Digital rights advocates are doubling down on their criticism of a US-based ISP suspected of performing encryption downgrade attacks that caused customers' e-mail to remain in plaintext as it passed over the Internet.
Out of the box, iOS 8 and Android Lollipop (Android L) both have encryption turned on by default. The development has already caused a mild panic in intelligence circles, with the FBI saying it will make cyber investigations much more difficult. On the other hand, encryption from the start will make it easier for enterprise managers to ensure that data on users’ phones is secure, particularly if they use their own phone for business purposes.
...despite the moniker, SSL is sometimes not that secure. One particular and apparently growing problem is with improper SSL validation. That was the focus of the GoTo bug discovered early this year (and since patched) in Apple’s iOS and Mac OS X. The vulnerability opened up users of those systems to so-called man-in-the-middle (MITM) attacks, in which those with a “trusted” certificate can insert themselves into a communication stream between systems and read its contents.
The researchers made the discovery while monitoring YouTube and website banners for instances where malware writers had actually purchased space to foist their wares on unpatched web users.
Google wants Web sites to become more secure and said Wednesday it will do its part by motivating organizations to build stronger encryption for their sites. The company is giving a pretty significant incentive: it will reward those who do so by ranking them higher than sites lacking the added support for Transport Layer Security, also known as HTTPS encryption. Another way to look at it is Google will punish those who lack the extra encryption.
Privacy has become a topic of much debate in the technology industry since Edward Snowden last year leaked documents to the press showing how pervasive the federal government's collection of data on U.S. and foreign citizens is. The government was also conducting a wide-ranging cyber-spying campaign targeting foreign officials and private citizens around the world. Since then, there have been regular reports about how companies analyze Web traffic and email messages to try to discern what people are saying, thinking and buying.
The summer vacation season is underway and for many of us that means lounging on sunny beaches, reading a book under a shade tree or hitting the road for a new adventure. It can also mean identity theft and other crimes if we aren’t careful about our online activities and protecting our information. Cyber crime does not take a summer vacation; we need to remain vigilant. Fortunately, by following some best practices, we can minimize the risk of becoming the next statistic.
The Massachusetts Supreme Judicial Court (MSJC) ruling only applies to the state. Various other courts at the state and federal level have disagreed as to whether being forced to type in a decryption password is a violation of the Fifth Amendment protection against self-incrimination and its state equivalents (such as Article Twelve of the Massachusetts Declaration of Rights).
Securing user information begins with a proper understanding of security controls and the protection of user passwords using modern hashing algorithms. Here's a quick review of the fundamentals.