 2015. (more)

Friday, November 14, 2014

Coca-Cola Guards Best-Kept Secret in US But Not 55 Laptops - An Employee Sues

Coca-Cola is facing a potential class-action lawsuit after one of the people whose personal data was on one of a clutch of laptops stolen from the company says he suffered identity theft as a result of the breach.


Laptop thefts are a common occurrence for most large organizations but the circumstances surrounding the loss of 55 laptops over a six-year period from the drinks giant’s Atlanta office and a bottling firm it acquired were always puzzling.

Made public on 24 January this year, it turned out that an employee, Thomas William Rogers III, had allegedly taken the machines without their loss being realized. The machines contained the records of 74,000 people, all current or former employees, including 18,000 revealing social security numbers. (more)


Moral - Encrypt your laptop data.

Tuesday, October 28, 2014

T-Mobile Adds New Encryption to Their Network

T-Mobile seems to have made good on its parent company's (Deutsche Telekom) promise, from last year, to upgrade its 2G networks to a stronger encryption standard after the Snowden revelations forced many firms (especially abroad) to take a better look at their security and the security of their customers.

The new encryption standard is called A5/3 and should be much harder to crack, while the old one was called A5/1 and could be cracked even by a single PC back in 1999. In 2008, passive surveillance of the "encrypted" 2G network was already possible.

T-Mobile aims to stop this sort of surveillance with the new A5/3 encryption standard, although it won't be able to stop targeted attacks by IMSI Catchers, which are devices the police, FBI and potential criminals may be using to eavesdrop on phone conversations and texts over a certain local area. (more)

Guess Who's Making the Next Secure Cell Phones

The Scientific and Technological Research Council of Turkey (TÜBITAK) intends to start producing mobile phones that are protected from wiretapping, Turkish Minister of Science, Industry and Technology Fikri Isik was quoted by Al Jazeera Turk TV channel as saying.
"Turkey also intends to establish production and export smartphones protected from wiretapping to neighboring countries."

The minister did not mention the specific date of the production and the cost of the project. (more)


Not surprising. Turkey has had some serious cell phone eavesdropping problems over the past few years. Many at high levels of government.

Thursday, October 16, 2014

Cell Phone Eavesdropping Just Became Really Difficult

Scientists have invented a new method to encrypt telephone conversations that makes it very difficult to 'eavesdrop'. 

Professor Lars Ramkilde Knudsen from Technical University of Denmark (DTU) has invented a new method called dynamic encryption to ensure that all telephone calls are encrypted and eavesdroppers are unable to decrypt information in order to obtain secrets...

The new method expands the AES algorithm with several layers which are never the same... The new system can prove hugely effective in combating industrial espionage, said Knudsen.

Industrial espionage occurs when different players discover and steal trade secrets such as business plans from companies, technical know-how and research results, budgets and secret plans using phone tapping. (more)