How to Encrypt Your Texts, Calls, Emails, and Data - WIRED

Posted: 09 Dec 2017 12:00 AM PST

Cryptography was once the realm of academics, intelligence services, and a few cypherpunk hobbyists who sought to break the monopoly on that science of secrecy. Today, the cypherpunks have won: Encryption is everywhere. It's easier to use than ever before. And no amount of handwringing over its surveillance-flouting powers from an FBI director or attorney general has been able to change that.

Thanks in part to drop-dead simple, increasingly widespread encryption apps like Signal, anyone with a vested interest in keeping their communications away from prying eyes has no shortage of options.

In fact, secure communications are not only attainable but perhaps even the new default, says Matthew Mitchell, the founder of security training organization Crypto Party Harlem and an adviser to the Open Technology Fund. "Security is here to stay. It's now expected that a product just encrypts without you having to do anything," Mitchell says. He describes every unencrypted internet-connected app or web tool as a window without curtains. "Now people are learning there are curtains."

Still, effective encryption doesn't always just happen, especially once you move beyond basic messaging. Here's how to keep snoopers out of every facet of your digital life, whether it's video chat or your PC's hard drive.

Text Messaging

Signal, the smartphone and now-desktop encryption app, has become the darling of the privacy community, for good reason. It's as easy to use as the default messaging app on your phone; it's been open source from the start, and carefully audited and probed by security researchers; and it has received glowing recommendations from Edward Snowden, academic cryptographers, and beyond. Its cryptographic protocol also underpins the encryption offered by WhatsApp and Facebook's Secret Conversations. (Those two services don't, however, offer Signal's assurance that it doesn't log the metadata of who is talking to whom.) The most important note, for encrypted chat newbies: Remember that the person with whom you're messaging has to be on the same service. Signal to Signal provides rock-solid end-to-end encryption; Signal to iMessage, or even to WhatsApp, won't.

There are plenty of other ways to communicate securely. Unlike Signal, messaging apps like Wire, Threema, and Wickr allow you to sign up without tying your account to a phone number, a significant feature for those seeking some level of anonymity in addition to security. And iMessage has also quietly offered end-to-end encryption for years, although without the assurances Signal offers about no logging of metadata, or that messages aren't being intercepted by spoofed contacts. (Signal is designed to warn you when the unique key of your contact changes, so that he or she can't easily be impersonated on the network.)
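The key-change warning described above, as an added illustration that is not code from the original article or from Signal: a trust-on-first-use key store pins a contact's identity key when first seen and refuses to silently accept a different one later, and both parties can compare a fingerprint derived from the two keys. The key bytes are constructed sample values, and the fingerprint scheme is a simplified assumption, not Signal's actual safety-number construction.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample identity keys (hypothetical 32-byte values, not real Signal keys).
BOB_KEY = bytes(range(32, 64))
ALICE_KEY_V1 = bytes(range(32))
ALICE_KEY_V2 = bytes(range(100, 132))  # what a reinstalled or spoofed "Alice" presents


def safety_number(key_a: bytes, key_b: bytes) -> str:
    """Human-comparable fingerprint over both parties' identity keys.

    Simplified assumption: SHA-256 over the two keys in sorted order, reduced to
    60 decimal digits, so either side derives the same string to compare out of
    band. This is not Signal's real safety-number algorithm.
    """
    digest = hashlib.sha256(b"".join(sorted([key_a, key_b]))).digest()
    return str(int.from_bytes(digest, "big") % 10**60).zfill(60)


@dataclass
class KeyStore:
    """Trust-on-first-use: pin a contact's key on first sight, warn on change."""
    own_key: bytes
    pinned: Dict[str, bytes] = field(default_factory=dict)

    def receive(self, contact: str, presented_key: bytes) -> str:
        stored = self.pinned.get(contact)
        if stored is None:
            self.pinned[contact] = presented_key  # first contact: pin it
            return "pinned"
        if stored == presented_key:
            return "ok"
        # Key differs from the pin: a reinstall, or an impersonator on the network.
        # The pin is NOT replaced automatically; the user must re-verify first.
        return "KEY CHANGED"

    def accept_new_key(self, contact: str, presented_key: bytes) -> None:
        """Re-pin only after the new safety number was verified out of band."""
        self.pinned[contact] = presented_key


def demo() -> List[str]:
    """Walk through first contact, a normal message, a key change, and re-verification."""
    store = KeyStore(own_key=BOB_KEY)
    events = [store.receive("alice", ALICE_KEY_V1),
              store.receive("alice", ALICE_KEY_V1),
              store.receive("alice", ALICE_KEY_V2)]
    store.accept_new_key("alice", ALICE_KEY_V2)  # after comparing numbers in person
    events.append(store.receive("alice", ALICE_KEY_V2))
    return events
```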

On the desktop rather than the phone, a few emerging tools offer advantages over Signal too: Keybase, Semaphore, Wire, and Wickr Pro offer some approximation of an encrypted version of the collaboration software Slack, with more collaboration and team-focused features than Signal offers. And desktop instant messaging app Ricochet uses Tor's onion services to allow true peer-to-peer messaging that's anonymized, encrypted, and directly sent to the recipient, with no intermediary server that might log conversations, encrypted or not.

Video and Voice

Have you heard of Signal? Perhaps several times in the earlier paragraphs of this story? Well, it enables encrypted video and voice calls too. WhatsApp again uses Signal's encryption protocols for voice and video, but as with text messages, doesn't promise not to keep logs of conversation metadata. Apple's FaceTime integrates end-to-end encryption by default, but with the same caveats about metadata and, as with iMessage, without Signal's protections against spoofed contacts.

Turn on MFA Before Crooks Do It For You - Krebs on Security

Posted: 19 Jun 2020 12:19 PM PDT

Hundreds of popular websites now offer some form of multi-factor authentication (MFA), which can help users safeguard access to accounts when their password is breached or stolen. But people who don't take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control. Here's the story of one such incident.

As a career chief privacy officer for different organizations, Dennis Dayman has tried to instill in his twin boys the importance of securing their online identities against account takeovers. Both are avid gamers on Microsoft's Xbox platform, and for years their father managed their accounts via his own Microsoft account. But when the boys turned 18, they converted their child accounts to adult, effectively taking themselves out from under their dad's control.

On a recent morning, one of Dayman's sons found he could no longer access his Xbox account. The younger Dayman admitted to his dad that he'd reused his Xbox profile password elsewhere, and that he hadn't enabled multi-factor authentication for the account.

When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account. When they went to turn on multi-factor authentication for his son's Xbox profile — which was tied to a non-Microsoft email address — the Xbox service said it would send a notification of the change to the unauthorized Gmail account in his profile.

Wary of alerting the hackers that they were wise to their intrusion, Dennis tried contacting Microsoft Xbox support, but found he couldn't open a support ticket from a non-Microsoft account. Using his other son's Outlook account, he filed a ticket about the incident with Microsoft.

Dennis soon learned that the unauthorized Gmail address added to his son's hacked Xbox account also had MFA enabled, meaning his son would be unable to reset the account's password without approval from the person in control of the Gmail account.

Luckily for Dayman's son, he hadn't re-used the same password for the email address tied to his Xbox profile. Nevertheless, the thieves began abusing their access to purchase games on Xbox and third-party sites.

"During this period, we started realizing that his bank account was being drawn down through purchases of games from Xbox and [Electronic Arts]," Dayman the elder recalled. "I pulled the recovery codes for his Xbox account out of the safe, but because the hacker came in and turned on multi-factor, those codes were useless to us."

Microsoft support sent Dayman and his son a list of 20 questions to answer about their account, such as the serial number on the Xbox console originally tied to the account when it was created. But despite answering all of those questions successfully, Microsoft refused to let them reset the password, Dayman said.

"They said their policy was not to turn over accounts to someone who couldn't provide the second factor," he said.

Dayman's case was eventually escalated to Tier 3 Support at Microsoft, which was able to walk him through creating a new Microsoft account, enabling MFA on it, and then migrating his son's Xbox profile over to the new account.

Microsoft told KrebsOnSecurity that while users currently are not prompted to enable two-step verification upon sign-up, they always have the option to enable the feature.

"Users are also prompted shortly after account creation to add additional security information if they have not yet done so, which enables the customer to receive security alerts and security promotions when they login to their account," the company said in a written statement. "When we notice an unusual sign-in attempt from a new location or device, we help protect the account by challenging the login and send the user a notification. If a customer's account is ever compromised, we will take the necessary steps to help them recover the account."

Certainly, not enabling MFA when it is offered is far more of a risk for people in the habit of reusing or recycling passwords across multiple sites. But any service to which you entrust sensitive information can get hacked, and enabling multi-factor authentication is a good hedge against having leaked or stolen credentials used to plunder your account.

What's more, a great many online sites and services that do support multi-factor authentication are completely automated and extremely difficult to reach for help when account takeovers occur. This is doubly so if the attackers also can modify and/or remove the original email address associated with the account.

KrebsOnSecurity has long steered readers to the site twofactorauth.org, which details the various MFA options offered by popular websites. Currently, twofactorauth.org lists nearly 900 sites that have some form of MFA available. These range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true "2-factor authentication" or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).

Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
