Google-released Chrome extension allows easy in-browser Webmail encryption

Developers at Google have released an experimental tool—for Gmail and other Web-based services—that's designed to streamline the highly cumbersome task of sending and receiving strongly encrypted e-mail.

On Tuesday, the company unveiled highly unstable "alpha" code that in theory allows people to use the Google Chrome browser to generate encryption keys, encrypt e-mails sent to others, and decrypt received e-mails. Dubbed End-to-End, the Chrome extension also allows Chrome users to digitally sign and verify digital signatures of e-mails sent through Gmail and other services. The code implements a fully compliant version of the OpenPGP standard, which is widely regarded as providing virtually uncrackable encryption when carried out correctly.

As Ars documented last year, the problem with just about every e-mail encryption program available today is that it requires much more time and effort than sending plain-text mail. Microsoft's Outlook application, for instance, frequently crashes when working with the open-source GnuPG encryption suite. Some Outlook users, including this reporter, also experience problems when receiving encrypted e-mail from Mac users, since the encrypted messages are included in an attachment, rather than in the body. End-to-End is intended to ease such burdens.


Deterrence in Cyberspace Helps Prevent Cyberwar

Deterrence is an important part of warfare, often the most effective form of defending. Therefore, in the next couple of years we expect to see states reveal some of their offensive cyber capabilities more openly than they are doing today. The goal of deterrence is to make our opponents abstain from attacking, yet if the deterrence is too strong it may lure us into lowering our own attack threshold. The complex logic of cyber deterrence deserves a closer look.

Effective deterrence convinces our opponents that it is too costly to attack us. This evaluation is based on both material facts and perceptions about our skills and motivation. We can achieve deterrence through a strong defense, a convincing ability to turn the opponent’s potential success into a Pyrrhic victory, or a vast capability for retaliation. The strength of our deterrence can be backed up by vigorous information campaigns. However, in cyberspace virtually every system is breachable, attribution is difficult if not impossible, weapons are often used only once, and verifying anyone’s capabilities is challenging. Building effective deterrence requires applied ways of thinking.

Deterrence through strong defenses

The idea behind the majority of cybersecurity solutions is to build defenses that no attacker can break through. Smart defenses do not try to protect everything but concentrate on safeguarding the most essential assets in all circumstances. The success of this endeavor is difficult to estimate because most advanced attacks can camouflage themselves. They are often found only after a long period or not at all. Nevertheless, establishing a strong defense is worthwhile because defenses known to be solid will turn some potential attackers toward easier targets. Alongside technical aspects, a strong defense includes a workforce that knows how to act in a smart way.

Unfortunately, strong defenses motivate some cyberattackers. With enough resources and time, every system is penetrable. Victory tastes the sweeter the harder it is to achieve. In addition, gaining control—whether of military communications or SCADA systems in critical infrastructure—gives the attacker a powerful edge. The ability to demonstrate a strong defense, again, increases deterrence.

Deterrence through performance and action

Traditionally, effective perceptions of our capability, which contribute to deterrence, rise from military and other verifiable actions. Parading the equipment has been a way of convincing opponents as well as our own people about military might.

In cyberspace parading the equipment is not a good idea. The effectiveness of cyber weapons is always tied to context, and showing them may reveal systemic weaknesses to opponents. Concealing our weaponry is a better choice. Even if we use cyber weapons, we can plausibly deny their existence because of the difficulty of attribution. Parading the equipment has been left to hacktivists or criminals. States have only recently begun to acknowledge their involvement in cyberattacks.

Observable capabilities to prevent and preempt attacks may constitute a part of deterrence. However, it is challenging to prove that an event was prevented—because it presupposes that something that would have happened otherwise did not take place. Both strategies require extremely good intelligence and know-how to prevent attacks. If our opponent is unknown, for example, preemption attempts can turn against us: Hitting the wrong target creates a new enemy and can escalate the conflict.

Deterrence through retaliation

If we cannot build a strong defense, many choose to build a strong capability for retaliation. Even if the opponent can get through our defenses, we will hit back—and hit hard. Creating a credible offensive capability requires a different kind of thinking and investment than building defenses; ideally they support one another. In cyberspace, retaliation is restricted by our ability to recognize the opponent and know its systems. Yet just knowing that our capability exists may deter some potential opponents. Moreover, cyberattacks may be answered by physical actions, too.

Cyberspace is omnipresent in our society. Therefore, we can build deterrence only in cooperation with all levels of society. Ideally, up-to-date technology combined with skilled people creates credible deterrence—but the capability must be demonstrated. This need increases the importance of offensive capabilities. Due to the high number of cyberattacks we face each day, it is difficult to estimate when, against whom, and for how long cyber deterrence remains effective.

The post Deterrence in Cyberspace Helps Prevent Cyberwar appeared first on McAfee.

Critical new bug in crypto library leaves Linux, apps open to drive-by attacks

A recently discovered bug in the GnuTLS cryptographic code library puts users of Linux and hundreds of other open source packages at risk of surreptitious malware attacks until they incorporate a fix developers quietly pushed out late last week.

Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday, with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages and multiple operating systems dependent on the library, that may take time.

"A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake," an entry posted Monday on the Red Hat Bug Tracker explained. "A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or possibly execute arbitrary code."
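The bounds check that the Red Hat entry points to, shown as an added example that is not GnuTLS code and not part of the original article: a ServerHello session-ID parser that rejects any length above the 32-byte maximum in RFC 5246 before copying into a fixed buffer. The function names, error codes and sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSION_ID 32   /* RFC 5246: opaque SessionID<0..32> */
#define SH_FIXED_PREFIX 34  /* server_version (2) + random (32) */

enum sh_err { SH_OK = 0, SH_TRUNCATED = -1, SH_SID_TOO_LONG = -2 };

/* Hypothetical helper (not GnuTLS code): copy the session ID out of a
 * ServerHello body into a fixed 32-byte buffer, validating the
 * server-controlled length byte before any copy takes place. */
int parse_session_id(const uint8_t *body, size_t body_len,
                     uint8_t out[MAX_SESSION_ID], size_t *out_len)
{
    if (body_len < SH_FIXED_PREFIX + 1)
        return SH_TRUNCATED;
    size_t sid_len = body[SH_FIXED_PREFIX];
    /* The length byte can claim up to 255; without this check the
     * memcpy below would write past the end of out[]. */
    if (sid_len > MAX_SESSION_ID)
        return SH_SID_TOO_LONG;
    /* Session ID, cipher_suite (2) and compression_method (1) must all be present. */
    if (body_len - (SH_FIXED_PREFIX + 1) < sid_len + 3)
        return SH_TRUNCATED;
    memcpy(out, body + SH_FIXED_PREFIX + 1, sid_len);
    *out_len = sid_len;
    return SH_OK;
}

/* Constructed sample input: a ServerHello body with the given session ID length. */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t sid_len)
{
    size_t need = SH_FIXED_PREFIX + 1 + (size_t)sid_len + 3;
    if (cap < need) return 0;
    memset(buf, 0, need);                   /* zero random, compression = null */
    buf[0] = 0x03; buf[1] = 0x03;           /* server_version: TLS 1.2 */
    buf[SH_FIXED_PREFIX] = sid_len;         /* session_id length byte */
    memset(buf + SH_FIXED_PREFIX + 1, 0xAB, sid_len);
    buf[need - 2] = 0x2F;                   /* cipher suite 0x002F */
    return need;
}

int main(void)
{
    uint8_t msg[300], sid[MAX_SESSION_ID]; size_t n = 0;
    size_t len = build_server_hello(msg, sizeof msg, 200);
    return parse_session_id(msg, len, sid, &n) == SH_SID_TOO_LONG ? 0 : 1;
}
```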
