The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: PGP encryption

Over Dozen Popular Email Clients Found Vulnerable to Signature Spoofing Attacks

Over Dozen Popular Email Clients Found Vulnerable to Signature Spoofing Attacks
April 30, 2019Swati Khandelwal
A team of security researchers has discovered several vulnerabilities in various implementations of OpenPGP and S/MIME email signature verification that could allow attackers to spoof signatures on over a dozen of popular email clients. The affected email clients include Thunderbird, Microsoft Outlook, Apple Mail with GPGTools, iOS Mail, GpgOL, KMail, Evolution, MailMate, Airmail, K-9 Mail, Roundcube and Mailpile. When you send a digitally signed email, it offers end-to-end authenticity and integrity of messages, ensuring recipients that the email has actually come from you. However, researchers tested 25 widely-used email clients for Windows, Linux, macOS, iOS, Android and Web and found that at least 14 of them were vulnerable to multiple types of practical attacks under five below-mentioned categories, making spoofed signatures indistinguishable from a valid one even by an attentive user. The research was conducted by a team of researchers from Ruhr University Bochum and

Here's How eFail Attack Works Against PGP and S/MIME Encrypted Emails

Here's How eFail Attack Works Against PGP and S/MIME Encrypted Emails
May 14, 2018Swati Khandelwal
With a heavy heart, security researchers have early released the details of a set of vulnerabilities discovered in email clients for two widely used email encryption standards—PGP and S/MIME—after someone leaked their paper on the Internet, which was actually scheduled for tomorrow. PGP and S/MIME are popular end-to-end encryption standards used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication. Before explaining how the vulnerability works, it should be noted that the flaw doesn't reside in the email encryption standards itself; instead, it affects a few email clients/plugins that incorrectly implemented the technologies. Dubbed eFail by the researchers, the vulnerabilities, as described in our previous early-warning article , could allow potential attackers to decrypt the content of your end-to-end encrypted emails in plaintext, even for messages sent in the past. According to the paper released

Critical Flaws in PGP and S/MIME Tools Can Reveal Encrypted Emails in Plaintext

Critical Flaws in PGP and S/MIME Tools Can Reveal Encrypted Emails in Plaintext
May 14, 2018Swati Khandelwal
Note— the technical details of the vulnerabilities introduced in this article has now been released, so you should also read our latest article to learn how the eFail attack works and what users can do to prevent themselves. An important warning for people using widely used email encryption tools—PGP and S/MIME—for sensitive communication. A team of European security researchers has released a warning about a set of critical vulnerabilities discovered in PGP and S/Mime encryption tools that could reveal your encrypted emails in plaintext. What's worse? The vulnerabilities also impact encrypted emails you sent in the past. PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication. S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed

Dutch Police Seize Another Company that Sells PGP-Encrypted Blackberry Phones

Dutch Police Seize Another Company that Sells PGP-Encrypted Blackberry Phones
May 11, 2017Swati Khandelwal
The Dutch police arrested four suspects on Tuesday on suspicion of money laundering and involvement in selling custom encrypted BlackBerry and Android smartphones to criminals. The Dutch National High Tech Crime Unit (NHTCU), dedicated team within the Dutch National Police Agency aims to investigate advanced forms of cyber crimes, carried out investigation and found that the phone brand "PGPsafe" was selling customized BlackBerry and Android smartphones with the secure PGP-encrypted network to the "possible criminal end users." PGP (Pretty Good Privacy) is an open source end-to-end encryption standard that can be used to cryptographically sign emails, documents, files, or entire disk partitions in order to protect them from being spied on. Selling custom security-focused encrypted phones does not involve any crime itself, but Dutch police have discovered evidence, which indicates over the years such phones had been sold to organized criminals involved in

How Dutch Police Decrypted BlackBerry PGP Messages For Criminal Investigation

How Dutch Police Decrypted BlackBerry PGP Messages For Criminal Investigation
March 10, 2017Swati Khandelwal
The Dutch police have managed to decrypt a number of PGP-encrypted messages sent by criminals using their custom security-focused PGP BlackBerry phones and identified several criminals in an ongoing investigation. PGP, or Pretty Good Privacy, an open source end-to-end encryption standard that can be used to cryptographically sign emails, files, documents, or entire disk partitions in order to protect them from being spied on. You'll be surprised to know how the police actually decrypted those PGP messages. In April last year, the Dutch Police arrested a 36-year-old man on suspicion of money laundering and involvement in selling customized BlackBerry Phones with the secure PGP-encrypted network to criminals that were involved in organized crimes. At the time, the police also seized a server belonging to Ennetcom, the company owned by Danny Manupassa, which contains data of end-to-end encrypted communications belong to a large number of criminal groups. Later, in Januar

Apple hires Encryption Expert to Beef Up Security on its Devices

Apple hires Encryption Expert to Beef Up Security on its Devices
May 25, 2016Mohit Kumar
The FBI and other law enforcement agencies have waged legal war on encryption and privacy technologies. You may have heard many news stories about the legal battle between Apple and the FBI over unlocking an iPhone that belonged to the San Bernardino shooter. However, that was just one battle in a much larger fight. Now, in an effort to make its iPhone surveillance-and-hack proof, Apple has rehired security expert and cryptographer Jon Callas , who co-founded the widely-used email encryption software PGP and the secure-messaging system Silent Circle that sells the Blackphone. This is not Apple's first effort over its iPhone security . Just a few months back, the company hired Frederic Jacobs , one of the key developers of Signal — World's most secure, open source and encrypted messaging app . Now Apple has rehired Callas, who has previously worked for Apple twice, first from 1995 to 1997 and then from 2009 to 2011. During his second joining, Callas designed a ful

5 Things Google has Done for Gmail Privacy and Security

5 Things Google has Done for Gmail Privacy and Security
March 29, 2016Unknown
Over the past few years, Google has increasingly improved the online security and protections of its Gmail users. Besides two-factor authentication and HTTPS, Google has added new tools and features to Gmail that ensures users security and privacy, preventing cyber criminals and intelligence agencies to hack email accounts . 1. Enhanced State-Sponsored Attack Warnings Apple vs. FBI case urged every company to beef up the security parameters to prevent their services from not just hackers but also the law enforcement. Google for a while now has the capability to identify government-backed hackers , and notify potentially affected Gmail users so they can take action as soon as possible. Google recently announced on its blog post that it will alert Gmail users about the possibility of any state-sponsored attack by showing them a full-page warning with instructions about how to stay safe — very hard to miss or neglect. Meanwhile, the company revealed that ove

The Best Way to Send and Receive End-to-End Encrypted Emails

The Best Way to Send and Receive End-to-End Encrypted Emails
March 18, 2016Swati Khandelwal
How many of you know the fact that your daily e-mails are passaged through a deep espionage filter? This was unknown until the whistleblower Edward Snowden broke all the surveillance secrets, which made privacy and security important for all Internet users than ever before. I often get asked "How to send encrypted email?", "How can I protect my emails from prying eyes?" and "Which is the best encrypted email service?". Although, there are a number of encryption tools that offers encrypted email service to ensure that no one can see what you are sending to someone else. One such tool to send encrypted emails is PGP ( Pretty Good Privacy ), an encryption tool designed to protect users' emails from snooping. However, setting up a PGP Environment for non-tech users is quite a difficult task, so more than 97% of the Internet users, including government officials, are still communicating via unencrypted email services i.e. Gmail, Ya

New Facebook feature Encourages users to use PGP for Encrypted Communications

New Facebook feature Encourages users to use PGP for Encrypted Communications
June 01, 2015Mohit Kumar
In this era of Global surveillance, we all are worried about the privacy of our communication and sensitive data. There is no guarantee that our data is not being snooped on, but there is a solution — PGP (Pretty Good Privacy). PGP (Pretty Good Privacy) is more than 20 years old technology but is yet not widely adopted. PGP is an open source end-to-end encryption standard to encrypt e-mails, protecting you against companies, governments, or criminals spying on your Internet connection. But... ...the tool is too complicated for most of the people to implement and use. However, Facebook is now encouraging its users to use PGP and communicate by sending encrypted emails, adding the popular OpenPGP email encryption standard as an extra layer of security for the cautious. According to the latest announcement , you can now upload your Public PGP key to your Facebook profile so that anyone with your public key can send you encrypted emails. By giving such option to

GnuPG Email Encryption Project Relies on 'Werner Koch', and He is Running Out of Funds

GnuPG Email Encryption Project Relies on 'Werner Koch', and He is Running Out of Funds
February 06, 2015Mohit Kumar
Werner Koch , the man who authored the free email encryption software , is running out of funding to continue the development of his crucial open-source GNU Privacy Guard (GnuPG) encryption tools.The code works on plenty of operating systems from Linux and FreeBSD to Windows and OS X. The popular Gnu Privacy Guard (GnuPG or GPG) email encryption software is the same used by the former United States National Security Agency (NSA) contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement authorities. GPG uses the OpenPGP standard to safeguard the communications of millions of people, including journalists, dissidents and security-minded people, around the world from eavesdroppers and other miscreants. GPG EMAIL ENCRYPTION RELIES ON THIS GUY ONLY Werner Koch has been maintaining and improving the code of his own secure email software since its initial development in 1997, and since then he has worked at very low wages, but is now

Google Releases Chrome Extension for End-To-End Email Encryption

Google Releases Chrome Extension for End-To-End Email Encryption
December 18, 2014Mohit Kumar
Back in june this year, Google announced an alpha Google Chrome extension called " End-to-End " for sending and receiving emails securely, in wake of former NSA contractor Edward Snowden's revelations about the global surveillance conducted by the government law-enforcements. Finally, the company has announced that it made the source code for its End-to-End Chrome extension open source via GitHub . Google is developing a user-friendly tool for individuals to implement the tough encryption standard known as Pretty Good Privacy (PGP) in an attempt to fully encrypt people's Gmail messages that can't even be read by Google itself, nor anyone else other than the users exchanging the emails. PGP is an open source end-to-end encryption standard for almost 20 years, used to encrypt e-mail over the Internet providing cryptographic privacy and authentication for data communication, which makes it very difficult to break. But implementing PGP is too complicated for m

Cryptography Expert Says, 'PGP Encryption is Fundamentally Broken, Time for PGP to Die'

Cryptography Expert Says, 'PGP Encryption is Fundamentally Broken, Time for PGP to Die'
August 19, 2014Wang Wei
A Senior cryptography expert has claimed multiple issues with PGP email encryption - an open source end-to-end encryption  to secure email. Before continuing, I would like to clarify that covering this topic doesn't mean you should stop using PGP encryption , instead we are bringing to you what Security researcher has argued about its fundamental implications.  PGP or Pretty Good Privacy , a program written in 1991, uses symmetric public key cryptography and hashing that allow both Privacy and Security , as well as Authenticity . Privacy and Security ensure users to exchange messages securely and Authenticity proves the origin of those messages. But PGP is a complicated multi-step process, which requires users to keep track of the public keys of other users in order to communicate. Despite clumsiness of the PGP implementation, the popular Internet giants such as Google and Yahoo! have looked forward to integrate it into their popular email services. A respected research profes

End-to-End Encryption for Yahoo Mail Coming Next Year

End-to-End Encryption for Yahoo Mail Coming Next Year
August 08, 2014Swati Khandelwal
Today at Black Hat 2014 hacking conference, Yahoo! Chief Information Security Officer Alex Stamos announced that the company will start giving its consumers the option of end-to-end encryption in its Mail service by next year. Google showed off a PGP-based encryption plugin for Gmail back in June. The Purple-hued company will offer encryption via a modified version of the same End-to-End browser plug-in that Google uses for PGP in Gmail, Alex Stamos told the audience at his talk titled Building Safe Systems at Scale - Lessons from Six Months at Yahoo. The PGP plugin will be native in mobile apps allowing Gmail and Yahoo mail to easily exchange encrypted email. Infact, the email providers themselves won't be able to decrypt messages exchanged between its users. Only senders and recipients will be able to read the messages. In short, it means that Yahoo email users can reportedly send safe and secure messages between Yahoo users and also Gmail adherents without fear, wh

Google offers Chrome Extension for End-To-End Gmail Encryption

Google offers Chrome Extension for End-To-End Gmail Encryption
June 04, 2014Swati Khandelwal
Everything we do online, whether chatting on phone, talking via video or audio, sending messages on phones or emails are being watched by Governments and Intelligence agencies. However, many Internet giants offer encrypted environment in an effort to protect our online data from prying eyes, but still those companies can read our data stored into their servers. But, there is a great news for Gmail users. On Tuesday, Google has announced two major privacy enhancements in its Gmail and this new push for its email service will even protect our data and communication from Google itself. With the ongoing concerns about privacy and the pervasiveness of email communications, Google already provides encryption for its Gmail called Transit encryption (HTTPS). In which only the transmission of emails sending or receiving is protected by the transit encryption but not the content of the email. Few Months back, Google itself admitted that their automated systems read our email c

Google Working On End-to-End Encryption for Gmail Service

Google Working On End-to-End Encryption for Gmail Service
April 22, 2014Swati Khandelwal
Constant password breaches and Snowden revelations about Government Surveillance have raised many questions that why don't cloud and email Services encrypt the data stored on their server?  Revelations forced the popular Internet Giants such as Google and Yahoo to contemplate on the privacy and security issues and in response companies started enhancing their encryption standard by enabling HTTPS by default and removed the option to turn it off. A few days back, Google admitted that their automated systems read your content, including incoming and outgoing emails to provide you personally relevant advertisements. That means Internet giants generally do encrypt your data, but they have the key so they can decrypt it any time they want. Encryption is mandatory in Modern Internet and web services should consider Encrypting and decrypting your data locally, so that no one can snoop on. Such cryptographic mechanism is called End-to-End Encryption , that means content of yo

PGP Inventor announced encrypted PrivatOS based #BLACKPHONE against NSA surveillance

PGP Inventor announced encrypted PrivatOS based #BLACKPHONE against NSA surveillance
January 16, 2014Swati Khandelwal
Mobile security may not be secure as you think. In September we have reported that the National Security Agency has the ability to access data on iOS, Android and even BlackBerry devices. Everyday a new revelation of NSA Surveillance Program makes Security and Privacy a major concern for all of us. Today we feel the need of highly secured Networks and Encrypted Devices to safeguard our privacy from Cyber Criminals as well as Government. Phil Zimmerman , Inventor of the email encryption tool PGP and Silent Circle's Co-founder (company specializes in mobile privacy and peer-to-peer encryption ) has announced ' BLACKPHONE ', a Smartphone that's been designed to enable secure, encrypted communications, private browsing and secure file-sharing. The company will launch BLACKPHONE in the ' Mobile World Congress ', Spain next month, offers ' PrivatOS ', an Android based operating system which will allow users to make and receive secure phone calls, exchange secure te
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.