Lenovo caught with unremovable crapware


Lenovo has sold laptops bundled with unremovable software that features a bonus exploitable security vulnerability.

If the crapware is deleted, or the hard drive wiped and Windows reinstalled from scratch, the laptop’s firmware will quietly and automatically reinstall Lenovo’s software on the next boot-up.

Built into the firmware on the laptops’ motherboard is a piece of code called the Lenovo Service Engine (LSE). If Windows is installed, the LSE is executed before the Microsoft operating system is launched.

The LSE makes sure C:\Windows\system32\autochk.exe is Lenovo’s variant of the autochk.exe file; if Microsoft’s official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer’s file system to make sure it’s free of any corruption.

Lenovo’s variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system’s system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.

LenovoCheck and LenovoUpdate are executed on startup with full administrator access. Automatically, and rather rudely, they connect to the internet to download and install drivers, a system “optimizer”, and whatever else Lenovo wants on your computer. Lenovo’s software also phones home to the Chinese giant details of the running system.

To pull this off, the LSE exploits Microsoft’s Windows Platform Binary Table (WPBT) feature. This allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware.

The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.

“During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary,” Microsoft’s documentation states.

“The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process.”

Crucially, the WPBT documentation stresses:

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration … Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.
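To make the mechanism above concrete from the defender's side, here is an added example (not code from Lenovo, Microsoft or the article) that parses a WPBT table and reports what the firmware is asking Windows to run, from which physical address, with which arguments, and whether the ACPI checksum holds. It assumes the field layout from Microsoft's WPBT specification as stated in the docstring, ships a constructed sample table so it runs offline, and on Windows reads the live table through kernel32's GetSystemFirmwareTable.

```python
"""Parse and audit a Windows Platform Binary Table (WPBT) ACPI table.

Added example, not code from Lenovo, Microsoft or The Register.  Field layout
follows Microsoft's WPBT specification as this example's author understands it
(an assumption; check it against the spec): 36-byte ACPI header, handoff size
(u32), handoff physical address (u64), content layout (u8), content type (u8),
command-line byte length (u16), UTF-16LE command line.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # signature .. creator revision
WPBT_BODY = struct.Struct("<IQBBH")            # the WPBT-specific fields
CONTENT_LAYOUT_PE_IMAGE = 1                    # enumerated values per spec (assumed)
CONTENT_TYPE_NATIVE_USER_MODE = 1


@dataclass
class Wpbt:
    oem_id: str
    binary_size: int      # bytes of platform binary the firmware hands over
    binary_address: int   # physical address Session Manager copies it from
    content_layout: int
    content_type: int
    command_line: str
    checksum_ok: bool


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a raw WPBT table, refusing anything whose lengths do not add up."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("table too short to be a WPBT")
    sig, length, _rev, _chk, oem_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header says {length} bytes, got {len(table)}")
    size, addr, layout, ctype, cmd_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    cmd_off = ACPI_HEADER.size + WPBT_BODY.size
    if cmd_len % 2 or cmd_off + cmd_len > len(table):
        raise ValueError("command-line length is odd or runs past the table")
    cmdline = table[cmd_off:cmd_off + cmd_len].decode("utf-16-le").rstrip("\x00")
    return Wpbt(oem_id.decode("ascii", "replace").strip(), size, addr, layout, ctype,
                cmdline, checksum_ok=sum(table) % 256 == 0)  # ACPI: bytes sum to 0


def audit(wpbt: Wpbt) -> List[str]:
    """Turn the parsed table into findings a defender can act on."""
    findings = [f"firmware from OEM {wpbt.oem_id!r} asks Windows to write a "
                f"{wpbt.binary_size}-byte platform binary from physical address "
                f"{wpbt.binary_address:#x} to disk and run it before anyone logs on"]
    if not wpbt.checksum_ok:
        findings.append("ACPI checksum does not verify: table corrupt or tampered")
    if (wpbt.content_layout, wpbt.content_type) != (CONTENT_LAYOUT_PE_IMAGE,
                                                     CONTENT_TYPE_NATIVE_USER_MODE):
        findings.append(f"unexpected layout/type {wpbt.content_layout}/{wpbt.content_type}")
    if wpbt.command_line:
        findings.append(f"binary is launched with arguments {wpbt.command_line!r}")
    return findings


def build_sample_wpbt(address: int, size: int, cmdline: str = "") -> bytes:
    """Constructed sample table (not captured from real hardware) for offline use."""
    cmd = cmdline.encode("utf-16-le")
    body = WPBT_BODY.pack(size, address, CONTENT_LAYOUT_PE_IMAGE,
                          CONTENT_TYPE_NATIVE_USER_MODE, len(cmd)) + cmd
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"EXMPL ", b"EXAMPLE ", 1, b"EXMP", 1)
    table = bytearray(header + body)
    table[9] = (-sum(table)) & 0xFF   # checksum byte at offset 9 makes the sum zero
    return bytes(table)


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Windows only: fetch the live table via kernel32!GetSystemFirmwareTable."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    provider = 0x41435049                         # 'ACPI' provider signature
    table_id = int.from_bytes(b"WPBT", "little")  # signature bytes as a DWORD
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None                               # this firmware exposes no WPBT
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got]


if __name__ == "__main__":
    raw = read_wpbt_from_firmware()
    if raw is None:
        print("no live WPBT readable here; auditing the constructed sample table")
        raw = build_sample_wpbt(0x7FF0_0000, 65536, "/silent")
    for finding in audit(parse_wpbt(raw)):
        print("-", finding)
```

On a machine with no WPBT the Windows reader returns None, which is the outcome you want to see after a firmware update that removes a vendor engine like the LSE.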

After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft’s security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.

Lenovo has also pulled the LSE from new desktop machines. Incredibly, Lenovo was shipping desktop PCs that feature the LSE in their firmware. These models phone home system data, but do not install any extra software, and do not suffer from the aforementioned privilege-escalation vulnerability. The PC maker’s laptops definitely do, however.

A tool quietly released on July 31 will uninstall the engine if it is present in your machine: it is available here for notebooks, and available here for desktops.

On Tuesday this week, Lenovo published a full list of affected desktop and notebook models. Desktop machines built between October 23, 2014 and April 10, 2015, with Windows 8 preinstalled, have the LSE inside them.

“Lenovo Service Engine (LSE) is a utility in the BIOS that helps users download a program called OneKey Optimizer on certain Lenovo Notebook systems. The utility also sends non-personally identifiable system data to Lenovo servers,” the Chinese goliath explained. “Lenovo, Microsoft and an independent researcher have discovered possible ways this program could be exploited by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server.”

LSE uses the Microsoft Windows Platform Binary Table (WPBT) capability. Microsoft has recently released updated security guidelines on how to best implement this feature. Lenovo’s use of LSE was not consistent with these guidelines and Lenovo recommends customers disable this utility by running a disabler program that disables LSE and removes the LSE files from the system.

The LSE functionality has been removed from newly manufactured systems.

Without this climbdown, it would have been virtually impossible for users to remove the rootkit-like engine from the firmware. El Reg hopes other manufacturers aren’t doing the same with the WPBT.

Suffice to say, netizens who have discovered this creepy code on their machines are not happy.

“I had this happen to me a few weeks ago, on a new Lenovo laptop, doing a clean install with a new SSD, Windows 8 DVD and Wi-Fi turned off,” a Hacker News user called chuckup said on Tuesday, on noticing Lenovo’s bundleware suddenly appearing on his or her new computer.

“I couldn’t understand how a Lenovo service was installed and running. Delete the file and it reappears on reboot. I’ve never seen anything like this before. Something to think about before buying Lenovo.”

What is worrying is that all of this is pretty much what Microsoft intended. Its WPBT is engineered to allow manufacturers to painlessly inject drivers and programs into the operating system. It’s supposed to be used for things like anti-theft tools, so a system can be disabled via the internet if it’s stolen.

But it also turns rootkit development and installation into a painting-by-the-numbers exercise. Lenovo got caught because its engine had crap security. And it sounds as though Microsoft pressured Lenovo to kill it.

“Richard Stallman is sounding less and less crazy with discoveries like this,” noted another Hacker News poster, referring to the Free Software Foundation supremo who has warned for decades that we’re losing control of our computers.

“To think a manufacturer would essentially rootkit their own machines is testament to how bad things have become.”

This comes on the back of Lenovo’s Superfish scandal, in which the PC maker shipped laptops with adware on them that opened up people to man-in-the-middle eavesdropping. Miscreants could exploit the bundled crapware to snoop on victims’ encrypted connections to websites.

Who is watching you?


More and more, government is spying on its citizens. Not just our government, but all governments. If you remember, a couple of weeks ago it emerged that intrusions into former CBS News correspondent Sharyl Attkisson’s computers constituted the narrative spine of the new book she has authored.

Governments all around the world use malware and spyware to keep tabs on people, from visitors to residents. But now there is hope. A security researcher has come up with a tool that can determine whether your computer is infected with spyware.

The Detekt tool was developed by Berlin-based security researcher Claudio Guarnieri and supported by several human-rights groups. Detekt checks for malware that is often used against journalists, activists and other people frequently targeted by governments.

The app is available as a free download. Detekt is primarily a scanner; its primary purpose is to warn users if they’re being spied on, not to remove that spyware. If Detekt does detect spyware, the researchers recommend users disconnect that computer from the Internet and stop using it immediately. Then, users should contact an expert via a computer they don’t normally use.

Detekt is currently compatible with Windows XP, Vista, 7 and 8, but NOT 8.1. It’s available in English, German, Italian, Spanish, Arabic and Amharic, the national language of Ethiopia.

According to Amnesty International, one of Detekt’s co-sponsors, an early version of the tool was used to investigate surveillance practices in several countries. Detekt discovered that several human-rights lawyers and activists in Bahrain were being spied on with a commercial piece of spyware called FinSpy.

Amnesty International warns that Detekt can’t magically detect all spyware; rather, it is designed to recognize some of the most commonly used and encountered commercial spyware. The developers will continue to update Detekt as the spyware it targets evolves and changes.

“The growing trend in indiscriminate mass surveillance on a global scale was laid bare by the Edward Snowden disclosures,” writes Amnesty International. “Following the lead of the USA and other industrialized countries, governments everywhere now justify the use of such surveillance. This has a chilling effect on the rights to freedom of expression and peaceful assembly in countries across the world.”

Creep factor on high. An open window to your home, WITHOUT you knowing…

Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries …unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia, is further broken down into insecure security cameras by the manufacturers Foscam, Linksys, Panasonic, some listed only as “IP cameras,” as well as AvTech and Hikvision DVRs. 11,046 of the links were to U.S. locations, more than any other country; one link could have up to 8 or 16 channels, meaning that’s how many different security camera views were displayed on one page.


Truthfully, I was torn about linking to the site, which claims to be “designed in order to show the importance of security settings;” the purpose of the site is supposedly to show how not changing the default password means that the security surveillance system is “available for all Internet users” to view. Change the defaults to secure the camera to make it private and it disappears from the index. According to FAQs, people who choose not to secure their cameras can write the site administrator and ask for the URL to be removed. But that requires knowing the site exists.

There are 40,746 pages of unsecured cameras just in the first 10 country listings: 11,046 in the U.S.; 6,536 in South Korea; 4,770 in China; 3,359 in Mexico; 3,285 in France; 2,870 in Italy; 2,422 in the U.K.; 2,268 in the Netherlands; 2,220 in Colombia; and 1,970 in India. Like the site said, you can see into “bedrooms of all countries of the world.” There are 256 countries listed plus one directory not sorted into country categories.

The last big peeping Tom paradise listing had about 400 links to vulnerable cameras on Pastebin and a Google map of vulnerable TRENDnet cameras; this newest collection of 73,011 total links makes that seem puny in comparison. A year ago, in the first action of its kind, the FTC brought down the hammer on TRENDnet for the company’s “lax security practices that exposed the private lives of hundreds of consumers to public viewing on the Internet.”

Security cameras are supposed to offer security, not provide surveillance footage for anyone to view. Businesses may be fine with that, but cameras that are not truly locked down in homes invite privacy invasions. In this case, it’s not just one manufacturer. Sure, a geek could Google Dork or use Shodan to end up with the same results, but that doesn’t mean the unsecured surveillance footage would be aggregated into one place that’s bound to be popular among voyeurs.

There were lots of businesses, stores, malls, warehouses and parking lots, but I was horrified by the sheer number of baby cribs, bedrooms, living rooms and kitchens; all of those were within homes where people should be safest, but were awaiting some creeper to turn the “security surveillance footage” meant for protection into an invasion of privacy.

Randomly clicking around revealed an elderly woman sitting but a few feet away from a camera in Scotland. In Virginia, a woman sat on the floor playing with a baby; the camera manufacturer was Linksys. There was a baby sleeping in a crib in Canada, courtesy of an unsecured Foscam camera, the brand of camera most commonly listed when pointing down at cribs. So many cameras are set up to look down into cribs that it was sickening; it became like a mission to help people secure them before a baby cam “hacker” yelled at the babies.

I wanted to warn and help people who unwittingly opened a digital window to view into their homes, so I tried to track down some security camera owners with the hopes of helping them change the default username and password. It is their lives and their cameras to do with as they think best, but “best” surely doesn’t include using a default username and password on those cameras so that families provide peep shows to any creep who wants to watch.

The site lists the camera manufacturer, default login and password, time zone, city and state. The results for each camera are also theoretically pinpointed with longitude and latitude on Google Maps. That can be opened in another browser window, zoomed into, converted to Google Earth, then Street View in hopes of seeing an address to take into a reverse phone look-up. It’s slightly easier if it’s a business and you see a name on a building. There may be an easier way, as it was slow and frustrating.

I’m unwilling to say how many calls I made, or else you might think I enjoy banging my head against the wall. It was basically how I spent my day yesterday. Too many times the location couldn’t be determined, led to apartments, or the address wasn’t listed in a reverse phone search. After too many times in a row like that, I’d switch to a business as it is much easier to pinpoint and contact.

One call was to a military installation. Since the view was of beautiful fall foliage, it seemed like a “safe” thing to find out if that camera was left with the default password on purpose. Searching for a contact number led to a site that was potentially under attack and resulted in a “privacy error.” Peachy. Then I had two things to relay, but no one answered the phone. After finding another contact number and discussing both issues at length, I was told to call the Pentagon! Holy cow and yikes!

ALWAYS, ALWAYS, ALWAYS change the default passwords on your equipment: routers, cameras, etc. If you are unsure how to do this, please contact us to regain that peace of mind.

Apple, Google encryption good news… for TERRORISTS says EU top cop.

People don’t know the difference between privacy and anonymity, says EU top cop Troels Oerting: they want the former, but the latter will make life too easy for criminals.


The Europol Assistant Director and head of European Cybercrime Centre (EC3) was joining a chorus of lawmakers and law enforcers reacting to news that Apple and Google will soon make all smartphone data encrypted by default.

In a move that was welcomed by digital civil liberties organizations, Apple announced that it would not hold the keys to iOS 8 data encryption, and so couldn’t pass on users’ data no matter how much law enforcers might want it.

Outgoing US attorney general Eric Holder, speaking on the same subject, asked people to think of the children, saying child predators could use the encryption settings in mobile platforms to evade authorities and hide illegal images and content on their devices from law enforcement. FBI Director James Comey, meanwhile, was so upset by the move that he said it would make it impossible to save children from kidnappers. He also bemoaned the fact that law enforcement would not be able to gain access to “a terrorist’s device”.

Oerting was more measured: “The problem right now is, that there seems to be a confusion between anonymity and privacy. We all want and need privacy, but this doesn’t mean anonymity.”

But he still raised the warning flag: “Irreversible encryption will make it very difficult – maybe even impossible – for law enforcement to obtain evidence and I am not sure this reality is clear to all,” he said.

“In any democratic society we need to provide law enforcement with a right to obtain information authorized by a judge, based on a clear suspicion, in cases involving serious crime or terrorism. This applies to the offline world and should also apply to the online world.

“Full encryption of communication and storage online will make life very easy for the criminals and terrorists and very difficult for law enforcement and law abiding citizens. We have to find the right balance between security and freedom – and this balance has to be set by citizens in a political and ethical discussion on the trade-offs,” said Oerting.

That won’t cut much ice with activists who are clamoring for privacy – and Apple, Google et al are well aware that this is a selling point. “On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode,” said Apple’s official statement on its encryption plans. “Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

This will draw a line, not gray and not thin, between privacy rights and those that seek to exploit them.

While I do believe in security and protecting private data, the issue is still there regarding illegal activities.

The yet-to-be-discussed point is that data encryption has been around for a long time and has only gotten better and stronger. Raising the red flag over these concerns now is a moot point and will only drive a wedge between the advocates and opponents.


Between Comcast, Youtube, Amazon and Yahoo, you are bound to get infected.

Announcements by security firms indicate that the above listed companies are exposing your systems to unnecessary risk of malware infections to boost the bottom line. (Links below)

Case in point: My daughter, while attempting to watch a youtube video, was redirected to a malicious flash player download. This download installed a rootkit on her system that played audio ads in the background continuously. While not harmful to the system, they rendered it pretty much useless for any audio applications due to the audio ads constantly playing in the background. The only fix was a total system wipe and OS reload.

Is there a solution to this problem? Short answer is no. While many commercial antivirus applications (AV) do their best to block these, there is not a 100% fix for prevention. This is due to the fact that the code writers for these things far outnumber the ones trying to stop it. As fast as the AV companies deploy a fix the bad guys change the code in a never ending battle.

What can you do? For starters, keep your AV up to date. Many vendors charge for this, but Microsoft also provides a free one (Security Essentials / Windows Defender) that is much less intrusive and less demanding on your system. You may go the paid route, but keep in mind that just because you pay for it does not make it any better than the free one, and in many cases the paid products may drag performance down in the name of protection.

The Yahoo, Youtube, Amazon story:  http://www.theregister.co.uk/2014/09/10/big_names_caught_in_kyle_and_stan_malicious_ad_attack/

The Comcast story:  http://www.theregister.co.uk/2014/09/10/comcast_using_javascript_to_inject_advertising_from_wifi_hotspots/

A magical visit from the software fairy (or how you just got robbed).

So there is a new icon on your desktop or some strange bar along the top of your internet browser…
You wonder if the software fairy has visited you in the middle of the night!

Probably not; you are one of the billions that are infected by malware, spyware, adware, creepware, ransomware, etc.

If you did not intentionally load that software, or you thought you were installing something else, you are at risk for data loss or worse: identity theft! Yes, many of these items have the potential to route data, internet traffic and keystrokes (everything you type) to the not-so-nice guys of the world. Even more so, they may have access to your personal information stored on your PC.

Just recently, a young lady fell prey to one of these malcontents online. Miss Teen USA 2013 Cassidy Wolf found out the hard way. Her system was hacked and the hacker was able to access her webcam, using it to take private, personal pictures of her and then using them to extort even more from her.

While the hacker was found and is serving time, that does not help the victim here.

Closer to home, my daughter was watching a youtube video and was infected by a rootkit that required wiping her system clean to remove.

Even “PC Security”, while looking official and legitimate, is really the bad guys at work.

Protect yourself: if you have even the slightest thought that your system is compromised with malicious software, get it checked out NOW. The longer it is online and you are using it, the greater the chances that you could be the next victim.

Ebay attack affects 223 million users.

Online auction site eBay has been blasted for an ‘inexcusable delay’ in taking action after it was revealed that its servers were hacked three months ago.
The email, home addresses, passwords, phone numbers and birth dates of every eBay account holder – 233 million worldwide – are now in the hands of the hackers.
The company has told users to urgently change their passwords amid the biggest criminal raid ever carried out online.
eBay is requesting that all users change their passwords. Earlier today, a message was posted under the headline ‘eBay Inc. To Ask All eBay Users To Change Passwords’. The only text in the body of the post was ‘placeholder text.’ It was taken down within hours.


WHAT DO WE KNOW ABOUT THE CYBER ATTACK?
The eBay database was hacked between late February and early March.
It gave hackers access to encrypted passwords and other non-financial data.
This included eBay customers’ name, encrypted password, email address, home address, phone number and date of birth.

However, the database did not contain financial information or other confidential personal data.

Cyber attackers accessed the information after obtaining ‘a small number of employee login credentials’.
The online market place added that it had no evidence of there being unauthorized activity on its members’ accounts.
But security experts are warning hackers could still use personal details to commit identity fraud.
eBay became aware of the hack a fortnight ago but is still unsure exactly how it happened.

It is unclear why it has taken eBay so long to make users aware of the breach.

Often consumers use their eBay password for a host of other websites, including their banks, so they may also need to make changes to these to protect their accounts from being hijacked.
Paul Martini, the chief executive at iboss Network Security, said that the online auction site was the ‘golden goose of hacking targets’ due to the sheer amount of information which is held, and warned that the hackers may be using personal information to target other sites.

An eBay spokesman said: ‘We discovered unauthorized access to our corporate network earlier in May and immediately began a forensic investigation which discovered this issue leading to yesterday’s announcement.

The company owns and runs the internet payment system PayPal, but claimed that this was not involved in the raid, saying: ‘PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.’

The firm has 128 million active users and accounted for £126 billion worth of commerce in 2013. Shares in the web giant, which has more than 14 million active users in the UK, fell by 3.2 per cent in early trading yesterday amid fears that the company will lose the trust of their customers, leading to a downturn in trade and profits.

A spokesman added: ‘Working with law enforcement and security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

‘Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers.’

The cyber attack was made between late February and early March, giving hackers access to eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. The firm said it will be emailing users later today to inform them of the breach.
‘Our customers are our highest priority; and to ensure they continue to have a safe, secure and trusted experience on eBay, we will be asking all users to change their passwords.

‘There is no evidence that any financial information was accessed or compromised; but we are taking every precaution.’

But Graham Cluley, independent security expert, said: ‘Obviously they’ve got hold of names, addresses and dates of birth. All of this can be used to commit identity fraud.
‘If they have your password, and you have the same password for other websites, hackers could access your email, your Amazon account and who knows what else.’
And internet security expert Paul Martini said: ‘eBay users must act and follow the advice to change their passwords. But the damage could have already been done, as the time lag is months between the cyber breach and the discovery of the breach.
‘It could well have been viewed as the golden goose of hacking targets. Its popularity means that it holds personal details, making it a potential gold mine.’
He added: ‘Cyberhackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.’

HOW DOES THE EBAY HACK AFFECT YOU? WHAT YOU NEED TO KNOW.

What personal details were stolen?
Hackers gained access to eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.
It is unclear whether all, or any, of the details were taken but security experts are warning people to assume the worst.

Are my credit cards details safe?
The firm said that the infiltrated part of the network did not contain any financial details, so in theory, yes.

Will changing my password solve the problem?
Changing passwords will stop hackers from being able to use any login details that were stolen.
However, they could still use names, addresses and birth dates to commit identity fraud.
It’s a good idea to change passwords following any attack such as this. It’s also important to update login details on any sites that use the same password.
If a hacker has your password and email address they could use it to attempt to access other sites that use the same combination.
As a rule, the same password should never be used across different sites.

Should I change my PayPal password as well?
PayPal, which owns eBay, has confirmed its accounts and customers have not been affected by this cyber attack.
However, as a matter of course, it’s good practice to change all related passwords across different sites, including PayPal.

Which countries are affected?
At the moment, we can assume that all eBay customers worldwide will be affected by this breach, until eBay says otherwise.

Is this hack a result of the Heartbleed bug?
When Heartbleed was exposed, eBay announced its customers’ accounts were secure and had not been affected. This suggests the latest hack is a separate attack.

How did hackers steal the information?
It is unclear how the hackers got hold of the information but eBay said it is working with forensic teams to get an answer to this question.

Why did it take so long for eBay to inform customers of the breach?
Typically, following cyber attacks, a firm will investigate the breach to try and determine how many people are affected, and the severity of the attack, before issuing advice.

Heartbleed – Will you have a bleeding wound?

As the Heartbleed bug continues to make news as the full extent of the security loophole becomes known, some basic Internet security tips may help to keep computers safer. While these are no guarantee that the Heartbleed bug won’t affect you personally, these tips should keep your computer safer in general.

1. Be skeptical

The Heartbleed bug first became evident in many websites that we all considered secure when they had a security hole that could expose user data to hackers who could exploit it. As Mad-Eye Moody says in the Harry Potter book series, “Constant vigilance.” In other words, assume that you’ve come in contact with the Heartbleed bug.

2. Follow news of the Heartbleed bug

The Heartbleed bug is still a developing story. Following reports will let you know if any additional websites, software, or devices are affected.

3. Keep the security software on your computer up to date

Even if you have not been exposed to the Heartbleed bug or any other threat online, a secure firewall is the first line of defense for your PC or Mac against hackers. Use a reputable brand and check to make sure your subscription is up to date, as well as any patches or updates to the software.

4. Check and recheck lists of affected websites

The chances that you have visited a website affected by the Heartbleed bug are pretty high, as several big websites like Yahoo, Facebook, and Google were all patched following news of the Heartbleed bug. Several technology websites are making lists of websites and whether they are vulnerable to the bug. Mashable and CNET have extensive lists. (Warning: not all lists are being updated.) Check more than one list to make sure the website is no longer affected.

Also, if you are unable to find a website on any of the various lists, use a tool like this one built by Italian cryptology and security consultant Filippo Valsorda to check out a website before logging in.

5. Passwords are like socks. Change both often

If you did visit a website that has been vulnerable — you won’t necessarily know if it’s been affected, due to the traceless nature of the bug — but is now patched or otherwise fixed, change your password. Generally a good password has uppercase letters, lowercase letters, numbers, and special characters. Also, do not repeat passwords. If you can’t remember multiple passwords, consider a password manager instead.

6. Check your bank account, debit, and credit card balances often if you use them online

While Bank of America, Chase, Wells Fargo, PayPal, and Capital One did not use the OpenSSL encryption where the Heartbleed bug hid, it’s a good idea to keep an eye on any financial account you use online for security and personal finance reasons. Netflix, which requires an online payment, had to be patched, making it a good idea to keep a close eye on whatever card you use to enable Netflix binges.

If you rarely shop or pay for services online, viruses and identity theft are good reasons to check your accounts often anyway, even if the Heartbleed bug might not have been able to go after your bank.

File encryption, it is a MUST.

Tech tip:

With the news awash regarding the NSA snooping scandal and a rash of data thefts, the most secure way to keep info safe is to encrypt it.

My personal favorite tool for this is TrueCrypt: http://www.truecrypt.org/   As of 12/1/15, TrueCrypt announced a security flaw but gave no real details. In light of that, check out VeraCrypt at https://veracrypt.codeplex.com/  It works the same as TrueCrypt, with enhanced encryption methods.


Encryption, in its simplest form, scrambles a file, folder, or drive so that only the correct passphrase unlocks the data.

DO NOT FORGET YOUR PASSPHRASE!!

TrueCrypt’s site claims the software has been downloaded more than 13 million times. This has to be put into perspective. Compression tools like WinZip are mainstream and universal. They get massive download rates because everybody uses them. Encryption is still in the outer orbit of mainstream awareness. Relatively few people use encryption. It’s one of those things that most folks don’t seriously consider until they’ve been burnt by not employing it. So, 13 million TrueCrypt downloads is really a telling sign of this software’s popularity.

There are a few things to consider before deploying TrueCrypt. First, TrueCrypt offers no way to recover an encrypted volume if you lose your passphrase. The only way in is to guess: if all the governments of the world cannot brute-force an AES-256 key, your odds of doing so are slim, so the realistic attack is guessing the passphrase itself, which is why it must be long and hard to guess. TrueCrypt also allows the creation of hidden volumes whose existence can be plausibly denied. You can create two encrypted system partitions and hide one of them. The visible one works as a decoy, which you use regularly enough to give the impression that it is your active system. Whether you boot the hidden system or the decoy is decided by the passphrase you type at startup.

If you think the statement above about the government's inability to decrypt a drive is false, take a moment to read about the case of a woman in Colorado who refused to decrypt her drive so that prosecutors could build a case against her; they went to court to compel her rather than break the encryption. Update 2/15/17: whatever you think of the people who carried out the attack, the California shooting encryption dispute covered in the article below is another good example of why encryption is needed. http://www.reuters.com/article/us-california-shooting-encryption-idUSKCN0VI22A

DO NOT FORGET YOUR PASSPHRASE!!

Now, back to our tip.

First, using encryption software, you can create an encrypted container and save files, folders, and so on inside it. With darn near certainty (see the caveat about passphrases below), no one other than yourself will ever be able to read those files.

Second, using the above method, you can email the encrypted container just as you would any other file, without fear of others snooping on its contents (an observer can still see that you sent a file, and how large it is, but not what is inside).

You could then tell the receiving person the passphrase, preferably in person and in private and at a whisper and on a deserted island. 🙂

Now, it would be unfair and untrue to say that encryption is unbreakable, but let's do some math and estimate how long it would take to break 256-bit AES encryption by brute force, assuming the attacker has to guess the key itself.

The power of 256-bit AES encryption is awesome. Explaining just how powerful it is takes numbers far larger than our brains can really make sense of, but it's worth a try.

The "256-bit" part of the name means that the key which provides access to the protected content is 256 bits long, that is, it is one of 2^256 possible keys.

So imagine you have a file encrypted using 256-bit AES, and that you can sit there trying keys one after another to crack it open.

Let's pick a crazy-high number: say you can try a million million million keys every millisecond. At that rate, it would take about 3 million million million million million million million million years (roughly 3.7 × 10^48 years) to try every key. That's older than your grandma.

It’s more combinations than there are atoms on the whole planet. About 70,000,000,000,000,000,000,000,000 times more to be precise.

For it to take "only" as long as the age of the universe to crack, you'd need to try about 2.8 × 10^59 keys per second, that's 280,000 with 9 "millions" after it.

That's why AES is considered, for now, unbreakable by brute force. The NSA has approved it to protect information classified as "top secret", which is genuinely the top endorsement possible.

I said "darn near certainty" above because of this: an attacker does not go after the 256-bit key, but after the passphrase it is derived from. If you ever write down or share the passphrase in any way, or pick one short enough to guess, you have weakened the security to the strength of that passphrase. But if it stays long, random, and only in your noggin, no one will ever read your data short of reading your mind.
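The arithmetic above, and the passphrase caveat that goes with it, are easy to check for yourself. The script below is an added example for this page, not code from TrueCrypt, VeraCrypt or the original author: it carries the 2^256 calculation through with the page's own figures (a million million million guesses per millisecond, the age of the universe rounded to 13.8 billion years as an assumption) and then applies the same formula to a passphrase, showing how short a typed passphrase falls from the key it protects and how much a VeraCrypt-style key-derivation cost (the iteration count is a placeholder, not VeraCrypt's actual number) buys back.

```python
"""Brute-force arithmetic for AES-256 keys versus the passphrases that protect them.
Added example for this page; the rates and the KDF cost below are assumptions."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9   # rounded; assumption used only for comparison
KEY_BITS = 256


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every one of the 2**bits possibilities at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def rate_to_exhaust_within(bits: float, years: float) -> float:
    """Guesses per second needed to try every one of 2**bits possibilities within `years`."""
    return 2 ** bits / (years * SECONDS_PER_YEAR)


def passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_to_match_key(alphabet_size: int, key_bits: int = KEY_BITS) -> int:
    """Shortest random passphrase over the alphabet whose search space is at least 2**key_bits."""
    return math.ceil(key_bits / math.log2(alphabet_size))


def passphrase_years(length: int, alphabet_size: int,
                     raw_guesses_per_second: float, kdf_cost: float = 1.0) -> float:
    """Years to exhaust a passphrase space when every guess must first run a key-derivation
    function costing `kdf_cost` times as much as one bare AES key trial."""
    effective_rate = raw_guesses_per_second / kdf_cost
    return years_to_exhaust(passphrase_bits(length, alphabet_size), effective_rate)


def summary() -> dict:
    """The page's figures, recomputed, alongside a passphrase of typical human size."""
    crazy_rate = 1e21                       # a million million million per millisecond
    return {
        "years_for_aes256_at_crazy_rate": years_to_exhaust(KEY_BITS, crazy_rate),
        "rate_to_finish_in_age_of_universe": rate_to_exhaust_within(KEY_BITS, AGE_OF_UNIVERSE_YEARS),
        "bits_in_8_char_printable_passphrase": passphrase_bits(8, 95),
        "printable_chars_needed_to_match_key": length_to_match_key(95),
        "lowercase_chars_needed_to_match_key": length_to_match_key(26),
        # 8 printable chars, 1e9 raw guesses/s, KDF 500,000x costlier than a key trial (assumed)
        "years_for_8_char_passphrase_with_kdf": passphrase_years(8, 95, 1e9, 500_000),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:45s} {value:.3g}")
```

The numbers tell the story the text is making: at the page's "crazy-high" rate the key takes about 3.7 × 10^48 years, but an eight-character passphrase has only about 52 bits of entropy, and you would need 39 random printable characters (55 lowercase letters) before guessing the passphrase costs as much as guessing the key. The key-derivation cost is what keeps a merely decent passphrase practical: with the assumed 500,000x slowdown, the same eight characters hold out for on the order of a hundred thousand years at a billion raw guesses per second, instead of a fraction of a second.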

Do not forget that newer operating systems include built-in disk encryption that works very well (BitLocker on Windows, FileVault on macOS). That protects the system and files on your own machine if it is lost or stolen, but it does nothing for information you send to someone else, which is where an encrypted container as described above comes in.

Did I mention, the most important point to remember here is: DO NOT FORGET YOUR PASSPHRASE!!