Tag Archives: encryption

Texas Gunman’s Locked Phone Reignites Encryption Debate

Another locked smartphone, another garbage reason for demanding access, and another FBI screwup that made this all possible. Either the FBI is woefully incompetent, incapable of getting into a phone (let alone protecting this country from domestic threats), or they’re intentionally screwing up in order to create demand for a precedent that would let them destroy personal security. In the past, the FBI has stated that they’re more interested in setting a precedent than getting into these devices.

Let’s back up: what are we talking about here? We’ll start by going back to December 2nd, 2015. That’s the date of the San Bernardino attack, where 14 people were killed and 22 injured. This started a long and frustrating attack on personal privacy and even free speech from the FBI. The FBI was trying to get into the shooter’s work phone—an older iPhone 5c with reduced security—despite evidence that the phone had nothing of use for them on it. They botched their attempts to log in, preventing Apple from helping them to bypass the encryption by doing a backup to their servers, which they could then decrypt. After locking the phone themselves, the FBI then laid the blame on Apple, saying they should be forced to make a backdoor through encryption for law enforcement. However, this is a multifaceted problem.

1) Creating such a backdoor would destroy security on all smartphones, both through the precedent it would set for forcing other manufacturers to create these backdoors and through leaks. The lack of encryption would put people in the U.S. in danger of having their phones stolen or hacked, would put people living under an authoritarian regime, especially women and minorities, in trouble, and would hamper our ability to secure devices for politicians, diplomats, and other targets for hacking from foreign entities. (Of course, after Comey’s attack on Hillary Clinton during the election, maybe he was pro-Russian hacking all along.)

2) Forcing Apple to write software would be a violation of the company’s employees’ right to free speech. Software is protected free speech, and this would be the government forcing a company to create a worse product, something that should have horrified “small government” Republicans. For the most part, it did not upset them, but as the party leans more authoritarian than traditionally conservative, and with a few allies on the Democrats’ side, like Barack Obama, such intrusions on individual rights are becoming more common.

In Texas, a man who shouldn’t have been able to buy a gun was able to do just that, skirting gun control laws due to the Air Force’s refusal to enforce necessary gun control through accurate reporting. The shooter then took that gun and went to his mother-in-law’s church, killing many people inside. The FBI got ahold of his phone, botched entry again, and, despite knowing that the man was a domestic abuser with a history of violent and loosely targeted attacks, not a terrorist with a network or help, the FBI is still insisting that they just need to get into the phone.

The FBI’s starting to sound like a child begging for an expensive toy they’ll likely break on Christmas Day: “But please, U.S. citizens, can we please violate your constitutional rights and privacy?”


Major Security Flaw Revealed in Android’s Full Disk Encryption

Both iOS and Android offer full disk encryption. This allows users to protect the contents of their devices with a password. However, the feature is rarely used by Android users, because it slows the device down considerably. On Android, there is no dedicated hardware for encryption or decryption, making it much slower than iOS encryption. Android encryption is also more difficult to enable than iOS encryption. An iOS user simply needs to use a passcode or password with their device to enable encryption, which happens quickly and behind the scenes. iOS users don’t even know they’re doing anything special. On Android, this feature has to be manually enabled, and it makes the device much slower. Benchmarks between iOS and Android devices don’t even encrypt the Android devices, because the scores would be much worse if they did. Thanks to the difficulty and speed differences, many Android users don’t even use encryption. However, those who do will be disappointed that while they’re giving up performance and ease of use, they’re not getting much in the way of security in return. That’s because of a massive flaw in the way Qualcomm chips, used in many Android devices, handle encryption keys. Unlike iOS, there is no hardware to protect passwords from being lifted through software, and that makes those keys vulnerable to attack.

Public WiFi is Insecure. Here’s an Easy Way to Protect Yourself

No public WiFi is secure, but you can change that

Public WiFi is insecure, even when it requires a password. If there is no password, nothing is encrypted over the network. If there’s no password to join the WiFi, but you need a username or password to access the Internet (popular in hotels), it’s still not secure. This is really just an open network; it only requires a login through a portal so the hotel can track who’s online. There’s no actual security here. If the WiFi requires a password, but the password is easy to find, such as on a card on the table (popular in restaurants), this is still insecure. The channel will be encrypted, but a hacker could create another WiFi network with the same name and password, and your device might join the wrong network. The hacker’s network would be capable of cracking its own encryption easily, and you’d be handing your data to the hacker directly. The hacker might forward your requests to the actual services, so you’d never know they were collecting all of the data going to and from your computer. Finally, there’s the most secure public option, which is like having the most fuel efficient SUV. If the owner of the WiFi network must be asked for a password, the hacker would have to do the same to attempt the attack described above. This makes their hack less anonymous, and would scare away some hackers. However, it’s not enough to guarantee that a hacker wouldn’t make a fake network to grab information.

It seems there’s no way to win. All forms of public WiFi could have someone watching every bit (pun intended) of information leaving your computer, going through the WiFi, and reaching the Internet. Fortunately, there is something you can do to thwart hackers, even on the least secure WiFi option. It’s the same tool that has been used in information security since security was needed: encryption. If you encrypt all the data leaving your computer to go through the WiFi with strong encryption, there’s not a hacker in the world who could figure out what you were doing. You’re probably not a software engineer, so hearing that you have to encrypt something might sound daunting. But fret not, that’s actually extremely easy, because a bunch of software engineers already did all the legwork. All you have to do is install an app and sign up.

FBI Admits They Can’t Hack New iOS Devices

A tool used to break into iPhones

FBI director James Comey spoke at Kenyon College in Ohio recently, where he revealed details on how the FBI carried out their hack of the iPhone 5c owned by the employer of the San Bernardino shooter. He stated, contrary to previous reports I've seen, that the iPhone 5c was running iOS 9 after all. He revealed that the FBI actually purchased a “tool” from a third party and this third party tool only works on the iPhone 5c. According to Comey, the FBI does not want to give Apple information on the hack, because then Apple would close the security hole to protect their customers. However, if the hack doesn't work on the latest iPhones running the latest operating systems, Apple may have already fixed the issue. Still, the FBI isn't made up of complete fools, though they've been acting like it, and they may have a decent hack on their hands, and a good reason to hold on to it, and that's potentially bad news for anyone with an iPhone 5c, or an older iOS device.


WhatsApp Now Offers End-to-End Encryption

When it comes to securing your communications, nothing beats end-to-end encryption. End-to-end encryption means no one can read communications sent between two or more people. It works with a set of keys. Everyone involved with the communication has two keys, a public and a private key. These keys are used to encrypt and decrypt messages. In the case of WhatsApp, iMessage, Facetime, Signal, and other messaging apps, public keys for all users are encrypted and stored on the company's servers. Let's say Alice wants to send a message to Bob. First, her phone will copy Bob's public key from the server, and use that to encrypt the message. Then, it sends the encrypted message over the servers to Bob. Once Bob receives the encrypted message, he decrypts it with his private key. His private key is shared with no one, so only he can decrypt the message.

There are other implementations of this, in which there are no servers in the middle. For this to work, users must give and store each other's keys on their own devices. This may work for hyper-secure messaging between two computer users, but it's not feasible for normal smartphone users, and it doesn't work well with social apps like WhatsApp. However, there are methods that companies like WhatsApp and Signal take to ensure that everyone's messages are secure. Apple's iMessage, on the other hand, does not use these methods, which creates a security vulnerability in a system that is normally impenetrable.

WhatsApp just enabled encryption over chat and video, ensuring that their users are completely secure, and all sent messages are private.


Encrypt Your Mail With ProtonMail

Encryption has been in the mainstream news thanks to the FBI’s case against Apple. The FBI wanted into an iPhone, and thought the only way was if Apple designed a way for them to bypass security measures and decrypt the iPhone in question with help from an unnamed third party. The FBI managed to get in without the help of Apple. They likely used an old bug that has already been patched, but if the idea of hackers being able to access devices sounds unappealing, you may want to start using more secure services. That includes email that is protected with strong end-to-end encryption. ProtonMail is a company offering just that. The company uses strong encryption that can only be read by the recipients using public-private keys, a sort of handshake that ensures a message can only be read by the person the message was intended for. ProtonMail is a free service, and it’s a great way to ensure your communication is secure.


FBI Not Sure it Can Hack Arkansas iPhone Now

“The FBI frequently receives requests from our local partners to provide expert technical assistance. Such requests are considered on a case by case basis. At the time of the request, no information was provided regarding the device models or operating systems, so FBI Little Rock was not able to state if they would be able to provide assistance. The FBI does not currently have possession of the devices.”

The FBI may have jumped the gun when it offered to hack two iOS devices that may have been used for communication between two suspected murderers. They're now not sure if they can hack the devices in question. This tells us something very important about the hack the FBI is using: it won't work on newer devices or updated versions of iOS. If the FBI can only hack into older devices, Apple has likely already patched the security flaw the FBI was using. This is an important lesson for iOS owners. If you're using an iPhone, make sure it's up to date; it could keep hackers out.

Source: cnet