industryterm:security protocol

  • Why Signal and not Threema ? : signal
    https://www.reddit.com/r/signal/comments/852qor/why_signal_and_not_threema

    Signal is open source, Threema is not, so that disqualifies Threema as a secure app in my opinion. You could as well continue using WhatsApp since it’s also end to end encrypted but closed source. Wire is another great alternative, and it’s German.

    Hackers explain which messenger app is the most secure - Motherboard
    https://motherboard.vice.com/de/article/7xea4z/hacker-erklaren-welche-messenger-app-am-sichersten-ist


    It is in German, but it applies regardless of the language you use for your communication.
    – Secure online communication must go through an open-source app and protocol.
    – You need a system that rules out, or makes very difficult, the collection of metadata by third parties.
    – Your “voice” and “chat” communication system must work with smartphone and desktop clients if you want to keep a conversation thread going regardless of the type of device you have at hand.

    Leaving aside more advanced requirements, Signal is the only one I see that meets all these needs. Beyond that, one can always use several messenger apps to keep up with everyone’s updates, with the exception of the apps from Facebook (WhatsApp), WeChat and Google, because using them constitutes a threat to your privacy simply by being installed on your phone.

    Roland Schilling (33) and Frieder Steinmetz (28) began researching this question, among others, at TU Hamburg six years ago. At a time when nobody had even heard the name Edward Snowden, Schilling and Steinmetz were already poring over the pros and cons of various encryption protocols and messenger apps. Last year, for example, they managed to reconstruct Threema’s encryption through reverse engineering.

    Their research has since become a kind of activism and hobby, the two say: they want to convey to people outside specialist circles how fundamental privacy is in a democracy. In the interview they explain what to look for when choosing a messenger, which app does not necessarily deliver what it promises in terms of security, and why credit institutions are pleased about data-hungry messengers.
    ...
    Roland Schilling: It’s different for me. I simply get people to use the apps that I use too. Those are exclusively Threema, Signal and Wire. When people want to talk to me, it practically always works on one of those three.
    ...
    Frieder: ... Signal and WhatsApp, for instance, rely on the same technical foundation, the Signal protocol, but differ in nuances. Threema has its own, not entirely bad protocol, which, however, does not guarantee ‘Perfect Forward Secrecy’, for example. That technique prevents someone from stealing my secret key from my phone in the future and using it to decrypt all the encrypted communication I have conducted via that phone. Signal and WhatsApp have that.
    ...
    Roland: A good messenger protocol is open source and thereby enables researchers and the public to discover any existing weaknesses and improve the protocol. Unfortunately, the messenger market also has many offerings that withhold their supposed “encryption” from this process and keep it secret, or that do publish the protocol but do not respond to criticism.

    Secure WhatsApp Alternatives – Messenger Comparison
    https://www.boxcryptor.com/en/blog/post/encryption-comparison-secure-messaging-apps

    Threema and Telegram under Control of Russia’s Government ?
    https://medium.com/@vadiman/threema-and-telegram-under-control-of-russias-government-f81f8e28714b

    WhatsApp Exploited by NSA and US Secret Services?
    Vadim An
    Mar 7, 2018
    This is the end of the era of centralized communication!

    The 2017/2018 years are hot and saturated with cybersecurity challenges. Almost every week, a major media source reported hacking incidents or backdoor exploits in popular communication and messaging services. Some of which granted government agents unauthorized access to private and confidential information from within the communications industry.

    According to mass-media reports, one of the most popular Swiss secure messaging apps Threema moved under the control of the Russian government and has been listed in the official registry with a view to controlling user communications.

    This can be seen on regulatory public website https://97-fz.rkn.gov.ru/organizer-dissemination/viewregistry/#searchform

    This knockout news was commented on by Crypviser, an innovative German developer of the most secure instant communication platform based on Blockchain technologies, from the point of view of what it means for millions of Threema users.

    To answer this question, let’s understand the requirements for getting listed in this registry as an “information-dissemination organizer” according to a new Russian federal law, beginning from 01 June 2018.

    The law requires that all companies listed in internet regulator’s registry must store all users’ metadata (“information about the arrival, transmission, delivery, and processing of voice data, written text, images, sounds, or other kinds of action”), along with content of correspondence, voice call records and make it accessible to the Russian authorities. Websites can avoid the hassle of setting aside this information by granting Russian officials unfettered, constant access to their entire data stream.

    This is very bad news for Threema users. Threema officials have reported that they are not aware of any requirements to store, collect, or provide information. Maybe not yet though since there is still some time until 01 June 2018 when the new law kicks in and Threema will be obligated to provide direct access to sensitive user’s data.

    It’s possible that Threema is fully aware of this despite claiming otherwise. They may realize that the most popular messenger in Russia, Telegram, has been under pressure since refusing to officially cooperate with Russian secret services. If Russia takes steps to block Telegram as a result, then Threema would become the next best alternative service. That is assuming they’re willing to violate the security and privacy rights of its users by giving in to the new law’s requirements.

    Based on the reports of Financial Time magazine, the Telegram founder agreed to register their app with Russian censors by the end of June 2017. This, however, is not a big loss for the Telegram community because of the lack of security in Telegram to date. During the last 2 years, its security protocol has been criticized many times and many security issues were found by researchers. Although there is no direct evidence showing that Telegram has already cooperated with the Russian government or other governments, these exploitable bugs and poor security models make Telegram users vulnerable victims to hackers and secret services of different countries.

    The same security benchmark issues have been explored in the biggest communication app WhatsApp. The security model of WhatsApp has been recognized as vulnerable by the most reputed cryptographic experts and researchers worldwide. According to the Guardian, a serious “backdoor” was found in encryption. More specifically, the key exchange algorithm.

    A common security practice in encrypted messaging services involves the generation and storage of a private encryption key offline on the user’s device, and only the public key gets broadcast to other users through the company’s server. In the case of WhatsApp, we have to trust the company that it will not alter the public key exchange mechanism between the sender and receiver to perform a man-in-the-middle attack for snooping on users’ encrypted private communication.

    Tobias Boelter, security researcher from the University of California, has reported that WhatsApp’s end-to-end encryption, based on Signal protocol, has been implemented in a way that if WhatsApp or any hacker intercepts your chats, by exploiting trust-based key exchange mechanism, you will never come to know if any change in encryption key has occurred in the background.

    The Guardian reports, “WhatsApp has implemented a backdoor into the Signal protocol, giving itself the ability to force the generation of new encryption keys for offline users and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered. The recipient is not made aware of this change in encryption.”

    But on the other hand, the developer of Signal messaging app Open Whisper Systems says, ”There is no WhatsApp backdoor”, “it is how cryptography works,” and the MITM attack “is endemic to public key cryptography, not just WhatsApp.”

    It’s worth noting that none of the security experts or the company itself have denied the fact that, if required by the government, WhatsApp can intercept your chats. They do say, however, that WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. A cybersecurity expert and CTO of Crypviser, Vadim Andryan, agrees with this statement.

    “The Man-in-the-Middle attack threat is the biggest and historical challenge of asymmetric cryptography, which is the base of the end-to-end encryption model. It’s hard to say whether this “backdoor” was admitted intentionally or came to the front due to the lack of a reliable public-key authentication model. But it is definitely one of the huge disadvantages of current cryptographic models used for secure instant communication networks, and one of the main advantages of the Crypviser platform.”

    Crypviser has introduced a new era of cryptography based on Blockchain technologies. It utilizes Blockchain to eliminate all threats of Man-in-the-Middle attack and solves the historical public key encryption issue by using decentralized encryption keys, exchanges, and authorization algorithms. The authentication model of Crypviser provides public key distribution and authorization in peer-to-peer or automated mode through Blockchain.

    After commercial launch of Crypviser unified app, ”messenger” for secure social communication will be available on the market in free and premium plans. The free plan in peer-to-peer authentication mode requires user interaction to check security codes for every new chat and call. The full-featured premium plan offers Blockchain based automated encryption model and powerful professional security features on all levels.

    You can see the comparison table of Crypviser with centralized alternatives in the below table

    #internet #communication #sécurité #vie_privée

  • Cambridge Analytica demonstrates that Facebook needs to give researchers more access.
    https://slate.com/technology/2018/03/cambridge-analytica-demonstrates-that-facebook-needs-to-give-researchers-more

    In a 2013 paper, psychologist Michal Kosinski and collaborators from University of Cambridge in the United Kingdom warned that “the predictability of individual attributes from digital records of behavior may have considerable negative implications,” posing a threat to “well-being, freedom, or even life.” This warning followed their striking findings about how accurately the personal attributes of a person (from political leanings to intelligence to sexual orientation) could be inferred from nothing but their Facebook likes. Kosinski and his colleagues had access to this information through the voluntary participation of the Facebook users by offering them the results of a personality quiz, a method that can drive viral engagement. Of course, one person’s warning may be another’s inspiration.

    Kosinski’s original research really was an important scientific finding. The paper has been cited more than 1,000 times and the dataset has spawned many other studies. But the potential uses for it go far beyond academic research. In the past few days, the Guardian and the New York Times have published a number of new stories about Cambridge Analytica, the data mining and analytics firm best known for aiding President Trump’s campaign and the pro-Brexit campaign. This trove of reporting shows how Cambridge Analytica allegedly relied on the psychologist Aleksandr Kogan (who also goes by Aleksandr Spectre), a colleague of the original researchers at Cambridge, to gain access to profiles of around 50 million Facebook users.

    According to the Guardian’s and New York Times’ reporting, the data that was used to build these models came from a rough duplicate of that personality quiz method used legitimately for scientific research. Kogan, a lecturer in another department, reportedly approached Kosinski and their Cambridge colleagues in the Psychometric Centre to discuss commercializing the research. To his credit, Kosinski declined. However, Kogan built an app named thisismydigitallife for his own startup, Global Science Research, which collected the same sorts of data. GSR paid Mechanical Turk workers (contrary to the terms of Mechanical Turk) to take a psychological quiz and provide access to their Facebook profiles. In 2014, under the contract with the parent company of Cambridge Analytica, SCL, that data was harvested and used to build a model of 50 million U.S. Facebook users that included allegedly 5,000 data points on each user.

    So if the Facebook API allowed Kogan access to this data, what did he do wrong? This is where things get murky, but bear with us. It appears that Kogan deceitfully used his dual roles as a researcher and an entrepreneur to move data between an academic context and a commercial context, although the exact method of it is unclear. The Guardian claims that Kogan “had a licence from Facebook to collect profile data, but it was for research purposes only” and “[Kogan’s] permission from Facebook to harvest profiles in large quantities was specifically restricted to academic use.” Transferring the data this way would already be a violation of the terms of Facebook’s API policies that barred use of the data outside of Facebook for commercial uses, but we are unfamiliar with Facebook offering a “license” or special “permission” for researchers to collect greater amounts of data via the API.

    Regardless, it does appear that the amount of data thisismydigitallife was vacuuming up triggered a security review at Facebook and an automatic shutdown of its API access. Relying on Wylie’s narrative, the Guardian claims that Kogan “spoke to an engineer” and resumed access:

    “Facebook could see it was happening,” says Wylie. “Their security protocols were triggered because Kogan’s apps were pulling this enormous amount of data, but apparently Kogan told them it was for academic use. So they were like, ‘Fine’.”

    Kogan claims that he had a close working relationship with Facebook and that it was familiar with his research agendas and tools.

    A great deal of research confirms that most people don’t pay attention to permissions and privacy policies for the apps they download and the services they use—and the notices are often too vague or convoluted to clearly understand anyway. How many Facebook users give third parties access to their profile so that they can get a visualization of the words they use most, or to find out which Star Wars character they are? It isn’t surprising that Kosinski’s original recruitment method—a personality quiz that provided you with a psychological profile of yourself based on a common five-factor model—resulted in more than 50,000 volunteers providing access to their Facebook data. Indeed, Kosinski later co-authored a paper detailing how to use viral marketing techniques to recruit study participants, and he has written about the ethical dynamics of utilizing friend data.

    #Facebook #Cambridge_analytica #Recherche

  • The Catch 22 of Hacktivism - Issue 51: Limits
    http://nautil.us/issue/51/limits/the-catch-22-of-hacktivism

    In the run-up to NATO’s 2011 intervention in Libya, a Dutch radio hacker named Huub (@fmcnl) tweeted to the United States military that one of their F-16 fighter jets was mistakenly broadcasting its identity in the clear due to a misconfigured Mode S transponder. When a second fighter plane made the same mistake later that day, Huub joked that Moammar Gadhafi’s radar installations must be down for the U.S. Air Force to be so cavalier with its security protocols: “Hmmm, second fighter showing his ID, a USAF F-15E from 494FS Lakenheath UK, I presume Gadhafis radar equipment has destroyed :o).” Huub was not working alone; he was part of a network of amateurs who were tracking and narrating the chess match in which NATO planes and Libyan units jockeyed for position before the commencement of (...)

  • Is DNSSEC causing more problems than it solves? • The Register
    http://www.theregister.co.uk/2016/02/23/dnssec_more_problem_than_solution

    The complex security protocol for the domain name system – DNSSEC – has another black mark against it: it is being used as a way to carry out denial-of-service (DDoS) attacks.

    That’s according to a security bulletin [PDF] by Akamai that notes it has “observed and successfully mitigated a large number of DNS reflection and amplification DDoS attacks abusing a Domain Name System Security Extension (DNSSEC) configured domain.”