Posts

Apple dumps SSL 3.0 for push notifications due to Poodle flaw

From the Cnet.com article

Apple will switch to the TLS encryption standard after disclosure of vulnerability that could expose encrypted data.

Apple said Wednesday it will stop supporting the encryption standard Secure Sockets Layer 3.0 for its push notifications service in response to a vulnerability identified earlier this month in the aging protocol.

Apple announced on its developer site that it will switch on October 29 from SSL 3.0 to Transport Layer Security (TLS), SSL’s more modern, less vulnerable younger sibling. Disclosed earlier this month, the vulnerability — called Poodle — allows encrypted information to be exposed by an attacker with network access.

“Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected,” Apple said in its bulletin. “Providers that support both TLS and SSL 3.0 will not be affected and require no changes.”

To help developers test compatibility, Apple said it has already disabled SSL 3.0 in the development environment on its Provider Communication interface.

Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption (PDF), is a problem because it’s used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.

Once the most advanced form of Web encryption in use, the 15-year-old SSL 3.0 is used by few websites anymore, according to a study by the University of Michigan. However, Poodle still poses a threat because attackers can force browsers to downgrade to SSL 3.0.

Twitter already notified its users that it has disabled SSL 3.0 support, while Mozilla advised Firefox users to install a Mozilla security add-on that disables SSL 3.0. Along with Google and Mozilla, the University of Michigan researchers detailed how to disable SSL 3.0 for Internet Explorer.

Mozilla plans to disable SSL 3.0 in Firefox 34, the next version of the open-source browser. It’s currently in beta testing, with a release planned for the end of November. Mozilla has been testing the change in its Aurora version of Firefox, the precursor to the beta version, and so far, “There has been much less screaming about this than I anticipated,” said Mozilla’s Martin Thomson on Wednesday, discussing the change on Mozilla’s bug-tracker. Complaints would come from people who couldn’t use Web sites that required SSL 3.0.

CNET News staff writer Stephen Shankland contributed to this report.

 

 


FBI director demands access to private cell phone data

From the cnet.com article ‘FBI director demands access to private cell phone data’

To stop terrorists and other criminals, cell phones should have encryption backdoors to enable US government surveillance, argues FBI Director James Comey.

Cell phone encryption will prevent the federal government from stopping terrorists and child molesters unless the government is given special access, Federal Bureau of Investigation Director James Comey told a Washington, DC, think tank on Thursday.

Comey, who noted that “both real-time communication and stored data are increasingly encrypted,” said that the trend by service providers to encrypt their customer data could prevent the government from lawfully pursuing criminals.

“Justice may be denied, because of a locked phone or an encrypted hard drive,” Comey said in his prepared remarks at the Brookings Institute. He explained that while Communications Assistance for Law Enforcement Act (CALEA) from 1994 mandated that telephone companies build wiretapping backdoors into their equipment, no such law forces new communication companies to do the same.

However, he didn’t mention that CALEA was expanded from its original mandate to include broadband Internet and Voice over Internet Protocol (VoIP) systems like Skype in 2004.

Comey called out the default encryption in Apple’s iOS 8, and the optional Android encryption that will become the default for that operating system when Android 5.0 Lollipop is released next month, as blocking law enforcement from fully gathering evidence against suspects. He said that the solution was for tech firms to build “front-doors” on consumer cell phones and smartphones.

“We aren’t seeking a back-door approach,” Comey said, referring to a common term for encryption that has been intentionally weakened. “We want to use the front door, with clarity and transparency, and with clear guidance provided by law,” including court orders, he said.

The spying scandal that kicked off when former National Security Agency contractor Edward Snowden leaked classified surveillance documents has seen tech titans including Apple, Google, Yahoo, Microsoft and Facebook scramble to build tougher encryption into their products. Google’s Eric Schmidt warned that the spying will “break the Internet.”

The current fight over how to secure customer data isn’t the first time that tech firms and the US government have gone to war over encryption. In the 1990s, the “crypto wars” saw tech companies and industry advocates force the US government to repeal laws that deemed cryptography a weapon.

While evoking imagery of children at play and innocents exonerated of false accusations thanks to FBI investigations unencumbered by encryption, Comey derided concerns by the tech community that weakening encryption made devices more susceptible to cyber-criminal attacks.

He acknowledged that “adversaries will exploit any vulnerability they find,” but that those exploits introduced by a backdoor could be mitigated by “developing intercept solutions during the design phase,” he said.

Cryptography expert and University of Pennsylvania professor Matt Blaze disagreed with that assumption. Comey’s speech, he said on Twitter, “didn’t merely dismiss or minimize the technical risks of back doors, it completely ignored them.”

Christopher Soghoian, the American Civil Liberties Union’s principal technologist on its Speech, Privacy and Technology Project, said that Comey’s insistence on weakening encryption opens the data to “foreign governments and criminals,” he said, “whether you call it a ‘front door’ or a ‘back door.'”

Soghoian noted in a blog post from 2010 that CALEA explicitly protects the right of a telecommunications company to build encryption to which only the customer possesses the cryptographic keys.

Comey’s speech appears to want to change that. The FBI didn’t return a request for comment.

Google declined to comment specifically on Comey’s statements, but reiterated its support for encryption. “People previously used safes and combination locks to keep their information secure — now they use encryption. It’s why we have worked hard to provide this added security for our users,” a Google spokesperson said.

Apple didn’t respond to a request for comment.


Yahoo and Google Working Together on Unified Encrypted Email For 2015

In light of the recent Mega Hack pulled off by Russian Cyber groups, it only seems intelligent for encryption to become more prevalent, and look who’s leading the way for email security: Google, no big shock there, and Yahoo! (insert collective gasp), and they’re working together. If you’re feeling dizzy from the news at this point, be sure to place your head between your knees and take deep breaths, because it’s really happening.

From Gizmodo.com’s Jamie Condliffe:

“Google has been working towards offering end-to-end encryption for Gmail. But now, it’s teaming up with Yahoo to make both webmail services encrypted in such a way that they both work together.

Yahoo has been a little slower to the encryption party than Google. But yesterday Alex Stamos, Yahoo’s chief information officer, announced at the Black Hat security conference in Las Vegas that Yahoo Mail will be encrypted end-to-end by some time in 2015. Not just that, it’ll be done in such a way as to make it compatible with Gmail’s, too.

Yahoo’s encryption, then, will mean that all email sent between the two services will be fully encrypted, end-to-end. Given that more than 425 million people use Gmail, and Yahoo Mail usage estimated at 273 million, that’s a lot of extra security.

When two such large organizations join forces on something like this, you know it’s important, and Yahoo has “the hope is that this is open and will be adopted by many others in the email ecosystem.” Which sounds like a great idea; let’s hope end-to-end soon becomes the norm. [WSJ, CNET]”

CTP Locker

CTP-LOCKER: The Hits Keep Coming

Yet another ransomware virus is out, called CTP-Locker. It is sold on the Deep Web as a turnkey business, available for purchase for a paltry $3000 USD. CTP works like other ransomware: it encrypts all of your data on both internal and external hard drives, including mapped network drives. Unlike the crypto family of virus/malware that “deletes” the key after its 72-hour timer expires, CTP instead doubles the ransom to punish its victims for not paying immediately. As of this article, the recommended cost to decrypt data is .5 bitcoins or $320 USD.

Currently CTP is only impacting the world of Windows, but Android may be next on the target list, as we have seen previous ransomware make its way to handheld devices. It would seem that this is only the beginning of the Android user community’s headaches.

Unfortunately, CTP-Locker is very new and there aren’t a lot of reports on how it spreads. From what analysts can tell, there isn’t just one way it attacks your PC, so user beware. As we have said in previous posts, always have a backup of your data and NEVER PAY THE RANSOM!

More in-depth information about CTP is available HERE

 


Ransomware aims at Android

Simplocker, the Cryptolocker of Android Devices

So encrypting ransomware continues its march; this time it’s going after Android with the Simplocker virus. Like its Windows PC counterpart, Simplocker encrypts all of the images, documents and audio files that exist on your phone’s SD card. Luckily, as of right now it only appears to be attacking Android users in the Ukraine, but it may not be long before it touches down on American shores.

As school is letting out, you may see an increase in the number of unsolicited fake “Microsoft” support phone calls, Moneypack Viruses circulating, or Ransomware on the rise. We often see this because now is the time when your computer is most vulnerable to the uninhibited clicking of little Johnny or Suzie’s web browsing. You may feel overwhelmed but rest assured that should you find yourself in a bind Computer Medics is here to help.

For a more in-depth discussion about Simplocker, check here