Samsung and South Korean telecom giant SK Telecom have debuted the Galaxy A Quantum 5G smartphone, sporting a quantum random number generation (RNG) chipset. It's the first commercialization of quantum technology for mobile phones, and it will serve as a significant bellwether for full quantum encryption's chances of going mainstream. Threatpost reports: Quantum encryption in general has been touted as being "unhackable" because it generates random numbers and secure keys that cannot be predicted, via particles that can't be intercepted, eavesdropped upon or spoofed. The very laws of physics themselves prevent successful cracking, the theory goes. However, researchers have proven more than once that this isn't the case -- though hacks so far have required sustained physical access to a device.

In any event, the Samsung phone will provide an interesting test case for the technology -- though details are scant in terms of how the chipset actually works. The Galaxy will use quantum security in a few different scenarios, according to an SK press release (translated with Google Translate). These include logging into carrier accounts on the device; securely storing personal documents via a blockchain-enabled "Quantum Wallet" and for biometric-based mobile payments at retail stores. Online payment protection is also on the roadmap. SK Telecom also plans to roll out open APIs for developers to begin incorporating the technology on an OEM and application basis.

An anonymous reader quotes a report from Paul Thurrott: With the new build of Windows 10 [19628], Microsoft is starting to test DNS over HTTPS. The new build comes with Microsoft's initial support for DNS over HTTPS on Windows, and Insiders will have to manually enable the new feature. If you would like to enable DNS over HTTPS in Windows 10, you will have to first install the latest Insider build. After that, you will have to go into the registry and tweak an entry to first enable the new DNS over HTTPS client, and then update the DNS servers your computer is using. It's not as easy as ticking a checkbox, but Microsoft has shared the instructions to enable the feature in detail, so make sure to check it out here. What is DNS over HTTPS and why is it important? "DNS, to put simply, is the process where an easy-to-read and write domain address is translated into an actual IP address for where a web resource is located," writes Thurrott. "Although most websites already use HTTPS for added privacy, your computer is still making DNS requests and resolving addresses without any encryption. With DNS over HTTPS, your device will perform all the required DNS requests over a secured HTTPS connection, which improves security thanks to the encrypted connection."

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. From a report: Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains. The company has faced a number of security issues in the last couple of months as demand as soared and exposed some security weaknesses in the platform. As the company has moved to address these issues, having a team of encryption experts on staff should help the company build a more secure product. In a blog post announcing the deal, CEO Eric Yuan said they acquired Keybase to give customers a higher level of security, something that's increasingly important to enterprise customers as more operations are relying on the platform, working from home during the pandemic.

Christopher Wray, the FBI director who has been one of the fiercest critics of encryption under the Trump administration, previously worked as a lawyer for WhatsApp, where he defended the practice, according to new court filings. From a report: The documents, which were released late on Wednesday night as part of an unrelated matter, show Wray worked for WhatsApp in 2015 while he was an attorney for the Washington law firm of King & Spalding. While there are sparse details about the precise nature of the work, the filings indicate that Wray strongly defended the need for end-to-end encryption in his previous representation of WhatsApp, the popular messaging application owned by Facebook. Wray's earlier work -- which has not previously been public -- contradicts his current position on encryption, which protects users' communications and other data from being read by outsiders. The Trump administration and major technology companies like Facebook have been at odds over the need to offer customers encryption services, with the White House and law enforcement officials arguing the technology represents a security risk by protecting the communication of terrorists and criminals.

The US National Security Agency (NSA) published last week a security assessment of today's most popular video conferencing, text chatting, and collaboration tools. From a report: The guidance contains a list of security criteria that the NSA hopes companies take into consideration when selecting which telework tool/service they want to deploy in their environments. The NSA document is not only meant for US government and military entities but the private sector as well. The idea behind the NSA's initiative is to give military, public, and private organizations an overview of all of a tools' features, so IT staff don't make wrong decisions, expecting that a tool provides certain features that are not actually living up to the reality. Per the NSA's document, the assessed criteria answers to basic questions like:

Does the service implement end-to-end (E2E) encryption?
Does the E2E encryption use strong, well-known, testable encryption standards?
Is multi-factor authentication (MFA) available?
Can users see and control who connects to collaboration sessions?
Does the tool's vendor share data with third parties or affiliates?
Do users have the ability to securely delete data from the service and its repositories as needed (both on client and server-side)?
Is the tool's source code public (e.g. open source)?
Is the service FedRAMP approved for official US government use?

Google has announced the general availability of a long-awaited feature -- the ability to manage Windows 10 devices through G Suite. From a report: Until today, companies that used G Suite to manage corporate endpoints could only enroll Android, iOS, Chrome, and Jamboard devices. Once enrolled in a G Suite enterprise plan, system administrators at these companies would have full control over the enrolled devices, to ensure that company data was safeguarded from sloppy employees. G Suite admins could enforce security policies related to login operations, file storage, encryption, and other features. Starting this week, the same features are now also available for working with Windows 10 devices, Google announced in a blog post. These include the ability to, among other things: Log into Windows 10 systems using a Google account, control Windows 10 update rules, and change Windows 10 settings remotely.

An anonymous reader quotes a report from The Verge: On Friday, Apple and Google revised their ambitious automatic contact-tracing proposal, just two weeks after the system was first announced. An Apple representative said the changes were the result of feedback both companies had received about the specifications and how they might be improved. The companies also released a "Frequently Asked Questions" page, which rehashes much of the information already made public. On a call accompanying the announcement, representatives from each company pledged for the first time to disable the service after the outbreak had been sufficiently contained. Such a decision would have to be made on a region-by-region basis, and it's unclear how public health authorities would reach such a determination. However, the engineers stated definitively that the APIs were not intended to be maintained indefinitely.

Under the new encryption specification, daily tracing keys will now be randomly generated rather than mathematically derived from a user's private key. Crucially, the daily tracing key is shared with the central database if a user decides to report their positive diagnosis. As part of the change, the daily key is now referred to as the "temporary tracing key," and the long-term tracing key included in the original specification is no longer present. The new encryption specification also establishes specific protections around the metadata associated with the system's Bluetooth transmissions. Along with the random codes, devices will also broadcast their base power level (used in calculating proximity) and which version of the tool they are running. The companies are also changing the language they use to describe the project. The protocols were initially announced as a contact-tracing system, it is now referred to as an "exposure notification" system. The companies say the name change reflects that the new system should be "in service of broader contact tracing efforts by public health authorities."

One of the largest VPN companies, NordVPN, is rolling out NordLynx -- it's first mainstream WireGuard virtual private network for its Windows, Mac, Android and iOS client-software applications. ZDNet reports: NordVPN's own tests have shown NordLynx easily outperforms the other protocols, IKEv2/IPsec and OpenVPN. How much faster? According to NordVPN's 256,886 speed tests, "When a user connects to a nearby VPN server and downloads content that's served from a content delivery network (CDN) within a few thousand miles/kilometers, they can expect up to twice higher download and upload speed." While speed is what customers will notice, security experts like WireGuard for its code's simplicity. With only about 4,000 lines of code, WireGuard's code can be comprehensively reviewed by a single individual.

Besides WireGuard, NordVPN adds in its double Network Address Translation (NAT) system to protect users' privacy. This enables users to establish a secure VPN connection while storing no identifiable user data on a server. You're assigned a dynamic local IP address that remains assigned only while the session is active. User authentication is done with the help of a secure external database. To switch to NordLynx, users need to update their NordVPN app to the latest version. The NordLynx protocol can be chosen manually from the Settings menu.

As cities across the United States continue shelter-in-place orders due to the COVID-19 pandemic, some in-person court proceedings are now taking place over Zoom. "It's an unprecedented moment for the justice system, which is typically slow to adapt to new technology," writes Zoe Schiffer from The Verge. "No one is sure if that's a good thing." From the report: Critics worry the change has made it more difficult for the public to access court proceedings. Court watchers -- volunteers who monitor hearings to hold judges and prosecutors accountable -- say their access has evaporated during the pandemic. There's also concern that remote hearings can unfairly advantage fancy law firms that can pay for good lighting and stable internet connections. Zoom has also had major security flaws, including default settings that didn't include meeting passwords (a problem the company has now fixed) and a misleading definition of end-to-end encryption. (The company claimed meetings were end-to-end encrypted; they are not.) But supporters say going online is critical for protecting public health. For those in detention, postponing a hearing means potentially spending more time in jail, while appearing in person could put the individual and those around them at risk.

[Judge Vince Chhabria said] that while conducting remote trials makes sense during the pandemic, he's wary of extending this beyond the crisis. "So much of trying a case from the lawyers' perspective is having a feel for the courtroom and for the people in the courtroom and what is interesting to them," he says. "So much of presiding over a trial, as a judge, has to do with feel. I think it would be unfortunate if the new normal became too reliant on remote proceedings." His concern is echoed by Alan Rupe, [employment lawyer at Lewis Brisbois]. "A lot of what I do involves witness credibility," he says. "When you're assessing someone's credibility you have to be in the same room as them."

According to the Financial Times, U.S. senators have been advised not to use videoconferencing platform Zoom over security concerns. From a report: According to three people briefed on the matter, the Senate sergeant-at-arms -- whose job it is to run law enforcement and security on the Capitol -- told senators to find alternative methods for remote working, although he did not implement an outright ban. With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported. The slew of privacy issues prompted Taiwan's government agencies to stop using the service. Google also banned Zoom from its employees' devices.

Signal is warning that an anti-encryption bill circulating in Congress could force the private messaging app to pull out of the U.S. market. PC Magazine reports: Since the start of the coronavirus pandemic, the free app, which offers end-to-end encryption, has seen a surge in traffic. But on Wednesday, the nonprofit behind the app published a blog post, raising the alarm around the EARN IT Act. "At a time when more people than ever are benefiting from these (encryption) protections, the EARN IT bill proposed by the Senate Judiciary Committee threatens to put them at risk," Signal developer Joshua Lund wrote in the post. Although the goal of the legislation, which has bipartisan support, is to stamp out online child exploitation, it does so by letting the U..S government regulate how internet companies should combat the problem -- even if it means undermining the end-to-end encryption protecting your messages from snoops.

If the companies fail to do so, they risk losing legal immunity under Section 230 of the Communications Decency Act, which can shield them from lawsuits concerning objectionable or illegal content posted on their websites or apps. "Some large tech behemoths could hypothetically shoulder the enormous financial burden of handling hundreds of new lawsuits if they suddenly became responsible for the random things their users say, but it would not be possible for a small nonprofit like Signal to continue to operate within the United States," Lund wrote in the blog post.

Video conferencing company Zoom is being used by a shareholder over allegations of fraud and overstating the security protocols in place on its service. Gizmodo reports: In the lawsuit filed Tuesday in the U.S. District Court for the Northern District of California, plaintiff Michael Drieu -- on behalf of individuals who purchased Zoom securities after the company went public last year -- accuses the company of making "materially false and misleading statements" about its product and failing to disclose key information about the service. Namely, the suit cites Zoom as claiming that its product supported end-to-end encryption, when in fact it supports a different form of encryption called transport encryption -- as the Intercept reported last month -- that still allows Zoom to access data.

Additionally, the suit alleges that Zoom's security failures put users "eat an increased risk of having their personal information accessed by unauthorized parties, including Facebook," that these facts would necessarily result in a decline in users, and that the company's responses to ongoing reporting on myriad problems on the service were "misleading at all relevant times." The suit states that the fallout from these incidents was exacerbated by the covid-19 crisis, during which time users of the service jumped from just 10 million to 200 million in a matter of months as schools and organizations turned to Zoom amid social distancing measures and shelter-in-place orders. The suit cites documentation related to Zoom's IPO as evidence that the company misrepresented the security protocols in place for protecting users. Specifically, the suit states, Zoom said it offered "robust security capabilities, including end-to-end encryption, secure login, administrative controls and role-based access controls," and -- in what was clearly an embarrassing claim by the company -- that it strives "to live up to the trust our customers place in us by delivering a communications solution that "just works.'"

Taiwan's cabinet has told government agencies to stop using the Zoom conferencing app due to privacy and security woes. Reuters reports: Zoom's daily users ballooned to more than 200 million in March, as coronavirus-induced shutdowns forced employees to work from home and schools switched to the company's free app for conducting and coordinating online classes. However, the company is facing a backlash from users worried about the lack of end-to-end encryption of meeting sessions and "zoombombing," where uninvited guests crash into meetings. If government agencies must hold video conferencing, they "should not use products with security concerns, like Zoom," Taiwan's cabinet said in a statement on Tuesday. It did not elaborate on what the security concerns were. The island's education ministry later said it was banning the use of Zoom in schools.

Taiwan would be the first government formally advising against use of Zoom, although some U.S. schools districts are looking at putting limits on its use after an FBI warning last month. Taiwan's cabinet said domestically-made conferencing apps were preferred, but if needed products from Google and Microsoft could also be considered.

Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto. From a report: The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab -- widely followed in information security circles -- that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them.

An anonymous reader shares a report: Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings. With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using "computer audio" instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom's website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption. Further reading: Regarding Zoom.

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private network (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks. Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.

Proton Technologies, the company behind encrypted email provider ProtonMail, has announced plans to circumvent censorship by routing connections to its servers through third-party infrastructure, which may include Google -- a company that ProtonMail has long been critical of over its privacy practices. From a report: Proton, which was founded out of Switzerland in 2013 by academic researchers working on particle physics projects at CERN, promises ProtonMail users full privacy via client-side encryption, meaning that nobody can intercept and read their emails -- it has frequently positioned itself as the antithesis of Gmail, which serves as a vital cog in Google's advertising wheel. ProtonMail, on the other hand, has emerged as a prominent privacy-focused alternative, used by companies and individuals -- including White House staffers and activists -- wishing to sidestep snoopers.

Thus, ProtonMail has faced its fair share of censorship, with the likes of Turkey, Belarus, and Russia all blocking the service in recent times. This is something that Proton is now pushing harder to counter with its new backup solution. The new tool, which will be deployed over the next few weeks in the ProtonMail desktop and mobile apps, is designed to sidestep any blocks imposed by network administrators, internet service providers (ISPs), or governments.

An anonymous reader quotes a report from ZDNet: According to new research published today, modern RAM cards are still vulnerable to Rowhammer attacks despite extensive mitigations that have been deployed by manufacturers over the past six years. These mitigations, collectively referred to as Target Row Refresh (TRR), are a combination of software and hardware fixes that have been slowly added to the design of modern RAM cards after 2014 when academics disclosed the first-ever Rowhammer attack. But in a new research paper titled today and titled "TRRespass: Exploiting the Many Sides of Target Row Refresh," a team of academics from universities in the Netherlands and Switzerland said they developed a generic tool named TRRespass that can be used to upgrade the old Rowhammer attacks to work on the new-and-improved TRR-protected RAM cards. The new upgraded attacks work on both DIMM and LPDDR4 memory types, and can be used to retrieve encryption keys from memory, or escalate an attacker's access right to sudo/SYSTEM-level.

An anonymous reader writes: According to new research published this week, modern RAM cards are still vulnerable to Rowhammer attacks despite extensive mitigations that have been deployed by manufacturers over the past six years. These mitigations, collectively referred to as Target Row Refresh (TRR), are a combination of software and hardware fixes that have been slowly added to the design of modern RAM cards after 2014 when academics disclosed the first-ever Rowhammer attack.

But in a new research paper titled today and titled "TRRespass: Exploiting the Many Sides of Target Row Refresh" a team of academics from universities in the Netherlands and Switzerland said they developed a generic tool named TRRespass that can be used to upgrade the old Rowhammer attacks to work on the new-and-improved TRR-protected RAM cards. The new upgraded attacks work on both DIMM and LPDDR4 memory types, and can be used to retrieve encryption keys from memory, or escalate an attacker's access right to sudo/SYSTEM-level.

A bipartisan pair of US senators on Thursday introduced long-rumored legislation known as the EARN IT Act. The bill is meant to combat child sexual exploitation online, but if passed, it could hurt encryption as we know it. Matthew Green, a cryptographer and professor at Johns Hopkins University, writes: Because the Department of Justice has largely failed in its mission to convince the public that tech firms should stop using end-to-end encryption, it's decided to try a different tack. Instead of demanding that tech firms provide access to messages only in serious criminal circumstances and with a warrant, the DoJ and backers in Congress have decided to leverage concern around the distribution of child pornography, also known as child sexual abuse material, or CSAM. [...] End-to-end encryption systems make CSAM scanning more challenging: this is because photo scanning systems are essentially a form of mass surveillance -- one that's deployed for a good cause -- and end-to-end encryption is explicitly designed to prevent mass surveillance. So photo scanning while also allowing encryption is a fundamentally hard problem, one that providers don't yet know how to solve.

All of this brings us to EARN IT. The new bill, out of Lindsey Graham's Judiciary committee, is designed to force providers to either solve the encryption-while-scanning problem, or stop using encryption entirely. And given that we don't yet know how to solve the problem -- and the techniques to do it are basically at the research stage of R&D -- it's likely that "stop using encryption" is really the preferred goal. EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct "best practices" for scanning their systems for CSAM. Since there are no "best practices" in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.