Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label End To End Encryption. Show all posts
End To End Encryption
cloud storage cloud storage services Cyber Security Data Storage Data Synchronization E2EE End To End Encryption

Security Risks Discovered in Popular End-to-End Encrypted Cloud Storage Platforms

 

Recent cryptographic analysis by researchers at ETH Zurich has uncovered significant security vulnerabilities in five major end-to-end encrypted (E2EE) cloud storage platforms: Sync, pCloud, Icedrive, Seafile, and Tresorit. These platforms are collectively used by over 22 million people and are marketed as providing secure data storage. However, the study revealed that each of these platforms has exploitable flaws that could allow malicious actors to gain access to sensitive user data, manipulate files, or inject harmful data. The research was conducted under the assumption that a malicious attacker could control a server with full ability to read, modify, and inject data. 

This is a plausible scenario in the case of sophisticated hackers or nation-state actors. The researchers found that while these platforms promise airtight security and privacy through their E2EE models, their real-world implementation may fall short of these claims. Sync, for instance, exhibited critical vulnerabilities due to unauthenticated key material, which allows attackers to introduce their own encryption keys and compromise data. It was found that shared files could be decrypted, and passwords were inadvertently exposed to the server, compromising confidentiality. Attackers could also rename files, move them undetected, and inject folders into user storage. pCloud’s flaws were similar, with attackers able to overwrite private keys, effectively forcing encryption using attacker-controlled keys. 

This, coupled with public keys that were unauthenticated, granted attackers access to encrypted files. Attackers could also alter metadata, such as file size, reorder file chunks, or even inject files. Icedrive was shown to be vulnerable to file tampering due to its use of unauthenticated CBC encryption. Attackers could modify the contents of files, truncate file names, and manipulate file chunks, all without detection. Seafile also presented several serious vulnerabilities, including susceptibility to protocol downgrade attacks, which made brute-forcing passwords easier. The encryption used by Seafile was not authenticated, enabling file tampering and manipulation of file chunks. As with other platforms, attackers could inject files or folders into a user’s storage space. 

Tresorit fared slightly better than its peers, but still had issues with public key authentication, where attackers could potentially replace server-controlled certificates to gain access to shared files. While Tresorit’s flaws didn’t allow direct data manipulation, some metadata was still vulnerable to tampering. The vulnerabilities discovered by the ETH Zurich researchers call into question the marketing promises made by these platforms, which often advertise their services as providing the highest level of security and privacy through end-to-end encryption. In light of these findings, users are advised to exercise caution when trusting these platforms with sensitive data, particularly in cases where the server is compromised.  

The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings in April 2024, while Tresorit was informed in late September 2024. Responses from the vendors varied. Icedrive declined to address the issues, Sync is fast-tracking fixes, and Tresorit is working on future improvements to further safeguard user data. Seafile has promised to patch specific vulnerabilities, while pCloud had not responded as of October 2024. While no evidence suggests that these vulnerabilities have been exploited, the flaws are nonetheless concerning for users who rely on these platforms for storing sensitive data. 

The findings also emphasize the need for ongoing scrutiny and improvement of encryption protocols and security features in cloud storage solutions, as even end-to-end encryption does not guarantee absolute protection without proper implementation. As more people rely on cloud storage for personal and professional use, these discoveries are a reminder of the importance of choosing platforms that prioritize transparent, verifiable security measures.
Read more »
Telegram Messenger
App privacy Cyber Security data security End To End Encryption Messaging Apps Secure Messenger Telegram Telegram Messenger

Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns

 

Telegram is often perceived as a secure messaging app, but this perception is flawed. Unlike WhatsApp, Telegram doesn’t have end-to-end encryption by default. While Secret Chats offer encryption, users must manually activate this feature, and it doesn’t apply to group chats or desktop versions. Additionally, Telegram’s encryption is proprietary and not open to public audits, making it hard to verify its security. This leaves room for potential vulnerabilities, including access by admins, authorities, and hackers. While Telegram is widely used for its innovative features like chat organization and community management, its encryption methods raise red flags among security experts. The platform encrypts data in transit, preventing message interception. 

However, the majority of conversations on Telegram are not end-to-end encrypted, meaning administrators could access them if required by law enforcement. This poses risks for users discussing sensitive topics or sharing confidential information. Moreover, Telegram’s encryption methods are seen as complex and opaque. For example, the optional Secret Chats use a proprietary encryption algorithm, which is difficult to verify and may include hidden vulnerabilities. Cryptography professionals have criticized this, noting that unless an encryption system is open-source, it cannot be thoroughly vetted for weaknesses or backdoors. One of the significant drawbacks of Telegram’s security is its inapplicability to group chats. Group conversations cannot be encrypted, which increases the risk of unauthorized access to user messages. 

For those needing strong privacy for sensitive communications, this is a serious limitation. Given that other popular messaging platforms like Signal and WhatsApp offer end-to-end encryption by default, users of Telegram may want to reconsider using the app for private or sensitive discussions. Signal, for instance, uses the highly respected Signal Protocol, which has been audited and proven to be robust. Telegram, by comparison, leaves users with limited protection due to its closed-source encryption. Despite these concerns, Telegram remains a popular app due to its versatile features, making it more than just a messaging platform. Telegram’s organizational tools, community management features, and ability to broadcast information have made it a favorite among certain groups, especially those sharing tech news or international updates. 

However, for those who prioritize security, Telegram’s limited encryption may not be sufficient, making apps like Signal or even WhatsApp a safer option for encrypted messaging. While Telegram has many innovative features, its encryption limitations leave it far from being the most secure messaging app.
Read more »
User Security
Data Privacy End To End Encryption Mobile Security SMS Attack User Security

Here's Why You Should Stop Using SMS Messaging

 

Cybersecurity is more critical than ever in today's digital world. However, one commonly employed but often missed area of weakness could be something you use every day. Since Nokia made the technology available to the public in 1993, Short Message Service, or SMS messaging, has been the major way people have texted. You might be surprised to hear that it's one of the riskiest methods of mobile communication given that it's typically included by default on most mobile devices. 

However, if you intend to stay safe and private, you should avoid using it. Here are five of the reasons why. 

Lacklustre end-to-end encryption

SMS is not encrypted from beginning to end. SMS messages, in reality, are frequently sent as plain text. This means that there are no safeguards in place and that anyone with the necessary knowledge can intercept an SMS. If your mobile provider employs encryption, it is most likely a poor and outdated method that is only used during transit. 

SMS relies on obsolete technology 

SMS technology is based on a set of signalling protocols known as Signalling System No. 7 (SS7), which was established in the 1970s. It is out of date and highly insecure, making it exposed to different forms of cyberattacks. As Ars Technica reported at the time, in 2017, a hacker gang used an SS7 security hole to circumvent two-factor authentication and drained people's bank accounts. Similar attacks have taken place several times over the years. 

The government can read your SMS texts 

Why haven't the security flaws in SS7 been fixed? One probable explanation is that regulators are uninterested in doing so since governments all across the world eavesdrop on their citizens. Whether or not this is the true reason, it is undeniable that your government could read your SMS texts if it so desired. Law enforcement in the United States does not even require a warrant to examine correspondence older than 180 days.Congressional Representative Ted Lieu presented legislation to stop this in 2022, but it was unsuccessful. 

Messages stored by your carrier 

SMS texts are saved by carriers for a set period of time (the length varies depending on the carrier). Metadata, which is information on the data itself, is kept much longer. If you aren't concerned about police enforcement reading your texts, you should be aware that your mobile provider can as well. While it is true that laws, regulations, and internal rules restrict mobile providers from spying on users, unauthorised access and breaches do occur. 

SMS message cannot be unsent 

Unsending an SMS message is not possible. If the recipient receives it, it will remain on their phone indefinitely unless they delete it manually. It's one thing to send a terrible and embarrassing SMS, but what if the recipient's phone has been hacked or otherwise compromised? And what if you revealed personal information in an SMS that you should not have revealed? This is probably not a scenario you want to think about. 

Switch from SMS to a secure messaging app 

SMS should not be used by anyone who is concerned about their personal cybersecurity and wishes to safeguard their privacy. The difficulty is that it provides a level of ease that alternatives simply cannot equal, at least for the time being. However, in most cases, that is not a sufficient justification to employ it. 

Secure, end-to-end encrypted messaging apps outperform SMS in practically every other way. And, if you have no other choice, use SMS wisely. Do not share information that you would not want a third party to have access to, and remember to take additional security steps.
Read more »
UK Home Secretary
Cyber Security Data Privacy End To End Encryption Tech Giant UK Home Secretary

UK Home Secretary Clashes with Meta Over Data Privacy

 

Suella Braverman, the UK Home Secretary, wants to "work constructively" with Meta on the company's plans to implement end-to-end encrypted (E2EE) messaging in Instagram and Facebook by the end of the year, which she thinks will provide a "safe haven" for paedophiles and harm children. 

Meta said it will continue to share relevant details with law enforcement and child abuse charities. Braverman has written to tech giant to voice her worries. 

A number of charities and technology professionals have signed the letter, which begs the firm to disclose more details on how it will keep consumers safe. 

Braverman told Times Radio earlier this week that E2EE might lead to platforms being "safe havens for paedophiles."

"Meta has failed to provide assurances that they will keep their platforms safe from sickening abusers," Braverman added, urging parents to "take seriously the threat that Meta is posing to our children. It also must develop appropriate safeguards to sit alongside their plans for end-to-end encryption.” 

Braverman stated that the government will use the powers given to it by the new Online Safety Bill legislation, which allows telecoms regulator Ofcom to compel tech companies to violate E2EE and hand over information linked to probable abuse cases if necessary. 

It is currently unclear whether this is possibly feasible without incorporating back-door access to such systems, which, according to tech companies, creates security and privacy issues. 

Meta stated that it has a "clear and thorough approach to safety" that focuses on "sharing relevant information with the National Centre for Missing and Exploited Children and law enforcement agencies." 

Braverman's intervention comes a day after the Online Safety Bill was given final approval by parliament and will now receive royal assent before becoming law. Tech firms such as Meta have decried the bill's threat to E2EE, with WhatsApp threatening to leave the UK if it becomes law. 

The government appeared to make a partial retreat earlier this month, stating it would only employ these powers as a "last resort" and when a technology that permits information to be extracted in a secure manner is established. 

Prime Minister Rishi Sunak stated his support for the measure earlier this year, in April. "I think everyone wants to make sure their privacy is protected online," Sunak said. "But people also want to know that law enforcement agencies can keep them safe and have reasonable ways to do so, and that's what we're trying to do with the Online Safety Bill." 

Meta said in August that by the end of the year, it would be implementing E2EE on private communications across all of its platforms.
Read more »
User Safety
Cyber Security data security End To End Encryption Mail Servers ransomware attacks User Safety

Cloud Email Services Strengthen Encryption to Ward Off Hackers

 

The use of end-to-end encryption for email and other cloud services is expanding. This comes as no surprise given that email is one of the top two cyberattack vectors. 

Mail servers made up 28% of all affected hardware, according to Verizon's annual 2022 Data Breach Investigations Report, and 35% of ransomware activities involved email. In its 2022 report, the EU Agency for Cybersecurity noted that ransomware is responsible for 10 terabytes of data theft each month, with 60% of businesses likely having paid a ransom. An updated Gartner study from 2021 found that 40% of ransomware attacks begin with email.

To address these issues, Google, Microsoft, and Proton, whose Proton Mail service was a pioneer in secure email, expanded their end-to-end encryption offerings. 

Google revealed a beta of client-side encryption services for Gmail on the web in a blog post last month. Up until January 20, 2023, customers of Google Workspace Enterprise Plus, Education Plus, and Education Standard may apply for the beta.

The tech giant stated that client-side encryption "helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs," noting that it encrypts all data at rest and in transit in Google Workspace between its facilities. 

Moreover, it claims that Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar already support client-side encryption. Users simply need to click the lock icon and choose the option for additional encryption, according to Google, in order to add client-side encryption to any message. Writing and including attachments work as expected.

Microsoft, which last updated its message encryption in 2019, declared in April of last year that updates to Windows 11 would include security patches to address phishing and malware threats. 

If so, Microsoft will probably also include end-to-end encryption since Office 365 Message Encryption currently uses Transport Layer Security encryption. Despite the fact that this service, according to the provider, enables users to encrypt and rights-protect messages intended for internal and external recipients using Office 365, non-Office 365 email applications, and web-based email services like Gmail.com and Outlook.com, it does not shield users from phishing or malware attacks as well as E2EE. 

Google's announcement came after that of Proton, a platform for encrypted cloud storage that was introduced in 2013 by CEO Andy Yen in Geneva, Switzerland. With a focus on mobile devices, the company increased its encryption offerings last fall. These new additions included secure cloud storage and a secure calendar feature, both of which have apps for iOS and Android devices. 

Users can safely upload, save, and share files to and from their phone using Proton Drive, a free encrypted cloud service that was made available in late September and made its iOS and Android debuts in December. 

The three main functions of Proton Drive are as follows:

  • Any uploaded file on the user's device is encrypted before it is stored on Proton servers. 
  • Metadata such as file and folder names, file extensions, file sizes, and thumbnails are encrypted. 
  • File expiration and viewing passwords are included, allowing for secure sharing with non-Proton users.

Proton said that since the beta launch of Proton Drive last September, with over 500,000 users participating, it has seen an average of one million files uploaded per day, roughly half of which are photos.

Additionally, it offers two paid levels of service for its encrypted drive, Drive Plus with 200GB storage for $4.99/month or $47.88/year and Proton Unlimited with 500GB for $11.99/month or $119.88/year, all of which are available to individual users.
Read more »
WhatsApp
End To End Encryption Government Database internet outage Message encryption Proxy Server User Privacy Vulnerabilities and Exploits. WhatsApp

WhatsApp Allows Communication Amid Internet Outages

On January 5, WhatsApp revealed a new feature that enables users to connect via proxy servers so they may continue using the service even when the internet is restricted or disrupted by shutdowns.

Concept of Whatsapp proxy 

When selecting a proxy, users can connect to WhatsApp via servers run by individuals and groups devoted to promoting free speech throughout the world. According to WhatsApp, using a proxy connection preserves the app's privacy and security settings, and end-to-end encryption will continue to secure private conversations. As per the firm, neither the proxy servers, WhatsApp, nor Meta will be able to see the communications that are sent between them.

When it comes to assisting users when WhatsApp is prohibited in a country, the messaging service stated, "If WhatsApp is restricted in your nation, you can utilize a proxy to connect and communicate with loved ones. End-to-end encryption will still be used to protect private communications while using a proxy connection to WhatsApp."

In accordance with the new rules, internet service providers had to remove anything that law enforcement regarded to be illegal and cooperate with police investigations, which included locating the authors of malicious materials.WhatsApp countered this claim by saying that it will continue to secure users' private messages and would not compromise their security for any government.

According to Juras Jurnas of the proxy and online data collecting company Oxylabs, "For persons with government restrictions on internet access, such as was the situation with Iran, utilization of a proxy server can help people keep a connection to WhatsApp as well as the rest of the public, internet free."

After activists in response to the death of Mahsa Amini, 22, while in police detention, the Iranian government restricted access to Instagram and WhatsApp last year. The suspension of Article 370 of the Indian Constitution by the Indian Parliament resulted in a shutdown of the internet in the state of Jammu & Kashmir. This state-imposed lockdown was implemented as a precautionary measure. Only two districts, Ganderbal and Udampur, have 4G availability. After 552 days without internet or with slow internet, the former state was finally connected to 4G on February 6th, 2021.

The business stated it is working to ensure that internet shutdowns never occur and that individuals are not denied human rights or prevented from seeking immediate assistance as these scenarios arise in various locations throughout the world. 

Internet platforms had to comply with police investigations, including locating the authors of malicious information and destroying anything that authorities had determined to be illegal, according to the new legislation.WhatsApp countered that it would maintain the privacy of users' private messages and would not compromise its security for any government.






Read more »
Risk Management
API Cyber Security Email services End To End Encryption Risk Management

Kiteworks Leased Email Encryption Totemo

 

Kiteworks, the leading email encryption gateway supplier, regulates and secures vital digital content traveling within and out of global corporations, and used by hundreds of the largest multinational organizations in the German, Austrian, and Swiss markets. Kiteworks enables businesses to effectively manage risk and assure compliance with all the sensitive content sent, shared, received, and saved. 

This is accomplished using the Kiteworks platform, which unifies, tracks, controls, and secures all sensitive digital content communications sent through the platform via email, file share, managed file transfer, web forms, and application programming interfaces (APIs).

The totemo purchase expands the Kiteworks platform's email functionality beyond user or plug-in activation within the platform to the native mail client, offering automatic coverage of any sensitive digital content sent and received via email. 

Email content metadata on individuals, apps, devices, networks, protocols, and files will be centrally digested and normalized as totemo's technology will be integrated into the Kiteworks platform in the coming months. To limit the danger of private information being exposed and to meet regulatory compliance requirements, companies can establish centralized and comprehensive tracking and controls. 

Businesses that use this integrated intelligence will strengthen and expand the total cyber-defense strategy, extending privacy protection and compliance beyond the data center, cloud, and wide-area network (WAN) perimeters to third-party sensitive content communications. 

"Acquisition of totemo automates and extends the platform's email encryption with S/MIME, OpenPGP, and TLS protocols," explains Jonathan Yaron, Chairman and Chief Executive Officer of Kiteworks. The acquisition will have a major impact on the governance, compliance, and security industries. Customers may manage and regulate critical information that is distributed both internally and internationally using a mix of technologies from two industry leaders in content communications. 

Kiteworks' ability to allow customers to manage risk and meet regulatory requirements throughout their sensitive content communications infrastructure is strengthened by the synergy between the two businesses' product offerings.

Enterprise-ready, end-to-end encryption and automatic conversion across a wide range of encryption protocols are added to the Kiteworks platform by totemo. No other provider can match this set of skills, much alone the associated business benefits like compliance, risk mitigation, and operational efficiency. 

The conclusion is that businesses must do more to safeguard their sensitive data. CIOs, CISOs, and risk and compliance managers are under increasing pressure to secure sensitive data and demonstrate regulatory compliance while reducing friction in employees' day-to-day procedures. It must safeguard content when it is at rest, in transit, and in use. 

It also needs to safeguard content during file transfers and file sharing, within APIs, and on web forms, in addition to email. Totemo's email encryption gateway technology will be integrated into the Kiteworks platform, resulting in the most comprehensive private content communications governance, compliance, and risk protection available in the market.
Read more »
Technology
End To End Encryption Secure Messenger Signal Technology

Signal Foundation owner says Telegram is not as secure as it claims

 Marlinspike stated that the security of the Telegram service is low since the personal data of users is on servers without any protection. According to him, this data includes contacts, media files, and every message that was created in unencrypted form. Allegedly, system administrators and engineers have easy access to this information.

Moxie Marlinspike believes that Telegram uses the dubious security protocol MTProto version 2.0, and end-to-end encryption E2EE does not always work.

The developer of the Telegram messenger, Pavel Durov, gave the founder of Signal an answer that simply shocked. He stated that the service stores all messages and user data in the public domain and does not assign itself the status of "the most secure messenger."

Durov wrote that his company still does not disclose personal data to third parties and third-party organizations. He said that any messenger does not give complete privacy to the user. For example, US companies work closely with the FBI and the NSA. According to the legislation of this country, they allow the introduction of backdoors that can become available to government agencies without notification and a court case.

Pavel noted that the Signal Foundation is sponsored by the CIA government agencies and can provide any data even without an official request.

Indeed, there is an opinion that the Signal Foundation is a project of the CIA, which, through intermediary organizations, organizes financial support and implements its agents.

It should be noted that Signal itself was hacked two years ago. The Israeli company Cellebrite, a developer of spyware, has gained access to the messages and attachments of the messenger. At the moment, the company cooperates with the governments of many countries and can provide access to the service.

Read more »
Subscribe to: Posts (Atom)