Wednesday, 31 July 2013

((URGENT)) MASTER KEY ATTEMPTS #NSA #FBI



Frost & Sullivan: Digital Certificates Cornerstone to Secure Data Transfer - Video by tvnportal
"Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers that connects, via a secure channel over an insecure network, a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes between two major versions that are referred to as SSH-1 and SSH-2.

The best-known application of the protocol is for access to shell accounts on Unix-like operating systems, but it can also be used in a similar fashion for accounts on Windows. It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.[2] The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet."


Persistent SSH Tunnels for Windows and Linux, Local vs Remote Forwards and More - Hak5 by Hak5

Nice to see this issue finally coming into view, having had a Man-in-The-Middle on the line, almost permanently, including on my banking connection (picked up by Barclays Bank in the UK, as well as myself). In my view, some companies have DEFINITELY succumbed to the pressure.

"The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping.

These demands for master encryption keys, which have not been disclosed previously, represent a technological escalation in the clandestine methods that the FBI and the National Security Agency employ when conducting electronic surveillance against Internet users.

If the government obtains a company's master encryption key, agents could decrypt the contents of communications intercepted through a wiretap or by invoking the potent surveillance authorities of the Foreign Intelligence Surveillance Act. Web encryption -- which often appears in a browser with a HTTPS lock icon when enabled -- uses a technique called SSL, or Secure Sockets Layer.

"The government is definitely demanding SSL keys from providers," said one person who has responded to government attempts to obtain encryption keys. The source spoke with CNET on condition of anonymity.

The person said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits, but voiced concern that smaller companies without well-staffed legal departments might be less willing to put up a fight. "I believe the government is beating up on the little guys," the person said. "The government's view is that anything we can think of, we can compel you to do."

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would turn over a master key used for Web encryption or server-to-server e-mail encryption, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for encryption keys. But a spokesperson said the company has "never handed over keys" to the government, and that it carefully reviews each and every request. "We're sticklers for details -- frequently pushing back when the requests appear to be fishing expeditions or don't follow the correct process," the spokesperson said.

Sarah Feinberg, a spokeswoman for Facebook, said that her employer has not received requests for encryption keys from the U.S. government or other governments. In response to a question about divulging encryption keys, Feinberg said: "We have not, and we would fight aggressively against any request for such information."

Apple, Yahoo, AOL, Verizon, AT&T, Time Warner Cable, and Comcast declined to respond to queries about whether they would divulge encryption keys to government agencies.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said: "Our interpretation is that we are prohibited by law from releasing our SSL key. In the event that we received such a request, we would refuse, for both legal and ethical reasons." Releasing the SSL key would be nearly "equivalent to allowing interception on all our users, which is clearly illegal," Lovejoy said."

Continues.

How to avoid this issue? Easy: only TRUST SSL certs that are SELF-SIGNED, and by someone you personally trust to keep the private key secure, ALONG WITH *not* succumbing to bullying from govt! Nothing else can protect you from this attack; fact!
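
One way to apply the advice above in a client, as an added example that is not part of the original post: pin the SHA-256 fingerprint of one specific self-signed certificate and refuse any other. The function names, the sample bytes and the pin are constructed for illustration; a real fingerprint has to come from the key holder out of band.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, as lowercase hex without separators."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(pin: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex and return lowercase hex."""
    return pin.replace(":", "").replace(" ", "").strip().lower()


def is_pinned(der_cert: bytes, pins) -> bool:
    """True only if this exact certificate is in the locally stored pin set."""
    allowed = {normalize(p) for p in pins}
    return fingerprint(der_cert) in allowed


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0):
    """Open a TLS connection and keep it only if the server's certificate is pinned.

    CA validation is switched off on purpose: for a self-signed certificate
    there is no chain to check, so all trust comes from the pin comparison.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not is_pinned(der, pins):
        tls.close()
        raise ssl.SSLError("server certificate is not in the pin set")
    return tls


# Constructed sample: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
_hex = fingerprint(SAMPLE_DER)
SAMPLE_PIN = ":".join(_hex[i:i + 2] for i in range(0, 64, 2)).upper()
```

A pin only says which certificate is on the other end; it still depends on the key holder keeping the private key to themselves, which is the condition the post itself sets.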

Bonus


SSH Public Key Fingerprints, Windows SSH Servers and Linux Key Pair Exchange - Hak5 by Hak5






How to Setup Two Factor Authentication in Backtrack Linux - Hak5 by Hak5

Source:

http://news.cnet.com/8301-13578_3-57595202-38/feds-put-heat-on-web-firms-for-master-encryption-keys/
