Page 3«..2345..1020..»

Warning Signs About Another Giant Bitcoin Exchange

In the latest blow, on Tuesday, an alternative virtual currency that is owned and operated by the same people as Bitfinex, known as Tether, announced that it had been hacked and lost around $30 million worth of digital tokens.

None of that has been enough to stop customers from pumping billions of dollars worth of virtual currency trades through Bitfinex in recent weeks on some days, the exchange claimed to be doing more trades, by dollar value, than some stock exchanges in the United States.

Even many people who believe in virtual currencies worry that the mixture of loose controls and booming trading at the worlds largest exchange is likely to cause trouble for all the investors piling into virtual currencies, even those who dont go near Bitfinex.

Im worried about the systemic risk that this centralized company poses, and Im worried that if they go down, they will take down the space with them, said Emin Gn Sirer, an associate professor of computer science at Cornell University, who has a track record of successfully predicting problems in the growing virtual currency industry.

The chief executive of Bitfinex and Tether, Jan Ludovicus van der Velde, said in an email on Tuesday that the financial position of the company has never been stronger.

Concerns over virtual currency exchanges are nothing new. The first and largest Bitcoin exchange, Mt. Gox, collapsed in 2014 after losing $500 million of customer money to hackers.

This year, law enforcement took down another large Bitcoin exchange, BTC-E, which was accused of being a way station for many of the Bitcoin flowing through online black markets and ransomware attacks.

Regulators in the United States and a few other countries have tried to tame the business, and the largest exchanges in the United States and Japan are now under official oversight.

Those regulated exchanges, though, are dwarfed by unregulated ones like Bitfinex and several that have popped up in South Korea, where regulators have been slow to act.

The liquid nature of the Bitcoin markets, flowing around national borders and laws, is a product of the virtual currencys unusual structure. Bitcoin is stored and moved through a decentralized network of computers that are not under the control of any single company or government.

This structure means that the virtual currency continues to be an easy target for people who want to manipulate its price or use it to launder money.

Unregulated, unregistered exchanges are a very big concern for the industry and the community broadly, said Kathryn Haun, a former federal prosecutor who is on the board of the American virtual currency company Coinbase.

The most frequent face of Bitfinex is its chief strategy officer, Phil Potter. Mr. Potter worked for Morgan Stanley in New York in the 1990s but lost his job after bragging at length in The New York Times about his $3,500 Rolex, his opulent lifestyle and his aggressive tactics for making money.

Mr. Potter, 45, runs Bitfinex alongside Mr. Van der Velde, a Dutch-speaking man living in Hong Kong, and Giancarlo Devasini, an Italian man who lives on the French Riviera, according to company filings in Hong Kong.

The company lost 1,500 Bitcoin, worth around $400,000, to a hacker in 2015. But the most damaging incident happened in August 2016 when a thief got almost 120,000 Bitcoin, worth around $75 million at the time.

The company spread out the losses to all customers even those who were not holding Bitcoin at the time of the hacking by forcing customers to take a 36 percent haircut or loss on any money at the exchange.

The lack of detail that Bitfinex provided about the hacking drove away some large customers like Arthur Hayes, the founder of Bitmex, a Hong Kong-based virtual currency exchange.

There are so many questions about them, Mr. Hayes said. All of this could be easily rectified by just showing all the figures.

Mr. van der Velde said the company had been as public and transparent as possible about the security incident in August 2016 given the ongoing criminal investigations.

Banks have also been put off by Bitfinexs operations. Wells Fargo said this year that it would no longer move money from Bitfinex accounts. Shortly after, Bitfinex said its main banks in Taiwan were shutting it off. Since then, it has moved between a series of banks in other countries, without telling customers where the exchanges money is stored.

But nothing has drawn more criticism than the operation of Tether, a virtual currency that is supposed to be tied or tethered to the value of a dollar.

Customers can buy Tether coins on Bitfinex and then transfer them to other virtual currency exchanges, providing a way to move dollars between countries without going through banks. Tether has also become a very popular way to buy Bitcoin. In recent weeks, a few hundred millions dollars worth of Tether has changed hands on a daily basis across several exchanges, according to data on CoinMarketCap.com.

Tether and Bitfinex have insisted that the two operations are separate. But leaked documents known as the Paradise Papers, which were made public this month, show that Appleby, an offshore law firm, helped Mr. Potter and Mr. Devasini, the Bitfinex operators, set up Tether in the British Virgin Islands in late 2014.

One persistent online critic, going by the screen name Bitfinexed, has written several very detailed essays on Medium arguing that Bitfinex appears to be creating Tether coins out of thin air and then using them to buy Bitcoin and push the price up.

Tether and Bitfinex have countered this criticism in statements on the companies websites and promised that every Tether is backed up by a dollar sitting in a bank account. In September, the companies provided an accounting document intended to prove that Tether is financed with real money.

Lewis Cohen, a lawyer at the law firm Hogan Lovells who advises many virtual currency projects, said the document, because of the careful way it was phrased, did not prove that the Tether coins are backed by dollars.

Even if they are, he said, Tether and Bitfinex appear to be violating laws in the United States and Europe that govern investments like Tether, which has qualities very similar to a money market mutual fund.

There are a long list of reasons that you dont want to deal with them, Mr. Cohen said of Tether.

On Tuesday, Tether announced that an external attacker had taken $30 million worth of Tether from the companys online wallets. The company said it was working to recover the coins.

Read more from the original source:
Warning Signs About Another Giant Bitcoin Exchange

Read More..

BitLocker Drive Encryption Overview – technet.microsoft.com

BitLocker Drive Encryption is a data protection feature available Windows Server2008R2 and in some editions of Windows7. Having BitLocker integrated with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer’s hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

BitLocker can use a TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted drive accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.

BitLocker helps ensure the integrity of the startup process by taking the following actions:

To use BitLocker, a computer must satisfy certain requirements:

BitLocker is installed automatically as part of the operating system installation. However, BitLocker is not enabled until it is turned on by using the BitLocker setup wizard, which can be accessed from either the Control Panel or by right-clicking the drive in Windows Explorer.

At any time after installation and initial operating system setup, the system administrator can use the BitLocker setup wizard to initialize BitLocker. There are two steps in the initialization process:

When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the BitLocker-protected drive.

For detailed information about configuring and deploying BitLocker, see the Windows BitLocker Drive Encryption Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=140225).

BitLocker can use an enterprise’s existing Active Directory Domain Services (ADDS) infrastructure to remotely store recovery keys. BitLocker provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker also has a recovery console integrated into the early boot process to enable the user or helpdesk personnel to regain access to a locked computer.

For more information about writing scripts for BitLocker, see Win32_EncryptableVolume (http://go.microsoft.com/fwlink/?LinkId=85983).

Many personal computers today are reused by people other than the computer’s initial owner or user. In enterprise scenarios, computers may be redeployed to other departments, or they might be recycled as part of a standard computer hardware refresh cycle.

On unencrypted drives, data may remain readable even after the drive has been formatted. Enterprises often make use of multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.

BitLocker can help create a simple, cost-effective decommissioning process. By leaving data encrypted by BitLocker and then removing the keys, an enterprise can permanently reduce the risk of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys because this would require cracking 128-bit or 256-bit AES encryption.

BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password are not kept secret.

The TPM-only authentication mode is easiest to deploy, manage, and use. It might also be more appropriate for computers that are unattended or must restart while unattended. However, the TPM-only mode offers the least amount of data protection. If parts of your organization have data that is considered highly sensitive on mobile computers, consider deploying BitLocker with multifactor authentication on those computers.

For more information about BitLocker security considerations, see Data Encryption Toolkit for Mobile PCs (http://go.microsoft.com/fwlink/?LinkId=85982).

For servers in a shared or potentially non-secure environment, such as a branch office location, BitLocker can be used to encrypt the operating system drive and additional data drives on the same server.

By default, BitLocker is not installed with Windows Server2008R2. Add BitLocker from the Windows Server2008R2 Server Manager page. You must restart after installing BitLocker on a server. Using WMI, you can enable BitLocker remotely.

BitLocker is supported on Extensible Firmware Interface (EFI) servers that use a 64-bit processor architecture.

After the drive has been encrypted and protected with BitLocker, local and domain administrators can use the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel to change the password to unlock the drive, remove the password from the drive, add a smart card to unlock the drive, save or print the recovery key again, automatically unlock the drive, duplicate keys, and reset the PIN.

An administrator may want to temporarily disable BitLocker in certain scenarios, such as:

These scenarios are collectively referred to as the computer upgrade scenario. BitLocker can be enabled or disabled through the BitLocker Drive Encryption item in Control Panel.

The following steps are necessary to upgrade a BitLocker-protected computer:

Forcing BitLocker into disabled mode will keep the drive encrypted, but the drive master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is enabled again, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the drive master key is keyed and encrypted again.

Moving the encrypted drive (that is, the physical disk) to another BitLocker-protected computer does not require any additional steps because the key protecting the drive master key is stored unencrypted on the disk.

For detailed information about disabling BitLocker, see Windows BitLocker Drive Encryption Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=140225).

A number of scenarios can trigger a recovery process, for example:

An administrator can also trigger recovery as an access control mechanism (for example, during computer redeployment). An administrator may decide to lock an encrypted drive and require that users obtain BitLocker recovery information to unlock the drive.

Using Group Policy, an IT administrator can choose which recovery methods to require, deny, or make optional for users who enable BitLocker. The recovery password can be stored in ADDS, and the administrator can make this option mandatory, prohibited, or optional for each user of the computer. Additionally, the recovery data can be stored on a USB flash drive.

The recovery password is a 48-digit, randomly generated number that can be created during BitLocker setup. If the computer enters recovery mode, the user will be prompted to type this password by using the function keys (F0 through F9). The recovery password can be managed and copied after BitLocker is enabled. Using the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel, the recovery password can be printed or saved to a file for future use.

A domain administrator can configure Group Policy to generate recovery passwords automatically and back them up to ADDS as soon as BitLocker is enabled. The domain administrator can also choose to prevent BitLocker from encrypting a drive unless the computer is connected to the network and ADDS backup of the recovery password is successful.

The recovery key can be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.

Read the original here:
BitLocker Drive Encryption Overview – technet.microsoft.com

Read More..

The Encrypting File System – technet.microsoft.com

By Roberta Bragg

An Overview of the Encrypting File SystemWhat EFS IsBasic How-tosPlanning for and Recovering Encrypted Files: Recovery PolicyHow EFS WorksKey Differences Between EFS on Windows 2000, Windows XP, and Windows Server 2003Misuse and Abuse of EFS and How to Avoid Data Loss or ExposureRemote Storage of Encrypted Files Using SMB File Shares and WebDAVBest Practices for SOHO and Small BusinessesEnterprise How-tosTroubleshootingRadical EFS: Using EFS to Encrypt Databases and Using EFS with Other Microsoft ProductsDisaster RecoveryOverviews and Larger ArticlesSummary

The Encrypting File System (EFS) is a component of the NTFS file system on Windows 2000, Windows XP Professional, and Windows Server 2003. (Windows XP Home doesn’t include EFS.) EFS enables transparent encryption and decryption of files by using advanced, standard cryptographic algorithms. Any individual or program that doesn’t possess the appropriate cryptographic key cannot read the encrypted data. Encrypted files can be protected even from those who gain physical possession of the computer that the files reside on. Even persons who are authorized to access the computer and its file system cannot view the data. While other defensive strategies should be used, and encryption isn’t the correct countermeasure for every threat, encryption is a powerful addition to any defensive strategy. EFS is the built-in file encryption tool for Windows file systems.

However, every defensive weapon, if used incorrectly, carries the potential for harm. EFS must be understood, implemented appropriately, and managed effectively to ensure that your experience, the experience of those to whom you provide support, and the data you wish to protect aren’t harmed. This document will

Provide an overview and pointers to resources on EFS.

Point to implementation strategies and best practices.

Name the dangers and counsel mitigation and prevention from harm.

Many online and published resources on EFS exist. The major sources of information are the Microsoft resource kits, product documentation, white papers, and Knowledge Base articles. This paper provides a brief overview of major EFS issues. Wherever possible, it doesn’t rework existing documentation; rather, it provides links to the best resources. In short, it maps the list of desired knowledge and instruction to the actual documents where they can be found. In addition, the paper catalogs the key elements of large documents so that you’ll be able to find the information you need without having to work your way through hundreds of pages of information each time you have a new question.

The paper discusses the following key EFS knowledge areas:

What EFS is

Basic how-tos, such as how to encrypt and decrypt files, recover encrypted files, archive keys, manage certificates, and back up files, and how to disable EFS

How EFS works and EFS architecture and algorithms

Key differences between EFS on Windows 2000, Windows XP, and Windows Server 2003

Misuse and abuse of EFS and how to avoid data loss or exposure

Remote storage of encrypted files using SMB file shares and WebDAV

Best practices for SOHO and small businesses

Enterprise how-tos: how to implement data recovery strategies with PKI and how to implement key recovery with PKI

Troubleshooting

Radical EFS: using EFS to encrypt databases and using EFS with other Microsoft products

Disaster recovery

Where to download EFS-specific tools

Using EFS requires only a few simple bits of knowledge. However, using EFS without knowledge of best practices and without understanding recovery processes can give you a mistaken sense of security, as your files might not be encrypted when you think they are, or you might enable unauthorized access by having a weak password or having made the password available to others. It might also result in a loss of data, if proper recovery steps aren’t taken. Therefore, before using EFS you should read the information links in the section “Misuse and Abuse of EFS and How to Avoid Data Loss or Exposure.” The knowledge in this section warns you where lack of proper recovery operations or misunderstanding can cause your data to be unnecessarily exposed. To implement a secure and recoverable EFS policy, you should have a more comprehensive understanding of EFS.

You can use EFS to encrypt files stored in the file system of Windows 2000, Windows XP Professional, and Windows Server 2003 computers. EFS isn’t designed to protect data while it’s transferred from one system to another. EFS uses symmetric (one key is used to encrypt the files) and asymmetric (two keys are used to protect the encryption key) cryptography. An excellent primer on cryptography is available in the Windows 2000 Resource Kit as is an introduction to Certificate Services. Understanding both of these topics will assist you in understanding EFS.

A solid overview of EFS and a comprehensive collection of information on EFS in Windows 2000 are published in the Distributed Systems Guide of the Windows 2000 Server Resource Kit. This information, most of which resides in Chapter 15 of that guide, is published online at http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspx. (On this site’s page, use the TOC to go to the Distributed Systems Guide, Distributed Security, Encrypting File System.)

There are differences between EFS in Windows 2000, Windows XP Professional, and Windows Server 2003. The Windows XP Professional Resource Kit explains the differences between Windows 2000 and Windows XP Professionals implementation of EFS, and the document “Encrypting File System in Windows XP and Windows Server 2003” (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx) details Windows XP and Windows Server 2003 modifications. The section below, “Key Differences between EFS on Windows 2000, Windows XP, and Windows Server 2003,” summarizes these differences.

The following are important basic facts about EFS:

EFS encryption doesn’t occur at the application level but rather at the file-system level; therefore, the encryption and decryption process is transparent to the user and to the application. If a folder is marked for encryption, every file created in or moved to the folder will be encrypted. Applications don’t have to understand EFS or manage EFS-encrypted files any differently than unencrypted files. If a user attempts to open a file and possesses the key to do so, the file opens without additional effort on the user’s part. If the user doesn’t possess the key, they receive an “Access denied” error message.

File encryption uses a symmetric key, which is then itself encrypted with the public key of a public key encryption pair. The related private key must be available in order for the file to be decrypted. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, then the file may be recoverable. If key archival has been implemented, then the key may be recovered, and the file decrypted. If not, the file may be lost. EFS is an excellent file encryption systemthere is no “back door.”

File encryption keys can be archived (e.g. exported to a floppy disk) and kept in a safe place to ensure recovery should keys become damaged.

EFS keys are protected by the user’s password. Any user who can obtain the user ID and password can log on as that user and decrypt that user’s files. Therefore, a strong password policy as well as strong user education must be a component of each organization’s security practices to ensure the protection of EFS-encrypted files.

EFS-encrypted files don’t remain encrypted during transport if saved to or opened from a folder on a remote server. The file is decrypted, traverses the network in plaintext, and, if saved to a folder on the local drive that’s marked for encryption, is encrypted locally. EFS-encrypted files can remain encrypted while traversing the network if they’re being saved to a Web folder using WebDAV. This method of remote storage isn’t available for Windows 2000.

EFS uses FIPS 140-evaluated Microsoft Cryptographic Service Providers (CSPcomponents which contain encryption algorithms for Microsoft products).

EFS functionality is straightforward, and you can find step-by-step instructions in many documents online. Links to specific articles for each possible EFS function, as well as some documents which summarize multiple functionality, follow. If the document is a Knowledge Base article, the Knowledge Base number appears in parentheses after the article title.

Encrypting and Decrypting

The process of encrypting and decrypting files is very straightforward, but its important to decide what to encrypt and to note differences in EFS based on the operating system.

Sharing Encrypted Files

The GUI for sharing encrypted files is available only in Windows XP and Windows Server 2003.

A recovery policy can be an organization’s security policy instituted to plan for proper recovery of encrypted files. It’s also the policy enforced by Local Security Policy Public Key Policy or Group Policy Public Key Policy. In the latter, the recovery policy specifies how encrypted files may be recovered should the user private key be damaged or lost and the encrypted file unharmed. Recovery certificate(s) are specified in the policy. Recovery can be either data recovery (Windows 2000, Windows XP Professional, and Windows Server 2003) or key recovery (Windows Server 2003 with Certificate Services). Windows 2000 EFS requires the presence of a recovery agent (no recovery agent, no file encryption), but Windows XP and Windows Server 2003 don’t. By default, Windows 2000 and Windows Server 2003 have default recovery agents assigned. Windows XP Professional doesn’t.

The data recovery process is simple. The user account bound to the recovery agent certificate is used to decrypt the file. The file should then be delivered in a secure manner to the file owner, who may then encrypt the file. Recovery via automatically archived keys is available only with Windows Server 2003 Certificate Services. Additional configuration beyond the installation of Certificate Services is required. In either case, it’s most important that a written policy and procedures for recovery are in place. These procedures, if well written and if followed, can ensure that recovery keys and agents are available for use and that recovery is securely carried out. Keep in mind that there are two definitions for “recovery policy.” The first definition refers to a written recovery policy and procedures that describe the who, what, where, and when of recovery, as well as what steps should be taken to ensure recovery components are available. The second definition, which is often referred to in the documents below, is the Public Key Policy that’s part of the Local Security Policy on stand-alone systems, or Group Policy in a domain. It can specify which certificates are used for recovery, as well as other aspects of Public Key Policies in the domain. You can find more information in the following documents:

Disabling or Preventing Encryption

You may decide that you don’t wish users to have the ability to encrypt files. By default, they do. You may decide that specific folders shouldn’t contain encrypted files. You may also decide to disable EFS until you can implement a sound EFS policy and train users in proper procedures. There are different ways of disabling EFS depending on the operating system and the desired effect:

System folders cannot be marked for encryption. EFS keys aren’t available during the boot process; thus, if system files were encrypted, the system file couldn’t boot. To prevent other folders being marked for encryption, you can mark them as system folders. If this isn’t possible, then a method to prevent encryption within a folder is defined in “Encrypting File System.”

NT 4.0 doesn’t have the ability to use EFS. If you need to disable EFS for Windows 2000 computers joined to a Windows NT 4.0 domain, see “Need to Turn Off EFS on a Windows 2000-Based Computer in Windows NT 4.0-Based Domain” (288579). The registry key mentioned can also be used to disable EFS in Window XP Professional and Windows Server 2003.

Disabling EFS for Windows XP Professional can also be done by clearing the checkbox for the property page of the Local Security Policy Public Key Policy. EFS can be disabled in XP and Windows Server 2003 computers joined in a Windows Server 2003 domain by clearing the checkbox for the property pages of the domain or organizational unit (OU) Group Policy Public Key Policy.

“HOW TO: Disable/Enable EFS on a Stand-Alone Windows 2000-Based Computer” (243035) details how to save the recovery agent’s certificate and keys when disabling EFS so that you can enable EFS at a future date.

“HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain” (222022) provides the best instruction set and clearly defines the difference between deleted domain policy (an OU-based policy or Local Security Policy can exist) versus Initialize Empty Policy (no Windows 2000 EFS encryption is possible throughout the domain).

Special Operations

Let enough people look at anything, and you’ll find there are questions that are just not answered by existing documentation or options. A number of these issues, third-party considerations, and post introduction issues can be resolved by reviewing the following articles.

Specifications for the use of a third-party Certification Authority (CA) can be found at “Third-Party Certification Authority Support for Encrypting File System” (273856). If you wish to use third-party CA certificates for EFS, you should also investigate certificate revocation processing. Windows 2000 EFS certificates aren’t checked for revocation. Windows XP and Windows Server 2003 EFS certificates are checked for revocation in some cases, and third-party certificates may be rejected. Information about certificate revocation handling in EFS can be found in the white paper “Encrypting File System in Windows XP and Windows Server 2003”.

When an existing plaintext file is marked for encryption, it’s first copied to a temporary file. When the process is complete, the temporary file is marked for deletion, which means portions of the original file may remain on the disk and could potentially be accessible via a disk editor. These bits of data, referred to as data shreds or remanence, may be permanently removed by using a revised version of the cipher.exe tool. The tool is part of Service Pack 3 (SP3) for Windows 2000 and is included in Windows Server 2003. Instructions for using the tool, along with the location of a downloadable version, can be found in “HOW TO: Use Cipher.exe to Overwrite Deleted Data in Windows” (315672) and in “Cipher.exe Security Tool for the Encrypting File System” (298009).

How to make encrypted files display in green in Windows Explorer is explained in “HOW TO: Identify Encrypted Files in Windows XP” (320166).

“How to Enable the Encryption Command on the Shortcut Menu” (241121) provides a registry key to modify for this purpose.

You may wish to protect printer spool files or hard copies of encrypted files while they’re printing. Encryption is transparent to the printing process. If you have the right (possess the key) to decrypt the file and a method exists for printing files, the file will print. However, two issues should concern you. First, if the file is sensitive enough to encrypt, how will you protect the printed copy? Second, the spool file resides in the system32SpoolPrinters folder. How can you protect it while its there? You could encrypt that folder, but that would slow printing enormously. The Windows 2000 Resource Kit proposes a separate printer for the printing of these files and how to best secure that printer in the Distributed Systems, Distributed Security, Encrypting Files System, Printing EFS Files section.

To understand EFS, and therefore anticipate problems, envision potential attacks, and troubleshoot and protect EFS-encrypted files, you should understand the architecture of EFS and the basic encryption, decryption, and recovery algorithms. Much of this information is in the Windows 2000 Resource Kit Distributed Systems Guide, the Windows XP Professional Resource Kit, and the white paper, “Encrypting File System in Windows XP and Windows Server 2003.” Many of the algorithms are also described in product documentation. The examples that follow are from the Windows XP Professional Resource Kit:

A straightforward discussion of the components of EFS, including the EFS service, EFS driver, and the File System Run Time Library, is found in “Components of EFS,” a subsection of Chapter 17, “Encrypting File System” in the Windows XP Professional Resource Kit.

A description of the encryption, decryption, and recovery algorithms EFS uses is in the Resource Kit section “How Files Are Encrypted.” This section includes a discussion of the file encryption keys (FEKs) and file Data Recovery Fields and Data Decryption Fields used to hold FEKs encrypted by user and recovery agent public keys.

“Working with Encryption” includes how-to steps that define the effect of decisions made about changing the encryption properties of folders. The table defines what happens for each file (present, added later, or copied to the folder) for the choice “This folder only” or the option “This folder, subfolders and files.”

“Remote EFS Operations on File Shares and Web Folders” defines what happens to encrypted files and how to enable remote storage.

EFS was introduced in Windows 2000. However, there are differences when compared with Windows XP Professional EFS and Windows Server 2003 EFS, including the following:

You can authorize additional users to access encrypted files (see the section “Sharing Encrypted Files”, above). In Windows 2000, you can implement a programmatic solution for the sharing of encrypted files; however, no interface is available. Windows XP and Windows Server 2003 have this interface.

Offline files can be encrypted. See “HOW TO: Encrypt Offline Files to Secure Data in Windows XP.”

Data recovery agents are recommended but optional. XP doesn’t automatically include a default recovery agent. XP will take advantage of an existing Windows 2000 domain-level recovery agent if one is present, but the lack of a domain recovery agent wont prevent encryption of files on an XP system. A self-signed recovery agent certificate can be requested by using the cipher /R:filename command, where filename is the name that will be used to create a *.cer file to hold the certificate and a *.pfx file to hold the certificate and private key.

The Triple DES (3DES) encryption algorithm can be used to replace Data Encryption Standard X (DESX), and after XP SP1, Advanced Encryption Standard (AES) becomes the default encryption algorithm for EFS.

For Windows XP and Windows Server 2003 local accounts, a password reset disk can be used to safely reset a user’s password. (Domain passwords cannot be reset using the disk.) If an administrator uses the “reset password” option from the user’s account in the Computer Management console users container, EFS files won’t be accessible. If users change the password back to the previous password, they can regain access to encrypted files. To create a password reset disk and for instructions about how to use a password reset disk, see product documentation and/or the article “HOW TO: Create and Use a Password Reset Disk for a Computer That Is Not a Domain Member in Windows XP” (305478).

Encrypted files can be stored in Web folders. The Windows XP Professional Resource Kit section “Remote EFS Operations in a Web Folder Environment” explains how.

Windows Server 2003 incorporates the changes introduced in Windows XP Professional and adds the following:

A default domain Public Key recovery policy is created, and a recovery agent certificate is issued to the Administrator account.

Certificate Services include the ability for customization of certificate templates and key archival. With appropriate configuration, archival of user EFS keys can be instituted and recovery of EFS-encrypted files can be accomplished by recovering the user’s encryption keys instead of decrypting via a file recovery agent. A walk-through providing a step-by-step configuration of Certificate Services for key archival is available in “Certificate Services Example Implementation: Key Archival and Recovery.”

Windows Server 2003 enables users to back up their EFS key(s) directly from the command line and from the details property page by clicking a “Backup Keys” button.

Unauthorized persons may attempt to obtain the information encrypted by EFS. Sensitive data may also be inadvertently exposed. Two possible causes of data loss or exposure are misuse (improper use of EFS) or abuse (attacks mounted against EFS-encrypted files or systems where EFS-encrypted files exist).

Inadvertent Problems Due to Misuse

Several issues can cause problems when using EFS. First, when improperly used, sensitive files may be inadvertently exposed. In many cases this is due to improper or weak security policies and a failure to understand EFS. The problem is made all the worse because users think their data is secure and thus may not follow usual precautionary methods. This can occur in several scenarios:

If, for example, users copy encrypted files to FAT volumes, the files will be decrypted and thus no longer protected. Because the user has the right to decrypt files that they encrypted, the file is decrypted and stored in plaintext on the FAT volume. Windows 2000 gives no warning when this happens, but Windows XP and Windows Server 2003 do provide a warning.

If users provide others with their passwords, these people can log on using these credentials and decrypt the user’s encrypted files. (Once a user has successfully logged on, they can decrypt any files the user account has the right to decrypt.)

If the recovery agent’s private key isn’t archived and removed from the recovery agent profile, any user who knows the recovery agent credentials can log on and transparently decrypt any encrypted files.

By far, the most frequent problem with EFS occurs when EFS encryption keys and/or recovery keys aren’t archived. If keys aren’t backed up, they cannot be replaced when lost. If keys cannot be used or replaced, data can be lost. If Windows is reinstalled (perhaps as the result of a disk crash) the keys are destroyed. If a user’s profile is damaged, then keys are destroyed. In these, or in any other cases in which keys are damaged or lost and backup keys are unavailable, then encrypted files cannot be decrypted. The encryption keys are bound to the user account, and a new iteration of the operating system means new user accounts. A new user profile means new user keys. If keys are archived, or exported, they can be imported to a new account. If a revocation agent for the files exists, then that account can be used to recover the files. However, in many cases in which keys are destroyed, both user and revocation keys are absent and there is no backup, resulting in lost data.

Additionally, many other smaller things may render encrypted files unusable or expose some sensitive data, such as the following:

Finally, keeping data secure takes more than simply encrypting files. A systems-wide approach to security is necessary. You can find several articles that address best practices for systems security on the TechNet Best Practices page at http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec2/secentbb.mspx. The articles include

Attacks and Countermeasures: Additional Protection Mechanisms for Encrypted Files

Any user of encrypted files should recognize potential weaknesses and avenues of attack. Just as its not enough to lock the front door of a house without considering back doors and windows as avenues for a burglar, encrypting files alone isn’t enough to ensure confidentiality.

Use defense in depth and use file permissions. The use of EFS doesn’t obviate the need to use file permissions to limit access to files. File permissions should be used in addition to EFS. If users have obtained encryption keys, they can import them to their account and decrypt files. However, if the user accounts are denied access to the file, the users will be foiled in their attempts to gain this sensitive information.

Use file permissions to deny delete. Encrypted files can be deleted. If attackers cannot decrypt the file, they may choose to simply delete it. While they don’t have the sensitive information, you don’t have your file.

Protect user credentials. If an attacker can discover the identity and password of a user who can decrypt a file, the attacker can log on as that user and view the files. Protecting these credentials is paramount. A strong password policy, user training on devising strong passwords, and best practices on protecting these credentials will assist in preventing this type of attack. An excellent best practices approach to password policy can be found in the Windows Server 2003 product documentation. If account passwords are compromised, anyone can log on using the user ID and password. Once user have successfully logged on, they can decrypt any files the user account has the right to decrypt. The best defense is a strong password policy, user education, and the use of sound security practices.

Protect recovery agent credentials. Similarly, if an attacker can log on as a recovery agent, and the recovery agent private key hasn’t been removed, the attacker can read the files. Best practices dictate the removal of the recovery agent keys, the restriction of this account’s usage to recovery work only, and the careful protection of credentials, among other recovery policies. The sections about recovery and best practices detail these steps.

Seek out and manage areas where plaintext copies of the encrypted files or parts of the encrypted files may exist. If attackers have possession of, or access to, the computer on which encrypted files reside, they may be able to recover sensitive data from these areas, including the following:

Data shreds (remanence) that exist after encrypting a previously unencrypted file (see the “Special Operations” section of this paper for information about using cipher.exe to remove them)

The paging file (see “Increasing Security for Open Encrypted Files,” an article in the Windows XP Professional Resource Kit, for instructions and additional information about how to clear the paging file on shutdown)

Hibernation files (see “Increasing Security for Open Encrypted Files” at http://technet.microsoft.com/library/bb457116.aspx)

Temporary files (to determine where applications store temporary files and encrypt these folders as well to resolve this issue

Printer spool files (see the “Special Operations” section)

Provide additional protection by using the System Key. Using Syskey provides additional protection for password values and values protected in the Local Security Authority (LSA) Secrets (such as the master key used to protect user’s cryptographic keys). Read the article “Using the System Key” in the Windows 2000 Resource Kit’s Encrypting File System chapter. A discussion of the use of Syskey, and possible attacks against a Syskey-protected Windows 2000 computer and countermeasures, can be found in the article “Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System.”

If your policy is to require that data is stored on file servers, not on desktop systems, you will need to choose a strategy for doing so. Two possibilities existeither storage in normal shared folders on file servers or the use of web folders. Both methods require configuration, and you should understand their benefits and risks.

If encrypted files are going to be stored on a remote server, the server must be configured to do so, and an alternative method, such as IP Security (IPSec) or Secure Sockets Layer (SSL), should be used to protect the files during transport. Instructions for configuring the server are discussed in “Recovery of Encrypted Files on a Server” (283223) and “HOW TO: Encrypt Files and Folders on a Remote Windows 2000 Server” (320044). However, the latter doesn’t mention a critical step, which is that the remote server must be trusted for delegation in Active Directory. Quite a number of articles can be found, in fact, that leave out this step. If the server isn’t trusted for delegation in Active Directory, and a user attempts to save the file to the remote server, an “Access Denied” error message will be the result.

If you need to store encrypted files on a remote server in plaintext (local copies are kept encrypted), you can. The server must, however, be configured to make this happen. You should also realize that once the server is so configured, no encrypted files can be stored on it. See the article “HOW TO: Prevent Files from Being Encrypted When Copied to a Server” (302093).

You can store encrypted files in Web folders when using Windows XP or Windows Server 2003. The Windows XP Professional Resource Kit section “Remote EFS Operations in a Web Folder Environment” explains how.

If your Web applications need to require authentication to access EFS files stored in a Web folder, the code for using a Web folder to store EFS files and require authentication to access them is detailed in “HOW TO: Use Encrypting File System (EFS) with Internet Information Services” (243756).

Once you know the facts about EFS and have decided how you are going to use it, you should use these documents as a checklist to determine that you have designed the best solution.

By default, EFS certificates are self-signed; that is, they don’t need to obtain certificates from a CA. When a user first encrypts a file, EFS looks for the existence of an EFS certificate. If one isn’t found, it looks for the existence of a Microsoft Enterprise CA in the domain. If a CA is found, a certificate is requested from the CA; if it isn’t, a self-signed certificate is created and used. However, more granular control of EFS, including EFS certificates and EFS recovery, can be established if a CA is present. You can use Windows 2000 or Windows Server 2003 Certificate Services. The following articles explain how.

Troubleshooting EFS is easier if you understand how EFS works. There are also well known causes for many of the common problems that arise. Here are a few common problems and their solutions:

You changed your user ID and password and can no longer decrypt your files. There are two possible approaches to this problem, depending on what you did. First, if the user account was simply renamed and the password reset, the problem may be that you’re using XP and this response is expected. When an administrator resets an XP user’s account password, the account’s association with the EFS certificate and keys is removed. Changing the password to the previous password can reestablish your ability to decrypt your files. For more information, see “User Cannot Gain Access to EFS Encrypted Files After Password Change or When Using a Roaming Profile” (331333), which explains how XP Professional encrypted files cannot be decrypted, even by the original account, if an administrator has changed the password. Second, if you truly have a completely different account (your account was damaged or accidentally deleted), then you must either import your keys (if you’ve exported them) or ask an administrator to use recovery agent keys (if implemented) to recover the files. Restoring keys is detailed in “HOW TO: Restore an Encrypting File System Private Key for Encrypted Data Recovery in Windows 2000” (242296). How to use a recovery agent to recover files is covered in “Five-Minute Security AdvisorRecovering Encrypted Data Using EFS.”

Read this article:
The Encrypting File System – technet.microsoft.com

Read More..

Yale Professors Race Google and IBM to the First Quantum …

Quantum computing systems are difficult to understand because they do not behave like the everyday world we live in. But this counterintuitive behavior is what allows them to perform calculations at rate that would not be possible on a typical computer.

Todays computers store information as bits, with each transistor holding either a 1 or a 0. But thanks to something called the superposition principle behavior exhibited by subatomic particles like electrons and photons, the fundamental particles of light a quantum bit, or qubit, can store a 1 and a 0 at the same time. This means two qubits can hold four values at once. As you expand the number of qubits, the machine becomes exponentially more powerful.

Todd Holmdahl, who oversees the quantum project at Microsoft, said he envisioned a quantum computer as something that could instantly find its way through a maze. A typical computer will try one path and get blocked and then try another and another and another, he said. A quantum computer can try all paths at the same time.

The trouble is that storing information in a quantum system for more than a short amount of time is very difficult, and this short coherence time leads to errors in calculations. But over the past two decades, Mr. Schoelkopf and other physicists have worked to solve this problem using what are called superconducting circuits. They have built qubits from materials that exhibit quantum properties when cooled to extremely low temperatures.

With this technique, they have shown that, every three years or so, they can improve coherence times by a factor of 10. This is known as Schoelkopfs Law, a playful ode to Moores Law, the rule that says the number of transistors on computer chips will double every two years.

Schoelkopfs Law started as a joke, but now we use it in many of our research papers, said Isaac Chuang, a professor at the Massachusetts Institute of Technology. No one expected this would be possible, but the improvement has been exponential.

These superconducting circuits have become the primary area of quantum computing research across the industry. One of Mr. Schoelkopfs former students now leads the quantum computing program at IBM. The founder of Rigetti Computing studied with Michel Devoret, one of the other Yale professors behind Quantum Circuits.

In recent months, after grabbing a team of top researchers from the University of California, Santa Barbara, Google indicated it is on the verge of using this method to build a machine that can achieve quantum supremacy when a quantum machine performs a task that would be impossible on your laptop or any other machine that obeys the laws of classical physics.

There are other areas of research that show promise. Microsoft, for example, is betting on particles known as anyons. But superconducting circuits appear likely to be the first systems that will bear real fruit.

The belief is that quantum machines will eventually analyze the interactions between physical molecules with a precision that is not possible today, something that could radically accelerate the development of new medications. Google and others also believe that these systems can significantly accelerate machine learning, the field of teaching computers to learn tasks on their own by analyzing data or experiments with certain behavior.

A quantum computer could also be able to break the encryption algorithms that guard the worlds most sensitive corporate and government data. With so much at stake, it is no surprise that so many companies are betting on this technology, including start-ups like Quantum Circuits.

The deck is stacked against the smaller players, because the big-name companies have so much more money to throw at the problem. But start-ups have their own advantages, even in such a complex and expensive area of research.

Small teams of exceptional people can do exceptional things, said Bill Coughran, who helped oversee the creation of Googles vast internet infrastructure and is now investing in Mr. Schoelkopfs company as a partner at Sequoia. I have yet to see large teams inside big companies doing anything tremendously innovative.

Though Quantum Circuits is using the same quantum method as its bigger competitors, Mr. Schoelkopf argued that his company has an edge because it is tackling the problem differently. Rather than building one large quantum machine, it is constructing a series of tiny machines that can be networked together. He said this will make it easier to correct errors in quantum calculations one of the main difficulties in building one of these complex machines.

But each of the big companies insist that they hold an advantage and each is loudly trumpeting its progress, even if a working machine is still years away.

Mr. Coughran said that he and Sequoia envision Quantum Circuits evolving into a company that can deliver quantum computing to any business or researcher that needs it. Another investor, Canaans Brendan Dickinson, said that if a company like this develops a viable quantum machine, it will become a prime acquisition target.

The promise of a large quantum computer is incredibly powerful, Mr. Dickinson said. It will solve problems we cant even imagine right now.

An earlier version of this article misstated the surname of one of the investors in Quantum Circuits. As correctly noted elsewhere in the article, he is Brendan Dickinson, not Dickson.

View post:
Yale Professors Race Google and IBM to the First Quantum …

Read More..

IBM’s processor pushes quantum computing … – engadget.com

Quantum computers work much differently than regular supercomputers, taking advantage of weird quantum physics principals like “superposition.” In theory, they can run specific programs, like encryption-cracking algorithms, many, many times faster than regular computers.

The 50 qubit system (shown below) is a significant leap toward practical quantum computers. “We are really proud of this, it’s a big frickin’ deal,” IBM AI and quantum computer director Dario Gil told MIT Technology Review. Other players in quantum computing including Google, Intel and Rigetti.

IBM’s 50 qubit computer is just a prototype, but it will soon have a working 20 qubit computer that users can try online by the end of 2017, with improvements planned throughout 2018. The company has already made lower-powered machines available for cloud use, and used a 7 qubit model to simulate a molecule, for example. IBM says around 60,000 users have run 1.7 million experiments, resulting in 35 research papers.

Quantum computers haven’t been able to run programs that a regular computer can’t, so the massive speed breakthrough many have hoped for has yet to arrive. Still, Google researchers said last month that a 50 qubit computer they’re working on could surpass current supercomputers, achieving an (excellently-named) milestone called Quantum Supremacy. The technology is tricky, though, so there’s good reason not to get too excited. But, there’s also a good chance that quantum computers will finally break that barrier sometime in the next year or two.

Go here to read the rest:
IBM’s processor pushes quantum computing … – engadget.com

Read More..

DOJ: Strong encryption that we dont have access to is …

Enlarge / US Deputy Attorney General Rod Rosenstein delivers remarks at the 65th Annual Attorney General’s Awards Ceremony at the Daughters of the American Revolution Constitution Hall October 25, 2017 in Washington, DC.

Just two days after the FBI said it could not get into the Sutherland Springs shooter’s seized iPhone, Politico Pro published a lengthy interview with a top Department of Justice official who has become the “governments unexpected encryption warrior.”

According to the interview, which was summarized and published in transcript form on Thursday for subscribers of the website, Deputy Attorney General Rod Rosenstein indicated that the showdown between the DOJ and Silicon Valley is quietly intensifying.

“We have an ongoing dialogue with a lot of tech companies in a variety of different areas,” he told Politico Pro. “There’s some areas where they are cooperative with us. But on this particular issue of encryption, the tech companies are moving in the opposite direction. They’re moving in favor of more and more warrant-proof encryption.”

While the battle against encryption has been going on within federal law enforcement circles since at least the early 1990s, Rosenstein has been the most outspoken DOJ official on this issue in recent months.

The DOJ’s number two has given multiple public speeches in which he has called for “responsible encryption.” The interview with Politico Pro represents the clearest articulation of the DOJs position on this issue, and it suggests that a redux of the 2016 FBI v. Apple showdown is inevitable in the near future.

“I want our prosecutors to know that, if there’s a case where they believe they have an appropriate need for information and there is a legal avenue to get it, they should not be reluctant to pursue it,” Rosenstein said. “I wouldn’t say we’re searching for a case. I’d say were receptive, if a case arises, that we would litigate.”

What Rosenstein didn’t note, however, is that the DOJ and its related agencies, including the FBI, are not taking encryption lying down.

The FBI maintains an office, known as the National Domestic Communications Assistance Center(NDCAC), which actively provides technical assistance to local law enforcement in high profile cases.

In its most recently published minutes from May 2017, the NDCAC said that one of its goals is to make such commercial tools, like Cellebrite’s services, “more widely available” to state and local law enforcement. Earlier this year, the NDCAC provided money to Miami authorities to pay Cellebrite to successfully get into a seized iPhone in a local sextortion case.

In the interview, Rosenstein also said he “favors strong encryption.”

“I favor strong encryption, because the stronger the encryption, the more secure data is against criminals who are trying to commit fraud,” he explained. “And I’m in favor of that, because that means less business for us prosecuting cases of people who have stolen data and hacked into computer networks and done all sorts of damage. So I’m in favor of strong encryption.”

“This is, obviously, a related issue, but it’s distinct, which is, what about cases where people are using electronic media to commit crimes? Having access to those devices is going to be critical to have evidence that we can present in court to prove the crime. I understand why some people merge the issues. I understand that they’re related. But I think logically, we have to look at these differently. People want to secure their houses, but they still need to get in and out. Same issue here.”

He later added that the claim that the “absolutist position” that strong encryption should be by definition, unbreakable, is “unreasonable.”

“And I think it’s necessary to weigh law enforcement equities in appropriate cases against the interest in security,” he said.

The DOJ’s position runs counter to the consensus of information security experts, who say that it is impossible to build the strongest encryption system possible that would also allow the government access under certain conditions.

“Of course, criminals and terrorists have used, are using, and will use encryption to hide their planning from the authorities, just as they will use many aspects of society’s capabilities and infrastructure: cars, restaurants, telecommunications,” Bruce Schneier, a well-known cryptographer, wrote last year.

“In general, we recognize that such things can be used by both honest and dishonest people. Society thrives nonetheless because the honest so outnumber the dishonest. Compare this with the tactic of secretly poisoning all the food at a restaurant. Yes, we might get lucky and poison a terrorist before he strikes, but we’ll harm all the innocent customers in the process. Weakening encryption for everyone is harmful in exactly the same way.”

Rosenstein closed his interview by noting that he understands re-engineering encryption to accommodate government may make it weaker.

“And I think that’s a legitimate issue that we can debatehow much risk are we willing to take in return for the reward?” he said.

“My point is simply that I think somebody needs to consider what’s on the other side of the balance. There is a cost to having impregnable security, and we’ve talked about some of the aspects of that. The cost is that criminals are going to be able to get away with stuff, and that’s going to prevent us in law enforcement from holding them accountable.”

Excerpt from:
DOJ: Strong encryption that we dont have access to is …

Read More..

FBI cant break the encryption on Texas shooters smartphone

Getty Images | Peter Dazeley

The Federal Bureau of Investigation has not been able to break the encryption on the phone owned by a gunman who killed 26 people in a Texas church on Sunday.

“We are unable to get into that phone,” FBI Special Agent Christopher Combs said in a press conference yesterday (see video).

Combs declined to say what kind of phone was used by gunman Devin Kelley, who killed himself after the mass shooting.”I’m not going to describe what phone it is because I don’t want to tell every bad guy out there what phone to buy, to harass our efforts on trying to find justice here,” Combs said.

The phone is an iPhone,The Washington Post reported today:

After the FBI said it was dealing with a phone it couldnt open, Apple reached out to the bureau to learn if the phone was an iPhone and if the FBI was seeking assistance. Late Tuesday an FBI official responded, saying it was an iPhone but the agency was not asking anything of the company at this point. Thats because experts at the FBIs lab in Quantico, Va., are trying to determine if there are other methods to access the phones data, such as through cloud storage backups or linked laptops, these people said.

The US government has been calling on phone makers to weaken their devices’ security, but companies have refused to do so.Last year, Apple refused to help the government unlock and decrypt the San Bernardino gunman’s iPhone, but the FBI ended up paying hackers for a vulnerability that it used to access data on the device.

Deliberately weakening the security of consumer devices would help criminals target innocent people who rely on encryption to ensure their digital safety, Apple and others have said.

“With the advance of the technology in the phones and the encryptions, law enforcement, whether it’s at the state, local, or the federal level, is increasingly not able to get into these phones,” Combs said yesterday.

Combs said he has no idea how long it will take before the FBI can break the encryption.”I can assure you we are working very hard to get into the phone, and that will continue until we find an answer,” he said. The FBI is also examining “other digital media” related to the gunman, he said.

There are currently “thousands of seized devices sit[ting] in storage, impervious to search warrants,” Deputy Attorney General Rod Rosenstein said last month.

Read more:
FBI cant break the encryption on Texas shooters smartphone

Read More..

DOJ Fires Up New War With Apple Over Encryption

The DOJ and FBI have been in a bit of a cold war with Apple and the tech community ever since the controversy in 2015 over unlocking the San Bernardino shooters iPhone. This week, the war heated up again with the FBI and Apple exchanging words about encryption, and on Thursday, the Deputy Attorney General of the United States stepped into the fray.

The Federal Bureau of Investigation apparently missed a key window in which they could have sought

The FBI is currently investigating the circumstances surrounding the shooting of 26 people at a church in Sutherland Springs, Texas. The shooter, Devin Kelley, is dead, so law enforcement has had to work with what evidence hes left behind. On Tuesday, FBI special agent Christopher Combs gave a press conference in which he lamented the fact that the FBI has, so far, been unable to unlock Kelleys phone. On Wednesday, Apple let the world know that it may have been able to help, but the FBI waited more than 48 hours to inform Apple or the public that it was trying to unlock an iPhone. At a minimum, Apple said that it couldve suggested trying the Touch ID feature in that 48 hours, but its too late now.

That could have been the end of the story. Until today, neither the FBI nor Apple has seemed to want to jump back into the heated debate on encryption that occurred in 2015. People from the FBI and DOJ have continued to make comments that they need a backdoor into encryption, but without a major case like San Bernardino to win over public sentiment, they havent made a huge public deal out of it. And Apple has been happy to walk away from that incident without being forced to create future backdoors for the US government. It would appear that Apples statement on Wednesday was an effort to nip a new uproar in the bud. But on Thursday, Deputy AG Rod Rosenstein brought the subject up once again. Rosenstein (conveniently) did not mention that Apple publicly shamed the FBI for not even attempting to approach the company for help.

At a breakfast for business leaders in Maryland, Rosenstein gave a wide-ranging speech that touched on the importance of law before politics, the increasing problem of cybercrime, and once again, how much hed love to be able to get into anyones phone whenever he has an investigation. Rosenstein is clearly being either willfully ignorant or hes gassing the public when he makes statements like, nobody has a legitimate expectation of privacy in that phone, referring to the shooters phone. The suspect is deceased, and even if he were alive, it would be legal for police and prosecutors to find out what is [on] the phone, he explained.

The FBI, and other government agencies around the world, tend to make their case for a backdoor into encryption based on either the need to protect the public or some sort of fine legal argument about warrants. Rosenstein went with both. When you shoot dozens of American citizens, we want law enforcement to investigate you, he told the attendees. There are things we need to know.

As always in this argument, the issue is that no ones talking about the privacy of a dead man, or the constitutionality of a search warrant for the phone, or even anyones physical safety. Opponents of governmental backdoors are talking about the privacy and safety of everyone who uses technology and the internet. Good encryption means no one can have a backdoor. If theres a backdoor, someone will end up being able to open it. Rosenstein, in a matter of a few sentences, was able to jump from rattling off dire warnings and statistics about cybercrime to suggesting a great way to make cybercrime a lot worse.

Even when Apple said most recently that it offered assistance and said we would expedite our response to any legal process they send us, it was only referring to offering training and technical assistance. It wasnt saying that it could crack the phones encryption. Apples official position is that it builds products so that the user is the only one with the key. The fact that the FBI was able to pay some hackers $900,000 to unlock the San Bernardino shooters phone means that Apple has not done a bulletproof job at building that encryption. But still, as far as we know, the goal is realto build a phone without backdoors because thats the safest way to do it.

Rosenstein and his colleagues act as if companies like Apple are protecting criminals, and dodging legal warrants. In fact, companies like Apple are protecting Rosenstein and his colleagues, because they most certainly use technology every day. Warrants dont apply here because the tech is designed so that no one can be ordered to open it up. Before smartphones and laptops existed, FBI agents werent demanding that a neurologist autopsy a dead suspects brain to try and find some phone numbers of people they were in contact with. If there was a phone book in the suspects house, a warrant allowed them to find it. That hasnt changed today. Law enforcement needs to start thinking of a locked and encrypted phone as a dead brain. If they can hire some Frankenstein hacker to bring it back to life, fine. But otherwise, just do the police work the old-fashioned way.

If the past few days are any indication, this could turn into another prolonged war of words. Rosenstein and the FBI probably see a political opportunity with public and political sentiment turning against the tech world. Tech needs to do a lot of things better, but one of those things is making encryption more impervious to the FBI.

[The Hill, The Washington Examiner, Baltimore Sun]

The rest is here:
DOJ Fires Up New War With Apple Over Encryption

Read More..

‘$300m in cryptocurrency’ accidentally lost forever due to bug …

More than $300m of cryptocurrency has been lost after a series of bugs in a popular digital wallet service led one curious developer to accidentally take control of and then lock up the funds, according to reports.

Unlike most cryptocurrency hacks, however, the money wasnt deliberately taken: it was effectively destroyed by accident. The lost money was in the form of Ether, the tradable currency that fuels the Ethereum distributed app platform, and was kept in digital multi-signature wallets built by a developer called Parity. These wallets require more than one user to enter their key before funds can be transferred.

On Tuesday Parity revealed that, while fixing a bug that let hackers steal $32m out of few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.

A cryptocurrency is a form of digital asset, created through a canny combination of encryption and peer-to-peer networking.

Bitcoin, the first and biggest cryptocurrency, is part of a decentralised payment network. If you own a bitcoin, you control a secret digital key which you can use to prove to anyone on the network that a certain amount of bitcoin is yours.

If you spend that bitcoin, you tell the entire network that you’ve transferred ownership of it, and use the same key to prove that you’re telling the truth. Over time, the history of all those transactions becomes a lasting record of who owns what: that record is called the blockchain.

After bitcoin’s creation in 2009, a number of other cryptocurrencies sought to replicate its success but taking its free, public code and tweaking it for different purposes.

Some, such as Filecoin, have a very defined goal. It aims to produce a sort of decentralised file storage system: as well as simply telling the network that you have some Filecoins, you can tell the network to store some encrypted data and pay Filecoins to whoever stores it on their computer.

Others are more nebulous. Ethereum, using the Ether token, is now the second biggest cryptocurrency after bitcoin and essentially a cryptocurrency for making cryptocurrencies. Users can write “smart contracts”, which are effectively programs that can be run on the computer of any user of the network if they’re paid enough Ether.

Of course, to many, the purpose is secondary. The only really important thing is that the value of an Ether token increased 2,500% over 2017, meaning some are hoping to jump on the bandwagon and get rich. Bubble or boom? That’s the $28bn question.

The user, devops199, triggered the flaw apparently by accident. When they realised what they had done, they attempted to undo the damage by deleting the code which had transferred ownership of the funds. Rather than returning the money, however, that simply locked all the funds in those multisignature wallets permanently, with no way to access them.

This means that currently no funds can be moved out of the multi-sig wallets, Parity says in a security advisory.

Effectively, a user accidentally stole hundreds of wallets simultaneously, and then set them on fire in a panic while trying to give them back.

We are analysing the situation and will release an update with further details shortly, Parity told users.

Some are pushing for a hard fork of Ethereum, which would undo the damage by effectively asking 51% of the currencys users to agree to pretend that it had never happened in the first place. That would require a change to the code that controls ethereum, and then that change to be adopted by the majority of the user base. The risk is that some of the community refuses to accept the change, resulting in a split into two parallel groups.

Such an act isnt unheard of: another hack, two years ago, of an Ethereum app called the DAO resulted in $150m being stolen. The hard fork was successful then, but the money stolen represented a much larger portion of the entire Ethereum market than the $300m lost to Parity.

The lost $300m follows the discovery of bug in July that led to the theft of $32m in ether from just three multisignature wallets. A marathon coding and hacking effort was required to secure another $208m against theft. Patching that bug led to the flaw in Paritys system that devops199 triggered by accident.

Parity says that it is unable to confirm the actual amount lost, but that the $300m figure is purely speculative. The company also disputes that the currency is lost, arguing that frozen is more accurate. But if it is frozen, it appears that no-one has the ability to unfreeze the funds.

The Parity vulnerability was the result of an incorrectly coded smart contract used by the Parity wallet to store tokens on the Ethereum network, said Dominic Williams, founder of blockchain firm DFINITY. The vulnerability made it possible for anyone to freeze the tokens held by that smart contract, making them immovable. At this time, the only method we are aware of to unfreeze tokens held by the vulnerable smart contract would be to create a new hard fork Ethereum client that deploys a fix. This would require every full node on the Ethereum network to upgrade by the date of the hard fork to stay in sync, including all miners, wallets, exchanges, etc.

Ethereum has rapidly become the second most important cryptocurrency, after Bitcoin, with its price increasing more than 2,500% over the past year. One token of Ether is now worth a little over $285, up from $8 in January.

See the rest here:
‘$300m in cryptocurrency’ accidentally lost forever due to bug …

Read More..

Amazon might want in on cryptocurrency – mashable.com

Image: Jakub Kaczmarczyk/Epa/REX/Shutterstock

Amazon is not-so quietly shaping the future around its ever-expanding business, so it makes sense they’d want to get in on cryptocurrency, too.

The company wants to build a fleet of package-delivering drones. They maybe want to build giant drone hives in a city near you. They’ve got grocery stores and devices you can ask to set a timer or play a song. Now, according to Whois data, an Amazon subsidiary registered amazoncryptocurrencies.com, amazoncryptocurrency.com, and amazonethereum.com on Oct. 31.

The news was first reported by DomainNameWire, and, as they wrote, Amazon might just be buying up the names so nobody else can profit off a feigned association with their brand. Coindesk pointed out that Amazon registered amazonbitcoin.com four years ago, and that just redirects to the company’s regular homepage.

Or maybe Jeff Bezos recently spent some time reading about how Bitcoin is doing better than ever, and decided to jump into the cryptocurrency pool.

We reached out to Amazon for more information, but didn’t immediately hear back.

Originally posted here:
Amazon might want in on cryptocurrency – mashable.com

Read More..