Secure HTTP access to Google's free Gmail service is now active by default, the company announced earlier this week, making Gmail messages less susceptible to unauthorized access.
Google says that the new functionality will help protect users who have not already switched to HTTPS. The company wrote on the official Gmail blog that it had carefully weighed the tradeoffs between security and speed, since HTTPS data transfers tend to move slightly slower than those sent without encryption.
The option to use HTTPS for Gmail connections has been present since 2008, but it was turned off by default. Users will still be able to use Gmail over standard HTTP, but Google says that only those users confident in their network security settings should disable HTTPS.
PC World speculates that the move may have been prompted by the recent hacking attempts by Chinese cyber criminals to gain access to the email accounts of human rights campaigners. The attack has also provoked a decision by Google to stop filtering search results for its Google.cn portal, which is likely a signal of the end of the company's presence in China.
Tag Archives: encryption
Coding experts crack 768-bit RSA encryption
Researchers have factored and broken the public key encryption used by 768-bit RSA ciphers, according to an announcement from the research team released last Thursday.
Ars Technica reports that RSA encryption is based on very large numbers that are the product of two prime numbers. This means that, while the public key is available to anyone, factoring it back into those primes is a formidable challenge for commercially available computers. The Register says that the task took "about two-and-a-half years and hundreds of general-purpose computers." The team estimated that the factorization would have taken roughly 1,500 years to perform on a single computer with a 2.2 GHz CPU and 2 GB of RAM.
The discovery means that sufficiently sophisticated spyware could be built to read information encrypted with 768-bit RSA. 1024-bit encryption is next, and the Register reports that it will require roughly 1,000 times as much computing effort to crack.
However, Ars Technica reports that the pace of improvement in computer processor speed could put 1024-bit RSA encryption in the sights of code experts sooner than many would have guessed.
German hacker says he has broken GSM encryption
Filed under Security News
Tagged as Claire Cranton, cracked, encryption, german, GSM, hacked, Karsten Nohl, ZDNet
The code that protects most of the mobile phone calls made around the world has reportedly been cracked by a German computer engineer. Karsten Nohl revealed the secret of GSM encryption on the second day of the Chaos Communication Congress, a hacker convention currently being held in Berlin.
The GSM cipher has been in use since 1988, and currently protects roughly four out of five cell phone calls made worldwide. ZDNet says that the 64-bit binary code is antiquated compared to more modern encryption technology. Nohl says that his aim was to demonstrate the weakness of current encryption and push for updated security measures.
Industry groups, however, were not happy with Nohl's breakthrough. GSM spokeswoman Claire Cranton told the New York Times that Nohl's activities were "illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me." ZDNet says that the GSM association has publicly expressed doubts over the veracity of Nohl's claims.
Nohl's codebook is not presently available via the web, but copies are circulating through BitTorrent.
Government watchdog warns of possible IT leaks at Los Alamos
Filed under Security News
Tagged as access, breach, encryption, GAO, Los Alamos, network, risk assessment, risks, security
The Government Accountability Office has issued a report on data security at the Los Alamos National Laboratory which says that sensitive and highly classified information is vulnerable to outside access.
The GAO report asserts that the lab has not fully implemented the security protocols and user access control recommended by experts. The report found fault with numerous aspects of the LANL's data security, including network security, encryption of classified data, compliance monitoring, and software configuration.
One reason that LANL remains insecure even after highly publicized security breaches within the past several years is that the facility lacks a comprehensive program for risk assessment, which would help focus security resources where they might do the most good. The GAO report also referred to "organizational culture issues" which militated against effective protection of classified data.
The importance of securing LANL's classified network cannot be overemphasized. Some of the country's most important secrets - including the design of nuclear weapons - reside within its 3,900 servers. The first atomic bomb was designed at the facility, under the direction of J. Robert Oppenheimer.
Researchers crack WPA Wi-Fi encryption in 60 seconds
Two Japanese researchers have found a way to break the encryption of data sent over Wi-Fi Protected Access (WPA), a security protocol for transmitting information via 802.11 wireless LAN, in about 60 seconds.
The hack builds on an attack devised in 2008 by two researchers (Beck and Tews) who managed to crack WPA encryption of short packets of data in 12 to 15 minutes.
In their paper, Toshihiro Ohigashi and Masakatu Morii describe a practical message falsification attack on any WPA implementation that uses the Beck and Tews method in a man-in-the-middle attack (MITM).
In the MITM attack, the user's communication is intercepted by an attacker until the attack ends. Since the victims of the attack might detect it if the attack window is large, the researchers used methods for reducing the execution time of the attack to about one minute.
This attack only works on WPA encryption and cannot recover the WPA encryption key.
WPA2 with AES encryption is now standard on most Wi-Fi products. Hackers have not been able to break the encryption of these formats.
Google urged to adopt default data encryption for Gmail
A letter to Google CEO Eric Schmidt last week signed by 37 web security experts urged the company to enable encryption by default for the users of Gmail, Google Docs and Google Calendar.
Google already uses Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers' login information, which is available as an option for users of Google's webmail and other cloud-based services.
However, encryption is not enabled by default to protect data sent by users of Google Mail, Docs or Calendar. As a result, the security experts said, Google customers who use a public connection such as open wireless networks "face a very real risk of data theft and snooping."
Alma Whitten, from Google's security and privacy teams, responded on the Google public policy blog that the company is planning a trial in which it will move small samples of different types of Gmail users to HTTPS "to see what their experience is and whether it affects the performance of their email."
The group Consumer Watchdog said Google should be praised for agreeing to offer improved security but asked why the company waited so long to act.
The group is calling on other online companies like Yahoo, Microsoft, Facebook and MySpace to offer the same protection.