Toshiba Developing New Encryption?

Encryption is an essential and fundamental way to keep people safe online. Hear that, world governments? ESSENTIAL! From keeping information away from hackers in the banking sector to assisting journalists in their exceptional work exposing corruption in its various forms, encryption is imperative.

But it does have its weaknesses, which have been highlighted by many cases involving individuals who would rather all information be freely available within many communications outlets. Encryption is in need of a revamp, which might become a reality thanks to tech company Toshiba, which will be undertaking verification testing on a new encryption technique that the Tokyo-based firm says is “unbreakable”.

Toshiba is calling this project a test of a Quantum Cryptographic Communication System. So what is a quantum cryptographic system? According to Toshiba’s website, the technique uses quantum physics to ensure that genomic data encrypted with digital keys remains secret. This differs from standard communications, which can be intercepted by measuring a part of the optical signal. Toshiba aims to bring this project to market within five years of full development.

Sounds promising, but Toshiba also states that potential users will be public agencies and medical institutions; as yet it’s unclear whether Mr Average Joe will benefit from this potential innovation. It also remains to be seen whether this technique is “unbreakable”, as that definition is open to interpretation.

Thank you, Toshiba, for providing us with this information.

WhatsApp Messages Led to Belgian Terror Arrests

The FBI has been trying hard to get unlimited access to messages passed by encrypted messaging services. However, it apparently didn’t need that level of access to WhatsApp messages sent between members of an alleged Chechen jihadist group operating in Belgium. According to reports, a pair of men were arrested and warrants were issued for three others for allegedly preparing a terrorist attack in Belgium.

Ars Technica posted:

“The arrests followed raids in which 16 people were detained, which Belgian law enforcement officials said was the result of “working with U.S. authorities to monitor suspects’ communications on WhatsApp Inc.’s messaging service,” Bloomberg’s Gaspard Sebag reported. The police investigation began after they obtained information about a man who had returned to Belgium after fighting as a jihadi in Syria.

Ars reached out to WhatsApp and to Facebook, which completed its acquisition of WhatsApp in October. A spokesperson from Facebook declined to comment on the matter.”

WhatsApp began encrypting its messages last November. In theory, if the encryption service was in use by the alleged terrorists, the content of their messages would have been very difficult to read; the protocol continuously changes pairs of encryption keys with each new message. But it’s uncertain whether the messages were encrypted, particularly since the version of encryption is not supported by the Apple iOS version of WhatsApp, and group messages and images aren’t supported by WhatsApp for Android yet.

“Even if some of the messages remained protected by encryption, it’s possible that the FBI or NSA gathered metadata at the server for the messages. That metadata could have been used to establish the connections between the suspects and the wounded jihadi, which would have allowed the US agencies or Belgian law enforcement to do more targeted surveillance.”

Thank you to Ars Technica for providing us with this information.

Synology NAS OS Vulnerable to CryptoLocker [updated]

The operating system run on Synology’s NAS devices, called DiskStation Manager (DSM), is reportedly vulnerable to a CryptoLocker hack. This particular version has been dubbed SynoLocker and is holding the infected NAS devices for ransom.

How the systems get infected is still unclear, but once a device is infected, the malware encrypts parts of the data until you pay 0.6 Bitcoins (about £208 at the current rate). Decryption is promised upon payment, but there is no guarantee that it will happen or that you won’t be infected again.

The company believes the problem to be limited to devices still running non-updated versions of DSM 4.3. It is, however, still investigating whether the vulnerability could also affect the newer version 5.0, just in case.

While a press release is being prepared, Synology gave this emergency statement:

You may have heard by now that DSM is undergoing a CryptoLocker hack called SynoLocker – as of yesterday (08/03/14). It’s a BitCoin Mining hack that encrypts portions of data, and ransoms the decryption key for .6 BitCoin ($350). So far, it looks like the matter is localized to non-updated versions of DSM 4.3, but we are actively working on, and researching the issue to see if it also affects DSM 5.0 as well.

In the interim, we are asking people to take the following precautions:
A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
B. Update DSM to the latest version
C. Backup your data as soon as possible
D. Synology will provide further information as soon as it is available.

If your NAS has been infected:
A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
C. Contact Synology Support as soon as possible at http://www.synology.com/en-global/support/knowledge_base

[UPDATE 16:50 GMT]

Since we originally posted this, we’ve received an official statement from Synology via email. The problem is more limited than first thought and only affects a few software versions. As initially suggested, those with an up-to-date system can feel safe from this threat.

Synology are fully dedicated to investigating this issue and possible solutions. Based on their current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For NAS servers running DSM 4.3-3810 or earlier, if users encounter any of the symptoms below, Synology recommends they shut down their system and contact the technical support team.

  • When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
  • A process called “synosync” is running in Resource Monitor.
  • DSM 4.3-3810 or earlier is installed, but the system says the latest version is installed at Control Panel > DSM Update.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

  • For DSM 4.3, please install DSM 4.3-3827 or later
  • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  • For DSM 4.0, please install DSM 4.0-2259 or later

It is easy to update the Disk Station Manager OS by going to Control Panel and then navigating to the DSM Update. Users can also manually download and install the latest version from Synology’s Download Center. If you notice any strange behaviour or suspect your Synology NAS has been affected by the above issue, you’re also encouraged to contact Synology at security@synology.com where a dedicated team will look into each case.
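As an added example (not Synology's or this site's own code), the version and symptom guidance above can be turned into a small triage check for a list of NAS devices. The function names, action labels and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds per DSM branch, from the Synology statement quoted above.
# DSM 4.1 has no fixed build of its own; its upgrade target is 4.2-3243.
FIXED_BUILD = {
    (4, 3): (4, 3, 3827),
    (4, 2): (4, 2, 3243),
    (4, 1): (4, 2, 3243),
    (4, 0): (4, 0, 2259),
}
SYMPTOM_PROCESS = "synosync"  # process name listed as a symptom in the statement


def parse_dsm(version):
    """Parse 'DSM 4.3-3810' or '4.3-3810' into (major, minor, build)."""
    m = re.fullmatch(r"\s*(?:DSM\s+)?(\d+)\.(\d+)-(\d+)\s*", version)
    if m is None:
        raise ValueError(f"unrecognised DSM version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def triage(version, processes=(), ui_says_latest=False, ransom_screen=False):
    """Return (action, reasons) for one NAS, following the statement's guidance."""
    v = parse_dsm(version)
    fixed = FIXED_BUILD.get(v[:2])
    # Assumption: any pre-5.0 build below its branch's fixed build is treated as
    # outdated, including 4.3 builds between 3811 and 3826 and pre-4.0 branches.
    outdated = v[0] < 5 and (fixed is None or v < fixed)
    symptoms = []
    if ransom_screen:
        symptoms.append("ransom screen shown at DSM login")
    if SYMPTOM_PROCESS in processes:
        symptoms.append(f"process {SYMPTOM_PROCESS!r} running")
    if outdated and ui_says_latest:
        symptoms.append("outdated build reported as latest by DSM Update")
    if symptoms:
        action = "shut-down-and-contact-support" if outdated else "contact-security-team"
        return action, symptoms
    if outdated:
        target = "DSM 5.0" if fixed is None else "DSM %d.%d-%d or later" % fixed
        return "update", [f"install {target}"]
    return "ok", []


# Constructed inventory (hostnames, builds and process lists are made up).
INVENTORY = [
    ("nas-01", "DSM 4.3-3810", ["smbd", "synosync"], True),
    ("nas-02", "DSM 4.2-3211", ["smbd"], False),
    ("nas-03", "DSM 5.0-4493", ["smbd"], False),
]

if __name__ == "__main__":
    for host, ver, procs, says_latest in INVENTORY:
        print(host, ver, *triage(ver, procs, says_latest))
```

A symptom on an up-to-date build is routed to the security contact rather than reported as clean, since the statement asks users to report any suspicious behaviour.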

Thank you, TechPowerUp, for providing us with this information.

77% Of Lawyers Can’t Be Trusted With Protecting Your Confidential Data…Surprising?

Whoever said you can’t trust a lawyer? Well, whoever it was probably had a point. Recent survey data suggests that most lawyers take virtually no action to encrypt and protect online communications with clients other than including a confidentiality statement somewhere in the message body, which in effect does nothing to protect the data. A measly 22% used a form of encryption for sending emails to clients, and email encryption is something you’d think would be the bare minimum for security when sending legally sensitive documents over the internet.

Attorney Robert Ambrogi has written extensively about such issues stating that:

“If I were to leave a document on a table entitled, “My Deepest, Darkest Secrets,” under which I wrote, “Please do not read this unless you are someone I intended to read this,” how securely would you think I’d protected myself?

That, effectively, is all the majority of lawyers do to protect confidential documents they share with clients and colleagues”

Apparently the lack of security in the legal profession goes fairly unnoticed because legal firms are reluctant to report such data breaches. At the bare minimum, Robert Ambrogi says, legal firms should start by encrypting emails, using secure file sharing services and examining cloud sharing services more closely before using them.

Source: LawSitesBlog, Via: Network World
