end-to-end encryption | Breaking Cybersecurity News | The Hacker News

European Police Chiefs said that the complementary partnership between law enforcement agencies and the technology industry is at risk due to end-to-end encryption (E2EE). They called on the industry and governments to take urgent action to ensure public safety across social media platforms. "Privacy measures currently being rolled out, such as end-to-end encryption, will stop tech companies from seeing any offending that occurs on their platforms," Europol  said . "It will also stop law enforcement's ability to obtain and use this evidence in investigations to prevent and prosecute the most serious crimes such as child sexual abuse, human trafficking, drug smuggling, homicides, economic crime, and terrorism offenses." The idea that E2EE protections could stymie law enforcement is often referred to as the  "going dark" problem , triggering concerns it could create  new obstacles  to gather evidence of nefarious activity. The development comes ag

A sophisticated phishing-as-a-service (PhaaS) platform called  Darcula  has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale. "Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great effect to target USPS along with postal services and other established organizations in 100+ countries," Netcraft  said . Darcula has been employed in several high-profile phishing attacks over the last year, wherein the smishing messages are sent to both Android and iOS users in the U.K., in addition to those that leverage package delivery lures by impersonating legitimate services like USPS. A Chinese-language PhaaS, Darcula is  advertised on Telegram  and offers support for  about 200 templates  impersonating legitimate brands that customers can avail for a monthly fee to set up phishin

The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

The U.S. Department of Justice (DoJ), along with 16 other state and district attorneys general, on Thursday  accused  Apple of illegally maintaining a monopoly over smartphones, thereby undermining, among other things, the security and privacy of users when messaging non-iPhone users. "Apple wraps itself in a cloak of privacy, security, and consumer preferences to justify its anticompetitive conduct," the landmark antitrust lawsuit  said . "Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple's financial and business interests." "Apple selectively compromises privacy and security interests when doing so is in Apple's own financial interest – such as degrading the security of text messages, offering governments and certain companies the chance to access more private and secure versions of app stores, or accepting billions of dollars each year for choosing Google as its default search engin

Meta has offered details on how it intends to implement interoperability in WhatsApp and Messenger with third-party messaging services as the Digital Markets Act (DMA) went into effect in the European Union. "This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp – both designated by the European Commission (EC) as being required to independently provide interoperability to third-party messaging services," Meta's Dick Brouwer  said . DMA, which officially  became enforceable  on March 7, 2024, requires companies in gatekeeper positions – Apple, Alphabet, Meta, Amazon, Microsoft, and ByteDance – to meet certain obligations as part of the European Commission's efforts to clamp down on anti-competitive practices from tech players, level the playing field, as well as compel them to open some of their services to competitors. As part of its efforts to comply with the lan

Apple has announced a new post-quantum cryptographic protocol called  PQ3  that it said will be integrated into iMessage to secure the messaging platform against future attacks arising from the threat of a practical quantum computer. "With compromise-resilient encryption and extensive defenses against even highly sophisticated quantum attacks, PQ3 is the first messaging protocol to reach what we call Level 3 security — providing protocol protections that surpass those in all other widely deployed messaging apps," Apple  said . The iPhone maker described the protocol as "groundbreaking," "state-of-the-art," and as having the "strongest security properties" of any cryptographic convention deployed at scale. PQ3 is the latest security guardrail erected by Apple in iMessage after it switched from  RSA  to Elliptic Curve cryptography ( ECC ), and by protecting encryption keys on devices with the Secure Enclave in 2019. While the current algorith

End-to-end encrypted (E2EE) messaging app Signal said it's piloting a new feature that allows users to create unique usernames (not to be confused with profile names) and keep the phone numbers away from prying eyes. "If you use Signal, your phone number will no longer be visible to everyone you chat with by default," Signal's Randall Sarafa  said . "People who have your number saved in their phone's contacts will still see your phone number since they already know it." Setting a new username requires account holders to provide two or more numbers at the end of it (e.g., axolotl.99) in an effort to keep them "egalitarian and minimize spoofing." Usernames can be changed any number of times, but it's worth noting that they are not logins or handles. Put differently, a username is an anonymous way to initiate conversations on the chat platform without having to share phone numbers. The feature is opt-in, although Signal said it's also taking steps to hide by default users' phone numb

Meta has officially begun to  roll out  support for end-to-end encryption (E2EE) in Messenger for personal calls and one-to-one personal messages by default in what it called the "most significant milestone yet." "This isn't a routine security update: we rebuilt the app from the ground up, in close consultation with privacy and safety experts," Loredana Crisan, vice president of Messenger at Meta,  said  in a post shared on X (formerly Twitter). CEO Mark Zuckerberg, who announced a "privacy-focused vision for social networking" back in 2019,  said  the update comes "after years of work" redesigning the platform. It's worth noting that E2EE for group messaging in Messenger is still in the testing phase. Encrypted chats were first introduced as an opt-in feature called "secret conversations" in Messenger in 2016. Meta's Instagram also has  support for E2EE  for messages and calls but it's "only available in some

Meta-owned WhatsApp is officially rolling out a  new privacy feature  in its messaging service called "Protect IP Address in Calls" that masks users' IP addresses to other parties by relaying the calls through its servers. "Calls are end-to-end encrypted, so even if a call is relayed through WhatsApp servers, WhatsApp cannot listen to your calls," the company said in a statement shared with The Hacker News. The core idea is to make it harder for bad actors in the call to infer a user's location by securely relaying the connection through WhatsApp servers. However, a tradeoff to enabling the privacy option is a slight dip in call quality. Viewed in that light, it's akin to Apple's  iCloud Private Relay , which adds an anonymity layer by  routing users' Safari browsing sessions  through two secure internet relays. It's worth noting that the "Protect IP Address in Calls" feature has been under development since at least late Augu

Meta has once again reaffirmed its plans to roll out support for end-to-end encryption ( E2EE ) by default for one-to-one friends and family chats on Messenger by the end of the year. As part of that effort, the social media giant said it's upgrading "millions more people's chats" effective August 22, 2023, exactly seven months after it  started gradually expanding the feature  to more users in January 2023. The changes are part of CEO Mark Zuckerberg's "privacy-focused vision for social networking" that was announced in 2019, although it has since encountered significant technical challenges, causing it to  delay its plans  by a year. "Like many messaging services, Messenger and Instagram DMs were originally designed to function via servers," Timothy Buck, product manager for Messenger,  said . "Meta's servers act as the gateway between the message sender and receiver, what we call the clients." However, the addition of an

Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet. The search giant said it's introducing a second user setting to turn off support, at the model level, for  null-ciphered cellular connections . "The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic," Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle  said . "Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE)." 2G networks, in particular, employ weak encryption and lack mutual authentication,  rendering  them  susceptible  to over-the-air interception and traffic decryption attacks by impersonating a real 2G tower. The  threat posed by rogue cellular base stations  means th

Google has announced that it intends to add support for Message Layer Security ( MLS ) to its Messages service for Android and open source an implementation of the specification. "Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform," Giles Hogben, privacy engineering director at Google,  said . "This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms." The development comes as the Internet Engineering Task Force (IETF)  released  the core specification of the Messaging Layer Security (MLS) protocol as a Request for Comments ( RFC 9420 ). Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing f

Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies. The development, first  reported  by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming legislative changes to the  Investigatory Powers Act  ( IPA ) 2016 in a manner that would effectively render encryption protections ineffective. Specifically, the  Online Safety Bill  requires companies to install technology to scan for child sex exploitation and abuse (CSEA) material and terrorism content in encrypted messaging apps and other services. It also mandates that messaging services clear security features with the Home Office before releasing them and take immediate action to disable them if required without informing the public. While the fact does not explicitly call out for the r

Twitter is officially beginning to roll out support for  encrypted direct messages (DMs)  on the platform, more than five months after its chief executive Elon Musk  confirmed  plans for the feature in November 2022. The "Phase 1" of the initiative will appear as separate conversations alongside existing direct messages on users' inboxes. Encrypted chats carry a lock icon badge to visually differentiate them. That said, the opt-in feature is currently limited to verified users or affiliates to a verified organization. It's also essential both the sender and recipient are on the latest versions of the Twitter apps across Android, iOS, and desktop web. Another criteria to send and receive encrypted messages is that the recipient must follow the sender, has sent a message to the sender in the past, or has accepted a direct message request from the sender at some point. While Twitter did not disclose the exact method it uses to secure the conversations, the company s

A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users' private keys. The seven attacks span three different threat models,  according  to ETH Zurich researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong Truong, who reported the issues to Threema on October 3, 2022. The weaknesses have since been addressed as part of  updates  released by the company on November 29, 2022. Threema is an encrypted messaging app that's used by more than 11 million users as of October 2022. "Security and privacy are deeply ingrained in Threema's DNA," the company  claims  on its website. Officially used by the Swiss Government and the Swiss Army, it's also advertised as a secure alternative alongside other services such as Signal, Meta-owned WhatsApp, and Telegram. While Threema has been sub

Google on Friday announced that its client-side encryption for Gmail is in beta for Workspace and education customers as part of its efforts to secure emails sent using the web version of the platform. The development comes at a time when concerns about online privacy and data security are at an all-time high, making it a welcome change for users who value the protection of their personal data. To that end, Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can apply to sign up for the beta until January 20, 2023. It's not available to personal Google Accounts. "Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers," the company  said  in a post. "Customers retain control over encryption keys and the identity service to access those keys." It is important to know that the latest safeguards offered by Gmail is different from end-to-end encryption.

Apple on Wednesday  announced  a raft of security measures, including an Advanced Data Protection setting that enables end-to-end encrypted (E2EE) data backups in its iCloud service. The headlining feature, when turned on, is expected to secure 23 data categories using E2EE, including device and message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts, and Wallet Passes. The iPhone maker said the only major iCloud data categories that are still not protected by E2EE are Mail, Contacts, and Calendar because of the "need to interoperate with the global email, contacts, and calendar systems" that use legacy technologies. Advanced Data Protection's E2EE protections for iCloud also mean that users' personal data can only be decrypted on their trusted devices, which retain the encryption keys. "If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help

Twitter chief executive Elon Musk confirmed plans for end-to-end encryption ( E2EE ) for direct messages on the platform. The  feature  is part of Musk's vision for Twitter 2.0, which is expected to be what's called an "everything app." Other functionalities include longform tweets and payments, according to a slide deck shared by Musk over the weekend. The company's plans for encrypted messages first came to light in mid-November 2022, when mobile researcher Jane Manchun Wong  spotted  source code changes in Twitter's Android app referencing conversation keys for E2EE chats. It's worth noting that various other messaging platforms, such as Signal, Threema, WhatsApp, iMessage, Wire, Tox, and Keybase, already support encryption for messages. Google, which previously turned on E2EE for  one-to-one chats  in its RCS-based Messages app for Android, is currently piloting the same option for group chats. Facebook, likewise, began  enabling E2EE  on Messeng

Popular end-to-end encrypted messaging service Signal on Monday disclosed the cyberattack aimed at Twilio earlier this month may have exposed the phone numbers of roughly 1,900 users. "For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal," the company  said . "All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected." Signal, which uses Twilio to send SMS verification codes to users registering with the app, said it's in the process of alerting the affected users directly and prompting them to re-register the service on their devices. The development comes less than a week after Twilio  revealed  that data associated with about 125 customer accounts were accessed by malicious actors through a phishing attack that duped the comp