Recent Enterprise File Sync and Sharing News

Here is a brief round-up of some recent news from the Enterprise File Synchronization and Sharing market segment.

EFSS Application Security

MobileIron published a whitepaper, titled “State of App Security”, that includes results of a survey conducted with its customers. The survey and white paper are briefly summarized in this post.
Survey respondents were asked to list the cloud applications that had been blacklisted by their IT departments. Of the top ten apps listed, five were EFSS solutions: Dropbox, Microsoft OneDrive, Google Drive, Box, and SugarSync.
It’s important to note that all of these blacklisted apps are consumer-oriented and their vendors do offer business versions that are not commonly blacklisted because they include better security features. However, the unauthorized or “shadow” use of consumer EFSS solutions within businesses continues to pose significant information security risks.

Dropbox Doubles Down on Business

Dropbox made several product and business strategy announcements at its inaugural customer event, Dropbox Open, which was held on November 4th, in San Francisco. Most were directly relevant to the company’s increasing focus on businesses, rather than consumers. They are briefly summarized in this Dropbox post, but here’s the skinny on a few.
First, it’s clear why Dropbox is doubling down on its efforts to win over organizations. The company announced that it has signed up around 50,000 new organizations as paying Dropbox Business customers in the last year. Dropbox now claims to have 150,000 business customers; that’s organizations, not seats. The company stated that business is its fastest-growing target market.
To underscore the point, Dropbox announced a new product, Dropbox Enterprise, which “provides the same core security features, admin capabilities, and modern collaboration tools as Dropbox Business — plus new deployment tools, advanced controls, and services and support designed specifically for large organizations.”
Dropbox also announced three new administrative features that will be included in Dropbox Business as well as in Dropbox Enterprise. The new capabilities ‒ suspended user state, sign in as user, and custom branding ‒ are available now through the company’s Early Access program, with no general release date given.
Dropbox is going down the same road that Box has already traveled. It started with a consumer-grade product, added functionality to make it more attractive and useful for small and medium businesses, and now is incorporating the robust security and control features that IT departments in large enterprises demand. The big question now is whether Dropbox can overtake Box in the EFSS market.

Google Drive Adds New Features

Google announced three new capabilities that are intended to improve the usability of Google Drive. These new features apply to all Google Drive users, not just business employees.
It’s now possible to receive a notification from the application on your Android or iOS device when someone has shared a file or folder with you. Previously, those notifications were sent via email. The new notifications are actionable; tapping the link takes you to the document or folder that has been shared.
Google Drive users can now request and grant access to a file or folder to which a link has been sent, but the owner forgot to extend access rights. The feature is mobile friendly. Android users can request access with a single tap. File and folder owners can instantly be notified of the request and provide access from their Android or iOS device.
Finally, it’s now possible to preview files stored on Google Drive on Android devices even if you don’t have a Google account. That feature has been available in Web browsers for a while and makes sense in that context. It’s hard to imagine why an Android device owner wouldn’t have a Google account, but, apparently, it is a problem and Google chose to address it.

Syncplicity Plays Catch-Up on Mobile Security

Syncplicity announced partnerships with AirWatch and MobileIron to help customers secure files on mobile devices. It should be safe to assume that the integration with AirWatch had been ready (or nearly so) for quite a while, since both were owned by EMC until it spun off Syncplicity a couple of months ago. At any rate, these partnerships merely bring Syncplicity even with its competitors, who have had similar partnerships or their own mobile device containerization capabilities for some time now.

Box Expands Its European Presence

Box has opened two new offices in Europe in the last 3 weeks, one in Amsterdam and another in Stockholm. This continental presence is crucial to Box as it seeks to grow by expanding overseas sales efforts. However, the new offices also raise questions about how Box (and competitors) will deal with the recent nullification of the Safe Harbor agreement that had been in place between the European Union and the United States.

ownCloud Brings Control of Open Source EFSS On-Premises

ownCloud announced the newest version (8.2) of its open source EFSS offering, which moves it to a hybrid model. With ownCloud 8.2, it’s now possible for customers to deliver security and control of their files residing in the cloud through an on-premises administrative console.

Linoma GoDrive Customers Gain Mobile Access

In another transformation to a vendor’s existing EFSS model, Linoma Software unveiled its GoAnywhere mobile apps for its GoDrive on-premises EFSS solution. Linoma customers can now access files residing in GoDrive from iOS and Android mobile devices. While files and folders are encrypted in transit, Linoma does not secure files while they are at rest on a mobile device. However, it does provide an administrative capability to deactivate and wipe files and folders from devices that have been lost or stolen.

Mobile normal hits the workforce

This is the first post in our sponsored series with Samsung Business. In this series, we will be looking at some of the key areas in mobile today and into the future. This includes:

  • How businesses are simultaneously adopting mobile technology and adapting to a mobile-normal world.
  • How the internet of things is poised (perhaps) to disrupt everything, and certainly to disrupt some important industries.
  • Some of the key enabling capabilities behind these shifts, including security, data storage and display technologies.

I am starting by looking at some of the areas that Samsung discussed at the Gartner Symposium earlier this month: how enterprises can most effectively move to a mobile first strategy and some of the security and other challenges that presents.
Not mobile first, mobile normal
It’s hard to argue with a mobile-first strategy in 2015, but isn’t it time to go further? The word “mobile” is soon going to be one of the words in the famous Fresh Fish Sold Here story. A product named something like “Secure Mobile Enterprise System” from vendor X has the same problem in 2015. Of course your product is secure, it’s for a business, it’s some sort of system, and – because it is today – how could it exist if it is not mobile?
We have often talked about “mobile normal” as a new way for companies to think about their communications strategy. In a world where consumer apps, even those which are not “mobile-only,” are routinely seeing more than 70% usage on mobile devices, it is increasingly clear that mobile is the way information is consumed and content created. It has been exciting to watch the introduction of mobile into the workforce at scale – from the first Windows Mobile devices and Blackberries delivering mobile email, to initial BYOD strategies (driven in many cases by workers wanting to use their personal smartphones for work email), and the introduction of tablets into the workforce. Perhaps reflecting this, we are close to 50% of employees working outside a traditional “head office” even during the 8-hour work day, never mind how much work happens outside that time.
This needs to come with an important mind shift. Mobile, when part of a secure cloud environment that pushes data and intelligent capabilities to workers wherever they are, is not a for-purpose tool; it’s the everything tool. It used to be that you could think of a mobile solution as solving a point problem; now it is the default experience. This comes at several costs, and one, that of security, is starting to loom larger in mobility strategies.
Security and management
Enterprise mobile security has come a long way from the time when BlackBerry essentially ran the world’s mobile email from nuclear-bunker-level secure data centers in Waterloo, Canada. As Galaxy S2s and iPhones started appearing in businesses, BYOD was the next challenge, but these were still essentially seen as device-level challenges. As a full suite of enterprise capabilities arrives on mobile, how does a CSO manage multi-endpoint sign-on and access control, and what happens if you need to integrate with a third-party mobile app across multiple devices and mobile platforms? Nothing is calculated to disrupt the beauty and elegance of the mobile experience (well described here by a former colleague from Nokia) more quickly than a clumsy, after-the-fact security layer.
While most won’t get to a perfect world, starting from the point of building security into applications, rather than trying to secure them after the fact, has a higher likelihood of success. That comes from having a well-thought-through BYOD and device strategy, and ideally the right application development platform and partners in place.
If we can secure this, what are the applications delivering the mobile-normal experiences?
How are we moving beyond dashboards?
It has been a little frustrating, watching enterprise mobility, to see how far we have not come in delivering real “applications” rather than dashboards and visualizations. For far too long the typical demo of a mobile system was some sort of sales dashboard. That’s great as far as it goes, but it doesn’t integrate mobile into the workflow; it makes mobile a display at the end of it.
In a recent Gigaom discussion, Larry Hawes made a very relevant set of observations:
“The current mobile experience made up of numerous, functionally-focused applications … works well for consumers. In some cases, it can also be highly beneficial to workers who want to quickly accomplish a well-defined task in isolation. The challenge in the work environment (that makes it different from consumer computing) is in getting information to flow between applications.
“We typically use workflow technology to accomplish that … Yes [for example], Slack can use IFTTT to push information between integrated applications, but IFTTT isn’t considered an enterprise-ready technology by most IT professionals. Unfortunately, there is not [yet] an equivalent, lightweight enterprise workflow tool, so the IFTTT style of rules-based information flow can’t be easily replicated, with added enterprise features, in organizations today.”
The work that Samsung discussed with Red Hat at Symposium is focused on this challenge. One example is a focus on APIs that lets businesses think in terms of assembling apps in days rather than engineering them in months. While there is still some way to go to get beyond visualizations, Salesforce’s mobile platform announcements at Dreamforce in September point in the same direction.
As a closing thought in this initial post, the world has moved very quickly past PC-centric digitization to ubiquitous mobility, which assumes and requires secure data and connectivity. There is still a way to go to make sure businesses maximize their opportunity here. Increasingly the tools are available, and leading businesses are enabling their workforces to be as productive and connected as possible no matter where or when they choose to work.

Considering the security implications of CloudFlare’s partnership with Baidu

Earlier this year, Citizen Lab revealed an attack tool that redirected Internet traffic in mainland China to take down websites like GitHub or GreatFire. The tool was dubbed “the Great Cannon” because it appears to share locations with “the Great Firewall” that separates mainland China from the global Internet.
The Great Cannon was the first thing I thought about when news recently broke about CloudFlare’s partnership with Baidu. Both companies were touting their ability to reduce page loading times and make websites available to more people inside China, but nothing was said about how the tool might provide even more fodder for the Chinese government to load into its Great Cannon.
Matthew Prince, co-founder and chief executive of CloudFlare, was quick to address my concerns. “When we see attacks [like those caused by the Great Cannon] those are actually fairly easy attacks to stop,” he said. “Often, much larger and more destructive attacks come from using infected machines and botnets.”
The Great Cannon, in other words, isn’t the scariest thing out there. Prince added that CloudFlare’s partnership with Baidu might actually make it easier to defend Western sites from attack.
“I’m really excited that we’ll be better able to keep traffic inside China,” he told me. “Before, it was much harder to sinkhole traffic” coming from infected machines in the country. CloudFlare previously had to “largely overbuild” a West Coast facility to handle that traffic.
Others have taken a more pessimistic view of the partnership. FireEye’s chief security strategist, Richard Bejtlich, wrote an article for Motherboard about the problems Western companies might face because of the virtual joint venture. He argued that Baidu had enabled the Great Cannon with one of its tools; that sharing CloudFlare’s intellectual property could allow it to be undermined; and that Baidu or the Chinese government might just copy the company’s tech.
Prince dismissed the blog post as fear-mongering. Much of CloudFlare’s tech is already open-sourced, he said, and many companies could probably build a copycat by using the tools it has shared on its GitHub page. CloudFlare’s real value is said to come from the network it uses to thwart attacks and the data it gathers from the “more than 2 million web properties” with which it works.
“When US-China partnerships fail,” he said, “It’s often because some security guru and his lawyers say ‘We can’t trust you with anything.'” CloudFlare is said to have passed on many potential Chinese partners because it couldn’t trust them; sharing intellectual property is one way for CloudFlare to show that trust. He also said there’s “no evidence” Baidu was complicit with the Great Cannon.
Still, he said he hadn’t considered how speeding up Internet connections in China might indirectly assist the Chinese government. While things might not be as gloomy as Bejtlich portrays them in his article, they might also not be as sunny as CloudFlare is depicting them. There’s a giant question mark here, and that’s unsettling, given just how problematic China’s Great Cannon might be.

Good BlackBerry Picking: BlackBerry Acquires Good Technology

BlackBerry Limited (NASDAQ: BBRY; TSX: BB) announced this morning that it has entered into a definitive agreement to acquire Good Technology for $425 million in cash. This move immediately strengthens the reinvented BlackBerry’s position as a provider of cross-platform mobile security services for enterprises. For Good, this acquisition was a logical, inevitable exit.

Back in the early days of enterprise mobility, BlackBerry ruled the market with its BlackBerry Enterprise Server (BES) and BlackBerry Messenger (BBM) offerings. However, those products were tied to the company’s hardware offerings. When BlackBerry’s share of the mobile phone market plummeted after the introduction of the iPhone and Android-based handsets, demand for BES and BBM also took a big hit, despite their technical strength.
Recently, BlackBerry has been reinventing itself as a provider of cross-platform mobile security services for enterprises. While the company has demonstrated some success in executing on that position, the market has remained skeptical. As Fortune’s Jeff Reeves pointed out this morning, BlackBerry is unprofitable with a lot of negativity priced into its stock. The company is currently valued at less than 1.3 times next year’s sales and only slightly above the cash on its books.
Clearly, BlackBerry needed to do something to bolster the credibility of its strategic market positioning. Today’s acquisition of Good Technology immediately strengthens both BlackBerry’s technical ability and street cred as a provider of cross-platform mobile security services for enterprises. Good’s portfolio of Enterprise Mobility Management (EMM) offerings was one of the best available and highly complementary to BlackBerry’s, as noted in the latter’s press release:

“Good has expertise in multi-OS management with 64 percent of activations from iOS devices, followed by a broad Android and Windows customer base. This experience combined with BlackBerry’s strength in BlackBerry 10 and Android management – including Samsung KNOX-enabled devices – will provide customers with increased choice for securely deploying any leading operating system in their organization.”

For Good Technology, this acquisition was a logical, if not inevitable, exit. As I wrote in A market overview of the mobile content management landscape (summary only; subscription required for full text) just over a year ago,

“Many platform vendors have already acquired MDM and MAM capabilities, so the viability of the numerous, remaining pure-play vendors of those technologies looks increasingly dim. Instead, future acquisitions by platform vendors are more likely to echo VMware’s recent (January 2014) purchase of AirWatch and its well-rounded suite of EMM technologies. MobileIron launched a successful IPO earlier this month and looks to remain independent for the time being. Good Technologies recently filed its own IPO registration paperwork but could be acquired either before or after the actual IPO.”

And so it is. MobileIron remains the last major independent EMM vendor standing, and Good has been acquired. It seems that Good really had little choice. The company was $24 million in debt when it filed its S-1 (16 months ago) and never completed the intended IPO. It is very likely that it continued to lose money since then. According to CrunchBase, Good had taken on an undisclosed amount of secondary market funding a month after the S-1 filing and received an $80M private equity investment in September 2014. It’s highly likely that a combination of slowing revenue growth and a non-existent road to profitability led Good’s management and investors to take BlackBerry’s acquisition offer.
The looming question is whether its newly expanded portfolio of enterprise mobile security capabilities will be enough for BlackBerry to accelerate its turnaround. Investors are reacting positively to the news. BlackBerry’s stock is currently up 1.54% while the broader NASDAQ is down 1.04%. Of course, only time will tell. Success will depend on how quickly BlackBerry can integrate Good’s technology into its own and how well it can sell the combined platform.

What the Ashley Madison hack could mean for national security

The release of information stolen from Ashley Madison, a site devoted to helping married individuals cheat on their spouses, could harm many people. But there is one group in particular — members of the military — that might suffer more than their civilian counterparts if they’re implicated by the data dump.
An estimated 32 million Ashley Madison users were affected by the hack of the company. Their email addresses, partial credit card information, and IP addresses were revealed over the weekend. For most people, the release of this data could be a problem. But for military members, being outed as adulterers could ruin their lives.
The Uniform Code of Military Justice is explicit about its stance on cheaters: they should be punished. Adultery itself rarely leads to a court-martial, but the charge is often added to other accusations against a serviceperson to increase their punishment, and could lead to much more severe disciplinary actions.
How severe? Well, adulterers could be punished with a year in confinement and a dishonorable discharge, which would lead them to lose all veteran benefits. Some, like former President George W. Bush, have advised against taking all adulterers to the court-martial. But still, the rule remains a part of the UCMJ.
It’s possible that many of the military email addresses used to sign up for Ashley Madison were fake. The company didn’t verify all account information, and someone might have used a fake email address to avoid a spouse’s ire, although that seems like a bit of a stretch. But given the other information available — including location data and the last four digits of customers’ credit cards — it doesn’t seem hard to identify personnel.
And this isn’t just a problem for the members of the military themselves. Had the data not been made public and instead been used for the hackers’ personal gain, holding this information over the head of someone in the military could have led to blackmail. That’s one of the main fears of any major security breach.
Just look at the breach at Anthem, the nation’s second-largest health insurer. One of the primary concerns was that whoever hacked the company had access to data that could inform phishing attacks against the military or government. (Anthem later said the hackers receiving such information was highly unlikely.)
Imagine if someone combined information from the two sources. You know who someone is, where they live, and that they joined a site to help them cheat. Would it really be that hard to come up with a phishing attack, or a compelling bit of blackmail, that could lead that person to make some kind of mistake?
Then there is the “potential for an attacker to reuse the stolen credentials on other Internet services or even government systems,” says Marcus J. Carey, chief technical officer of vThreat, a company that facilitates network attack simulations for enterprise networks. Should the AM data be used to eventually gain access to popular social networks, it could lead to a more long-term security threat to national security — leading military or federal workers to lose clearances, according to Carey.

“Something like Facebook or Twitter could be used to send people to malicious sites. Other federal employees would trust links from other people they know and follow online. Huge phishing potential for federal and military personnel,” Carey told me.

It’s easy to make jokes about Ashley Madison users deserving to be revealed, or how the company might pivot to become a dating service for recent divorcées (Zing!). But underneath that dubious moral posturing lies a serious warning about how stolen data from any large website could be more dangerous than you’d think.
Still, it’s hard not to ask one facetious question: Why would people with so much to lose attach their Ashley Madison accounts to their work email? Carey can answer that, too.
“There is a popular saying in the cybersecurity world,” he says. “There is no patch for stupid. People are always the weakest link.”
Carey’s point about people being the weakest link in any security system might be troublesome for another reason: the potential that anyone affected by this hack used the same password across multiple sites. (Microsoft researchers said in 2014 that many people are unable to remember long, unique, complex passwords, so they often repeat them across multiple sites or use less-secure options.)
This might not be a huge concern, since Ashley Madison did use decent encryption for passwords, as Quartz points out. Yet dedicating all efforts to cracking a particular account’s encryption is very possible. And depending on the person and the nature of their private online discussions, that could mean a lot of sensitive information could eventually slip into the wrong hands.
“When the OPM hack of government employees’ data occurred so close to the Ashley Madison hack pundits were quick to point out the possibility of applying big data analytics to a combined data set,” security industry analyst Richard Stiennon told Gigaom. “Now that the data has been dumped, it would be trivial to match up the records from OPM with anyone who works in government or has a security clearance and was also foolish enough to use their real name and email address on Ashley Madison.
“Of course journalists and researchers are all busy doing this today so those victims already have a problem,” he adds.
That’s more than a bit scary — not to mention that it may also increase the odds that hackers will attempt to use blackmail as a tactic to get what they want, according to Stiennon.
But there is one potential upside: Perhaps now people will take their privacy a little more seriously.
Ashley Madison’s breach is “Going to have a big impact on this sort of behavior in the future,” Stiennon said. “That is the upside of breaches. Nobody takes security seriously until they have been personally impacted.” Maybe now some of the country’s most valuable targets will be just a little bit more cautious.

Google takes first steps toward finer-grained access in Google Drive

Google Drive has provided a simple but powerful model for file sharing. The creator of a file can invite others to share it, as readers (read-only access), commenters (read and comment access) or editors (read, comment, and edit access). But this opens the door to all sorts of issues, like being able to make a copy of a read-only document, in which case all bets are off.
Google has taken a big step forward in access control by allowing creators to limit the sorts of things others may do with shared files. Here you see the new controls at the lower right under ‘owner settings’.
[Screenshot: the Google Drive sharing dialog with the new ‘owner settings’ controls, 2015-07-15]
Owners can block other editors from changing access or inviting new users to access the file, and they can now also block downloading, printing, and copying of the file for commenters and readers.
There is still apparently a backdoor, in that this phase of Google Drive Information Rights Management (IRM) can’t block users from taking a screenshot, or manually copying what’s in the document, as Emil Protalinski points out. The former can be controlled, but it will require a more elaborate system that can block operating system capabilities. These are the sorts of technologies that extremely secure file sync-and-share solutions, like Intralinks and ShareFile, implement. Google could be headed in that direction. But at the least, this is a first-order degree of protection that will reduce the mishandling of confidential information.
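To make the sharing model concrete, here is an added example (not Google’s code, and not from the original post) that models the reader/commenter/editor roles, the two new owner settings, and the residual screenshot/retype channel the IRM layer cannot close. The role and setting names, the users and the file are constructed for the illustration; the `exporters()` audit shows what a defender would check on a confidential file before and after the owner tightens the settings.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    """Sharing roles described in the post (owner added for the file's creator)."""
    OWNER = "owner"
    EDITOR = "editor"
    COMMENTER = "commenter"
    READER = "reader"


# Default capabilities per role: readers read, commenters read+comment, editors
# read+comment+edit. Before the new controls, every role could also get the
# content out (download/print/copy) and editors could re-share the file.
BASE_ACTIONS = {
    Role.OWNER:     {"read", "comment", "edit", "share", "download", "print", "copy"},
    Role.EDITOR:    {"read", "comment", "edit", "share", "download", "print", "copy"},
    Role.COMMENTER: {"read", "comment", "download", "print", "copy"},
    Role.READER:    {"read", "download", "print", "copy"},
}

EXPORT_ACTIONS = {"download", "print", "copy"}

# Channels this IRM layer cannot close: anyone who can read can still take a
# screenshot or retype the text. Listed so an audit reports them as residual risk.
UNENFORCEABLE = {"screenshot", "retype"}


@dataclass
class OwnerSettings:
    """The two new 'owner settings' switches (hypothetical field names)."""
    editors_can_reshare: bool = True   # False: editors cannot change access or invite others
    viewers_can_export: bool = True    # False: commenters/readers cannot download, print, copy


@dataclass
class SharedFile:
    name: str
    owner: str
    settings: OwnerSettings = field(default_factory=OwnerSettings)
    grants: dict = field(default_factory=dict)   # user -> Role (never OWNER)

    def role_of(self, user: str):
        if user == self.owner:
            return Role.OWNER
        return self.grants.get(user)

    def effective_actions(self, user: str) -> set:
        """Base actions for the user's role, minus what the owner settings withhold."""
        role = self.role_of(user)
        if role is None:
            return set()
        actions = set(BASE_ACTIONS[role])
        if role is Role.EDITOR and not self.settings.editors_can_reshare:
            actions.discard("share")
        if role in (Role.COMMENTER, Role.READER) and not self.settings.viewers_can_export:
            actions -= EXPORT_ACTIONS
        return actions

    def allowed(self, user: str, action: str) -> bool:
        return action in self.effective_actions(user)

    def share(self, actor: str, target: str, role: Role) -> None:
        """Grant access on behalf of `actor`; refused unless the actor may share."""
        if role is Role.OWNER:
            raise ValueError("ownership is not granted through sharing")
        if not self.allowed(actor, "share"):
            raise PermissionError(f"{actor} may not change access to {self.name}")
        self.grants[target] = role

    def residual_risks(self, user: str) -> set:
        """Leak channels that stay open to any user who can read the file."""
        return set(UNENFORCEABLE) if self.allowed(user, "read") else set()

    def exporters(self) -> set:
        """Audit helper: every user who can still get a copy of the file out."""
        return {u for u in [self.owner, *self.grants]
                if self.effective_actions(u) & EXPORT_ACTIONS}


def demo() -> dict:
    """Walk through the post's scenario with constructed users and a constructed file."""
    f = SharedFile("q3-plan.gdoc", owner="alice")
    f.share("alice", "bob", Role.EDITOR)
    f.share("alice", "carol", Role.READER)
    before = f.exporters()                       # {'alice', 'bob', 'carol'}
    f.settings = OwnerSettings(editors_can_reshare=False, viewers_can_export=False)
    after = f.exporters()                        # {'alice', 'bob'}
    return {"before": before, "after": after, "carol_residual": f.residual_risks("carol")}


if __name__ == "__main__":
    print(demo())
```

Note that tightening the settings removes `carol` from the export audit but `residual_risks("carol")` still reports the screenshot and retype channels, which is exactly the gap the post describes: the control reduces casual mishandling, it does not stop a determined reader.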

Germany pushes for widespread end-to-end email encryption

The biggest webmail providers in Germany will soon encourage their customers to use full-blown end-to-end email encryption. The providers, including Deutsche Telekom and United Internet, will next month roll out a browser plugin that’s supposed to make traditionally laborious PGP technology easier to use – and in the process, they’re addressing a key concern about the existing “De-Mail” system.

The De-Mail initiative dates back to 2011, when the German government decided to push for trusted email both as an e-government tool and as a way to cut down on official and corporate paper mail. De-Mail addresses are provided by the likes of Deutsche Telekom and United Internet, and those signing up for them need to show a form of official identification to do so. Receiving emails on a De-Mail address is free but sending them costs money.

In 2013, shortly after Edward Snowden’s leaks started causing conniptions in Berlin, the providers announced that they would start encrypting emails traveling between their various servers – something they should really have been doing anyway. However, emails sent through the system are still scanned for viruses, using a system designed by the German Office for Information Security (BSI), before they are sent to the recipient.

The new end-to-end encryption system will be more secure than that, leaving anyone other than the sender and the recipient unable to inspect what is being sent. From April, De-Mail users will be able to download a plugin for Chrome or Firefox that will supposedly make PGP easy to use, which is no mean feat. United Internet developed the plugin in conjunction with the open-source Mailvelope OpenPGP project and its code will be published, so suspicious developers and hackers will be able to check it for backdoors. The keys will be stored on the customer’s device.

If it all works as promised, this might prove a significant boost for the De-Mail initiative. A recent report showed lackluster take-up for De-Mail among citizens, largely because of the friction involved in registering an address. To that end, the providers also announced on Monday that they’re keen to use online bank accounts as a suitable form of identification – after all, you need ID to set one of those up in Germany, so the verification is already done there. According to a Deutsche Telekom spokesman, the BSI is currently reviewing this proposal.

The De-Mail PGP push appears to have the full support of the German government, providing a notable contrast with the stance of authorities in the U.S. and U.K., who oppose end-to-end encryption because they want their law enforcement and intelligence agencies to be able to more easily read people’s communications. In a statement, interior minister Thomas De Maizière said encryption was an important requirement for Germany’s desire to take the lead in the provision of digital services. He said the new plugins would provide “mass-market-suitable” end-to-end encryption for a variety of different use cases and security requirements.

Various government departments and local authorities are moving over to De-Mail – the Federal Employment Agency started using it for communicating with citizens last month, and the cities of Dresden and Cologne are doing the same. It’s not yet clear whether these authorities will use PGP for those emails, though a United Internet spokesman suggested to me that they will be encouraged to do so.

Email always leaks metadata, and we are of course talking about ID-verified email addresses that will be able to show with great certainty that X was talking to Y. However, if this scheme works out it will be a huge boost in getting ordinary people to use what is still very much a niche technology, and once they’re comfortable with it they may start using PGP with regular, possibly anonymous, email addresses for added privacy.

Google is also working on an end-to-end encryption plugin for its Gmail service, but that effort is still in the alpha stage and probably some way off from being ready for the mass market.

This article was updated at 5.40am PT with a reference to the cost of using De-Mail.

As FTC adds encryption to its website, government remains unsure on corporate use

The Federal Trade Commission’s website just got a whole lot safer for people to peruse after the government agency said Friday that it now supports HTTPS encryption. While it used to provide secure transport for the parts of the website that dealt with sensitive information like complaint data and email subscriptions, this is the first time that secure browsing covers the entire site, the FTC said.

When a website is secured through the HTTPS communication protocol, all data passed between the site and the person who is accessing it will be encrypted through the use of either the SSL or TLS encryption protocols. Basically, the person’s browser initiates communication with the locked-down website and through the exchanging of encryption keys, all information should be scrambled from prying eyes.

In theory, this process works fine, but as the latest FREAK bug demonstrates, there can be holes in the system, especially if the browsers or devices in question use flawed TLS implementations to speak to websites. In the case of FREAK, Android browsers built on the OpenSSL library, Safari browsers using Apple’s TLS/SSL implementation and now all supported versions of Windows that use the Schannel security package (sorry IE users) are vulnerable to hackers who can essentially weaken the encryption that takes place.

Still, many sites use HTTPS as it is one of the most common tools to prevent eavesdroppers from snooping on website sessions. In the case of the FTC, it may seem like a no-brainer to add encryption, but the U.S. government hasn’t always shown support for encryption technology, especially when it comes to tech companies and mobile-device makers who use the tech to mask data.

Both the U.S. and U.K. governments have made it clear they feel that companies using encrypted communications can impede government investigations and even the Chinese government has jumped on the bandwagon with a proposed law that would require tech companies to hand over their encryption keys.

Ironically, a leaked U.S. report on cyber threats explained that encryption technology is the “[b]est defense to protect data,” which shows that the U.S. government hasn’t quite made up its mind on where it sees encryption technology. If it protects consumers from spying eyes as in the case of the FTC website, then that’s great, but if the government perceives that the technology may prevent it from doing its job, it’s a no-go.

Either way, the corporate sector shows no signs of slowing down when it comes to developing new businesses around encryption, with recent funding rounds for encryption-centric startups like CipherCloud and Ionic Security.

The U.S. government, as well, still has a long way to go. Many .gov domains, like those of the U.S. Department of Education, the U.S. Department of the Treasury and NASA, remain unencrypted. So expect this tug-of-war between the need to protect data and the government’s desire to scan encrypted company data in the course of investigations to continue.

Windows users are also vulnerable to FREAK snooping attacks

The “FREAK” vulnerability that downgrades and weakens secure web connections doesn’t just affect Google and Apple users — according to a security advisory from Microsoft, all supported versions of Windows are vulnerable too.

FREAK (Factoring attack on RSA-EXPORT Keys) is a recently discovered hangover from the early 90s, when the U.S. government banned the export of most software that used strong encryption. The SSL web security protocol was for that reason built with a special mode that uses key lengths considered weak today. The law was changed but the weak cipher suites remain, and although most modern browsers are supposed to avoid them like the plague, a widespread bug means they don’t always do that.

The FREAK flaw allows “man-in-the-middle” snoopers to downgrade a session’s security to that mode – as long as the browser is vulnerable and the server accepts those weak old cipher suites — then crack the keys and spy away.

When the flaw was publicized earlier this week, it was Apple’s Safari browser and the stock Android browser that were on the firing line for being vulnerable, endangering those users who communicate with servers that accept “export-grade” encryption – apparently a whopping third of servers with browser-trusted certificates. But it turns out the list of affected browsers and systems is way longer than that.

The big one is Windows. In pretty much every version of Windows that’s out there, Internet Explorer and whatever else uses the Schannel security package are vulnerable to the FREAK attack.

In its advisory, Microsoft said:

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Per the researchers who brought this all to our attention, here’s the current list of browsers that need patching:

  • Internet Explorer
  • Chrome on OS X (patch available)
  • Chrome on Android
  • Safari on OS X (patch expected next week)
  • Safari on iOS (patch expected next week)
  • Stock Android browser
  • BlackBerry browser
  • Opera on OS X
  • Opera on Linux

As a Firefox user, I’m feeling slightly smug this week — the researchers’ FREAK test tool just gave my browser a clean bill of health, and told me my never-used IE installation is vulnerable. Not too smug though, given the impact on other Windows software.

Good thing the anti-strong-encryption nonsense that caused this mess is a relic of past decades, eh? Oh wait…

Decade-old FREAK bug leaves Google and Apple device users vulnerable

A team of security researchers unearthed a decade-old vulnerability called the FREAK (Factoring attack on RSA-EXPORT Keys) attack, which impacts Google and Apple device users who may have visited certain affected websites, according to a Washington Post report. One of the researchers who spotted the vulnerability told the Post that “Of the 14 million Web sites worldwide that offer encryption, more than 5 million remained vulnerable as of Tuesday morning.”

According to Matthew Green, a cryptographer and research professor at Johns Hopkins University who has been looking into the flaw, the security researchers found serious vulnerabilities in the security protocols used by the Safari browser and the browser found in Android devices. These protocols are used to encrypt data through secure network connections between websites and browsers.

Even though the Android browser in question is built on the OpenSSL library and Safari uses Apple’s own TLS/SSL implementation, both are affected in the same way, and a hacker taking advantage of the bug can “downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA,” Green wrote. This basically means that a hacker can insert themselves into the connection between the browser and the website and weaken the encryption that occurs. When this happens, the hacker can supposedly decrypt the data and obtain the information that was supposed to be secure.
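The downgrade described in both FREAK items above (the Windows advisory piece and this one) comes down to a single handshake field: the cipher suite a browser offers in its ClientHello and the one the server echoes back in its ServerHello. The Python below is an added example, not code from the articles, the researchers’ test tool, or any vendor. It parses those two messages from raw record bytes and flags the RSA_EXPORT and DH*_EXPORT suites (standard IANA identifiers) that the attack relies on. The sample handshakes it checks are constructed inside the block, not captured from a real server or browser.

```python
"""Flag export-grade TLS cipher suites in captured ClientHello / ServerHello records.

Added example, not code from the articles above or from the FREAK researchers.
It reads the TLS record header, the handshake header and the fixed leading
fields of a Hello message, and reports any RSA_EXPORT / DH*_EXPORT suite.
The sample records at the bottom are constructed by hand (all-zero randoms,
empty session ids), not captured from any real server or browser.
"""
import struct

HANDSHAKE = 22          # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2

# IANA cipher suite identifiers whose names carry "EXPORT": 40-bit symmetric
# keys and 512-bit RSA/DH parameters, the suites a FREAK downgrade lands on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def _unwrap_handshake(record, expected_type):
    """Strip record and handshake headers, checking every length along the way."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("record length does not match payload")
    if body[0] != expected_type:
        raise ValueError("expected handshake type %d, got %d" % (expected_type, body[0]))
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len:
        raise ValueError("handshake length does not match payload")
    return msg


def _after_session_id(hello):
    """Offset just past version(2) + random(32) + session_id(1 + n)."""
    if len(hello) < 35:
        raise ValueError("Hello too short")
    return 35 + hello[34]


def negotiated_suite(record):
    """Cipher suite the server chose, from a ServerHello record."""
    hello = _unwrap_handshake(record, SERVER_HELLO)
    pos = _after_session_id(hello)
    if len(hello) < pos + 3:          # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[pos:pos + 2])[0]


def offered_suites(record):
    """Cipher suites the client offered, in order, from a ClientHello record."""
    hello = _unwrap_handshake(record, CLIENT_HELLO)
    pos = _after_session_id(hello)
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    n = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if n % 2 or len(hello) < pos + n:
        raise ValueError("bad cipher_suites vector")
    return [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def export_suites_in(suites):
    """Names of any export-grade suites among the given identifiers."""
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


# --- constructed sample records (test data, not real traffic) ---------------

def _wrap(hs_type, body):
    """Put a handshake body inside handshake and TLS 1.0 record headers."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite):
    """Minimal ServerHello: version, zero random, empty session id, suite, null compression."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, hello)


def build_client_hello(suites):
    """Minimal ClientHello offering the given suites and null compression only."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    return _wrap(CLIENT_HELLO, hello)


if __name__ == "__main__":
    # A browser that still offers an RSA_EXPORT suite behind two modern ones,
    # and a server that accepts a DHE_EXPORT downgrade.
    client = build_client_hello([0xC02F, 0x002F, 0x0003])
    server = build_server_hello(0x0014)
    print("client offers export suites:", export_suites_in(offered_suites(client)))
    print("server negotiated export suite:", export_suites_in([negotiated_suite(server)]))
```

Run the check over ServerHello records from a capture on the server side to confirm that an export suite is never negotiated (the server-side fix is simply to drop those suites from the configured cipher list), and over ClientHello records to spot browsers that still offer them, which is essentially what the researchers’ browser test observes. The parser stops at the cipher suite field and does not walk extensions, which is all the FREAK question needs.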

While the bug clearly affects a lot of users, Forbes is reporting that actually pulling off the hack requires a lot of work, and it’s more likely that hackers would attempt another kind of attack.

From Forbes:

“This all sounds scary, but in reality, there are easier attack methods for snoops or criminals to spy on your online lives. For starters, a FREAKy hacker will have to find a target using a vulnerable PC, phone or tablet, and hope they use the affected sites. They’ll also have to be on the same network, though the NSA, GCHQ and myriad other intelligence agencies have access to much of the world’s internet, so would easily be able to carry out such an attack, as long as the other criteria were met.”

What’s interesting is that the reason why there is weaker encryption in the first place has to do with U.S. government policy “that once forbid the export of strong encryption” and instead called for products shipped to other countries to come equipped with weak encryption, the Post reported. Although the policy is supposedly no longer in effect, the damage has been done and “weaker encryption got baked into widely used software that proliferated around the world and back into the United States.”

While Google’s Chrome browser is not affected by the vulnerability, the browser found in the majority of Android devices is, and an Apple spokeswoman told the Post that the company will be issuing a security patch that should fix both Apple computers and mobile devices.

Encryption has been a hot topic as of late as China just unveiled a new counterterrorism law that would require tech companies to hand over their encryption keys if the Chinese government calls for it. Both the U.S. and the U.K. have also let it be known that encryption hampers a government’s ability to perform investigations and if companies use the tech, they should be prepared to turn over the encryption keys.