
The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: email encryption

BitDam Study Exposes High Miss Rates of Leading Email Security Systems

January 21, 2020 | The Hacker News
Imagine receiving an email from US VP Mike Pence's official email account asking for help because he has been stranded in the Philippines. Actually, you don't have to. This actually happened. Pence's email was hacked when he was still the governor of Indiana, and his account was used to attempt to defraud several people. How did this happen? Is it similar to how the DNC server was hacked? Email hacking is one of the most widespread cyber threats at present. It is estimated that around 8 out of 10 people who use the internet have received some form of phishing attack through their emails. Additionally, according to Avanan's 2019 Global Phish Report, 1 in 99 emails is a phishing attack. BitDam is aware of how critical emails are in modern communication. BitDam published a new study on the email threat detection weaknesses of the leading players in email security, and the findings command attention. The research team discovered how Microsoft's Office365

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

October 15, 2018 | Swati Khandelwal
In an effort to secure users' data while maintaining privacy, Google has announced a new security measure for Android Backup Service that now encrypts all your backup data stored on its cloud servers in a way that even the company can't read it. Google allows Android users to automatically back up their essential app data and settings to their Google account, allowing them to simply restore it when required, instead of re-configuring all the apps after formatting or switching to a new phone. However, until now your backup data was not encrypted and was visible to Google, and now the company is going to change its storage procedure. Starting with Android Pie, Google is going to encrypt your Android device backup data in the following way: Step 1: Your Android device will generate a random secret key (not known to Google), Step 2: The secret key will then get encrypted using your lockscreen PIN/pattern/passcode (not known to Google), Step 3: This passcode-protected

GnuPG Flaw in Encryption Tools Lets Attackers Spoof Anyone's Signature

June 15, 2018 | Swati Khandelwal
A security researcher has discovered a critical vulnerability in some of the world's most popular and widely used email encryption clients that use the OpenPGP standard and rely on GnuPG for encrypting and digitally signing messages. The disclosure comes almost a month after researchers revealed a series of flaws, dubbed eFail, in PGP and S/MIME encryption tools that could allow attackers to reveal encrypted emails in plaintext, affecting a variety of email programs, including Thunderbird, Apple Mail, and Outlook. Software developer Marcus Brinkmann discovered that an input sanitization vulnerability, which he dubbed SigSpoof, makes it possible for attackers to fake digital signatures with someone's public key or key ID, without requiring any of the private or public keys involved. The vulnerability, tracked as CVE-2018-12020, affects popular email applications including GnuPG, Enigmail, GPGTools and python-gnupg, and has now been patched in their latest available so

Here's How eFail Attack Works Against PGP and S/MIME Encrypted Emails

May 14, 2018 | Swati Khandelwal
With a heavy heart, security researchers have released early the details of a set of vulnerabilities discovered in email clients for two widely used email encryption standards—PGP and S/MIME—after someone leaked their paper on the Internet, which was actually scheduled for tomorrow. PGP and S/MIME are popular end-to-end encryption standards used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication. Before explaining how the vulnerability works, it should be noted that the flaw doesn't reside in the email encryption standards themselves; instead, it affects a few email clients/plugins that incorrectly implemented the technologies. Dubbed eFail by the researchers, the vulnerabilities, as described in our previous early-warning article, could allow potential attackers to decrypt the content of your end-to-end encrypted emails in plaintext, even for messages sent in the past. According to the paper released

Critical Flaws in PGP and S/MIME Tools Can Reveal Encrypted Emails in Plaintext

May 14, 2018 | Swati Khandelwal
Note—the technical details of the vulnerabilities introduced in this article have now been released, so you should also read our latest article to learn how the eFail attack works and what users can do to protect themselves. An important warning for people using widely used email encryption tools—PGP and S/MIME—for sensitive communication. A team of European security researchers has released a warning about a set of critical vulnerabilities discovered in PGP and S/MIME encryption tools that could reveal your encrypted emails in plaintext. What's worse? The vulnerabilities also impact encrypted emails you sent in the past. PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication. S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed

Microsoft Office 365 Gets Built-in Ransomware Protection and Enhanced Security Features

April 06, 2018 | Mohit Kumar
Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars. Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and business networks worldwide. From small to mid-range businesses, Microsoft Office 365 remains the most widely used and fastest-growing work office suite, so it's no surprise that it has become a primary target for viruses, ransomware, and phishing scams. In fact, most strains of ransomware target Microsoft productivity apps such as Word and Excel and encrypt sensitive data to hold the company hostage until the ransom is paid. Now, to combat such cyber attacks, Microsoft has announced some new security features for Office 365 that can help users mitigate the damage done by ransomware a

Serious Crypto-Flaw Lets Hackers Recover Private RSA Keys Used in Billions of Devices

October 17, 2017 | Swati Khandelwal
If you think the KRACK attack for WiFi is the worst vulnerability of this year, then hold on… we have got another one for you, which is even worse. Microsoft, Google, Lenovo, HP and Fujitsu are warning their customers of a potentially serious vulnerability in a widely used RSA cryptographic library produced by German semiconductor manufacturer Infineon Technologies. It's noteworthy that this crypto-related vulnerability (CVE-2017-15361) doesn't affect elliptic-curve cryptography and the encryption standard itself; rather, it resides in the implementation of RSA key pair generation by Infineon's Trusted Platform Module (TPM). Infineon's Trusted Platform Module (TPM) is a widely-used, dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and is used for secured crypto processes. This 5-year-old algorithmic vulnerability was discovered by security researchers at Masaryk University in the Czech Republic, who have relea

Cryptography Expert Says, 'PGP Encryption is Fundamentally Broken, Time for PGP to Die'

August 19, 2014 | Wang Wei
A senior cryptography expert has claimed multiple issues with PGP email encryption, an open source end-to-end encryption to secure email. Before continuing, I would like to clarify that covering this topic doesn't mean you should stop using PGP encryption; instead, we are bringing to you what the security researcher has argued about its fundamental implications. PGP, or Pretty Good Privacy, a program written in 1991, uses symmetric public key cryptography and hashing that allow both Privacy and Security, as well as Authenticity. Privacy and Security ensure users can exchange messages securely, and Authenticity proves the origin of those messages. But PGP is a complicated multi-step process, which requires users to keep track of the public keys of other users in order to communicate. Despite the clumsiness of the PGP implementation, popular Internet giants such as Google and Yahoo! have looked forward to integrating it into their popular email services. A respected research profes

End-to-End Encryption for Yahoo Mail Coming Next Year

August 08, 2014 | Swati Khandelwal
Today at the Black Hat 2014 hacking conference, Yahoo! Chief Information Security Officer Alex Stamos announced that the company will start giving its consumers the option of end-to-end encryption in its Mail service by next year. Google showed off a PGP-based encryption plugin for Gmail back in June. The Purple-hued company will offer encryption via a modified version of the same End-to-End browser plug-in that Google uses for PGP in Gmail, Alex Stamos told the audience at his talk titled Building Safe Systems at Scale - Lessons from Six Months at Yahoo. The PGP plugin will be native in mobile apps, allowing Gmail and Yahoo mail to easily exchange encrypted email. In fact, the email providers themselves won't be able to decrypt messages exchanged between their users. Only senders and recipients will be able to read the messages. In short, it means that Yahoo email users can reportedly send safe and secure messages between Yahoo users and also Gmail adherents without fear, wh

PayPal Freezes $275,000 Campaign Funds of Secure-Email Startup 'ProtonMail'

July 01, 2014 | Swati Khandelwal
ProtonMail, an end-to-end encrypted email service developed by MIT, Harvard and CERN researchers, had already received over $275,000 from a crowdfunding campaign to its PayPal account and was excited to launch its beta version, but just before that PayPal froze the account without any warning. "At this time, it is not possible for ProtonMail to receive or send funds through PayPal," ProtonMail co-founder Andy Yen announced this morning. "No attempt was made by PayPal to contact us before freezing our account, and no notice was given." ProtonMail is a new super-secure email service that encrypts the data on the browser before it communicates with the server; this means only encrypted data is stored on the email service's servers. GO HOME PAYPAL, YOU ARE DRUNK: The ProtonMail service is based in Switzerland, so it won't have to comply with American courts' demands to provide user data. But a representative from the American payment service, PayPal

ProtonMail: 'NSA-Proof' End-to-End Encrypted Email Service

May 26, 2014 | Swati Khandelwal
The Edward Snowden revelations triggered a large-scale movement worldwide towards deploying encryption across the Internet for secure services, which is something government agencies like the NSA and GCHQ have targeted repeatedly, as exemplified by the abrupt shutdown of Lavabit, a Texas-based encrypted email service. In response, a group of young developers at the European Organization for Nuclear Research (CERN) has launched a new email service which offers end-to-end encryption and secure communications that could put an end to government snooping and will keep our personal data away from prying eyes. PROTONMAIL - AN END-TO-END ENCRYPTED EMAIL: This new encrypted email service, called ProtonMail, is a super-secure email service created in collaboration with scientists from Harvard, the Massachusetts Institute of Technology and the European research lab CERN. ProtonMail offers a user-friendly experience with full "end-to-end" encryption. It encrypts the data on the browser

Apple iOS 7 Updates Silently Remove Encryption for Email Attachments

May 01, 2014 | Mohit Kumar
There is no question that mobile devices have become a staple in everyday living around the world. But have you ever asked yourself how secure Android, iPhone or any other smart devices are? It is really important for us to think about the security and privacy of our data stored in smartphones. In June 2010, Apple introduced the 'Data protection' feature in iOS 4.0 devices that offers hardware encryption for all the data stored on the devices. "Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications," Apple claimed in an old announcement. But unexpectedly, in the last few updates Apple has silently removed the email attachment encryption from data protection mechanisms. Security researcher Andreas Kurtz noticed this and claims that since at least version 7.0.4 and including the current

Google Working On End-to-End Encryption for Gmail Service

April 22, 2014 | Swati Khandelwal
Constant password breaches and the Snowden revelations about government surveillance have raised many questions about why cloud and email services don't encrypt the data stored on their servers. The revelations forced popular Internet giants such as Google and Yahoo to contemplate privacy and security issues, and in response the companies started enhancing their encryption standards by enabling HTTPS by default and removing the option to turn it off. A few days back, Google admitted that their automated systems read your content, including incoming and outgoing emails, to provide you personally relevant advertisements. That means Internet giants generally do encrypt your data, but they have the key so they can decrypt it any time they want. Encryption is mandatory in the modern Internet, and web services should consider encrypting and decrypting your data locally, so that no one can snoop on it. Such a cryptographic mechanism is called end-to-end encryption, which means the content of yo

Back off, NSA! Gmail now Encrypts every single Email

March 21, 2014 | Wang Wei
2014 - The Year for Encryption! Good news for security and privacy seekers: Gmail is now more secure than ever before. Google has announced that it has enhanced encryption for its Gmail email service to protect users from government cyber-spying by removing the option to turn off HTTPS. So from today, Gmail will always use an encrypted HTTPS connection by default when you check or send email. Furthermore, Google also assured that every single email message will now be encrypted as it moves internally between the company's data centers. "Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers—no matter if you're using public WiFi or logging in from your computer, phone or tablet," Nicolas Lidzborski, Gmail Security Engineering Lead, said in a blog post. It was previously disclosed by Edward Snowden that the National Security Agency (NSA) is intercepting email messages as they

Twitter enables StartTLS for Secure Emails to prevent Snooping

March 14, 2014 | Wang Wei
Twitter is taking users' privacy and security very seriously, and in an effort to prevent government snooping, the company has secured your Twitter emails with TLS (Transport Layer Security). Twitter emails were previously using a plain text communication protocol, which has now been upgraded to an encrypted (TLS or SSL) connection using STARTTLS. In a blog post, Twitter announced: "Since mid-January, we have been protecting your emails from Twitter using TLS in the form of StartTLS. StartTLS encrypts emails as they transit between sender and receiver and is designed to prevent snooping. It also ensures that emails you receive from Twitter haven't been read by other parties on the way to your inbox if your email provider supports TLS." "These email security protocols are part of our commitment to continuous improvement in privacy protections and complement improvements like our securing of web traffic with forward secrecy and always-on HTT

What Is PGP Encryption And How To Encrypt Your Emails

January 08, 2014 | Anonymous
We now have enough details about the NSA's surveillance program, which has been running for a long time against almost every country on this planet. Hundreds of top-secret NSA documents provided by whistleblower Edward Snowden have already exposed that spying projects like PRISM and MUSCULAR are tapping directly into Google and Yahoo internal networks to access our emails. The NSA's tactics are even capable of defeating SSL encryption, so unsecured email can easily be monitored and even altered as it travels through the Internet. One major point all of us worry about is the privacy of our communication with each other, and if you're looking for a little personal privacy in your communications you will need to encrypt your messages. To avoid privacy breaches, or rather, I should say, to make it more difficult for the NSA or British GCHQ surveillance programs to read our communication, we should use PGP encryption (Pretty Good Privacy). Why we should Encrypt ou