U.S. lawmakers pledged to rewrite an antihacking law as hundreds of people gathered in Washington, D.C., to mourn the death of Internet activist and innovator Aaron Swartz.

Speakers at a Monday memorial service for Swartz, who committed suicide in January, remembered him as an intensely curious young man who wanted to help people and change the world. The world is a "worse place" because of Swartz's death, said his girlfriend, Taren Stinebrickner-Kauffman.

Swartz was "one of the brightest stars in America," Stinebrickner-Kauffman said. "He had so much more to do."

As a teenager, Swartz played key roles in the development of the RSS online content syndication technology, in the creation of the Creative Commons licenses and in the founding of the Reddit news sharing site. He later cofounded Demand Progress, a left-leaning activist group focused on technology policy and other issues.

To read this article in full or to leave a comment, please click here

Mobile computing may be convenient, but it's also inherently risky. When you drag your laptop to the coffee shop or bring it along on your travels, you’re making all your private data and one of your most expensive possessions a big, fat target for sticky-fingered thieves. And unlike traditional theft targets like jewelry or wallets, a laptop is an easy steal—the baddies just need to wait for you to turn your back, then grab the computer and run. In some cases, a criminal doesn’t even need to steal your notebook. He can simply pull your sensitive data out of thin air.

Fortunately, you can do a lot to minimize the perils possibly encountered on the road. By taking a few simple precautions and following some common-sense practices while you’re out and about, you can drastically reduce the chance that your laptop will be stolen and keep your data locked up tight. With great portability brings great responsibility!

Lock the front door

When you go on a vacation, you wouldn’t leave your front door unlocked, would you? Of course not. You shouldn’t leave your laptop completely defenseless, either. Lock your laptop's proverbial front door by making sure that your Windows user account is set up to require a password on log-in. A log-in password won’t protect against an even semi-competent hacker, but it could easily be enough to dissuade unsophisticated criminals from snooping through your files after stealing your laptop.

Windows makes it very easy to change your password or to set one if you don’t already have one. In Windows 7, just hit ctrl-alt-del and select Change Password, the fourth option down. After that's set, head to the Power Options in the Control Panel, click Require a password on wakeup in the left-hand pane, and click the radio button next to Require a password.

To read this article in full or to leave a comment, please click here

Between Android and Firefox, this has been a big week for milestones in the world of free and open source software.

First, on Monday, we had Android's fifth birthday--accompanied by news that Google's Linux-based mobile operating platform attained a market share of 75 percent of smartphone shipments for the third quarter.

Then, on Friday, it was Firefox's eighth birthday.

'Openness and interoperability'

To read this article in full or to leave a comment, please click here

Encryption can be a bit of a double-edged sword for organizations. It is an effective and essential tool for protecting sensitive data, but it often comes with a healthy side of user confusion and help desk calls. Microsoft hopes to simplify the process of implementing and managing BitLocker data encryption with the launch of Microsoft BitLocker Administration and Management (MBAM) 2.0 Beta 2.

A Windows for Your Business blog post announcing MBAM 2.0 Beta 2 points out that many states have data breach legislation in place, and that the penalties associated with failing to protect data can get quite costly. “I think this proves that the rules and stakes for data security are rapidly changing and there couldn’t be a more important time to ensure your understanding of data breach laws, and protect your corporate and customer data from the ramifications of a potential breach.”

BitLocker encryption has been around in some form or another since the launch of Windows Vista. It is an effective means of protecting data, but can be a major headache to manage—especially for small and medium businesses that generally have fewer dedicated IT resources.

MBAM 2.0 is part of the Microsoft Desktop Optimization Pack. The new versions builds on MBAM 1.0 in an effort to streamline provisioning of BitLocker encryption, reduce support calls and costs, simplify management, and improve compliance reporting.

To read this article in full or to leave a comment, please click here

DiskCryptor (free) is a handy encryption program—simple, to the point, and lightweight.

My preference is to encrypt entire drives and partitions, which is the level at which I organize my data these days, and that's exactly what DiskCryptor does—even with your system partition. The program takes that one further and will encrypt ISO files that you may then burn to CD. If you need encrypted container files, look to TrueCrypt or others.

After you install DiskCryptor, it runs as a service in the background with an icon in the system tray. You can set it up to load from your boot sector if you've encrypted your system drive. Click on the system tray icon and you're presented with a plain, down-to-business dialog from which you encrypt/decrypt (AES 256, Two-fish, Serpent) as well as mount and unmount encrypted drives. The program uses only a little over 1MB of disk space installed.

There are a few peculiarities with DiskCryptor that you should be aware of. When you unmount an encrypted drive, it's still visible to the system, as well as Windows Disk management, but isn't recognized as a validly formatted or partitioned drive. This could lead someone to think the drive is corrupt and repartition or reformat it—a hide drive function would be nice. It would also be nice to have context menu support so you don't have to go through the dialog for everything. But that's a lot of complaining for a program that's free, easy, convenient, and works extremely well.

To read this article in full or to leave a comment, please click here

If you want something done right, do it yourself. That may sound trite, but it rings true as advice for securing files that you've stored online. Several recent incidents—including breaches of Dropbox and iCloud—underscore the fact that, even with built-in encryption and SSL transfers, cloud storage providers can't perfectly ensure the safety of your data.

Luckily, you can take cloud security into your own hands.

A few different tools can help safeguard the privacy of your data when you store it on a remote server. One of our favorites is BoxCryptor, an easy-to-use encryption program that works with all of the most popular cloud services, is free to use (though you can pay for upgrades), and helps keep your data safe.

BoxCryptor is basically a virtual hard disk that encrypts files on the fly using 256-bit AES encryption. Unlike TrueCrypt, another popular on-the-fly encryption tool, BoxCryptor encrypts individual files, not an entire volume or container. Consequently, your BoxCryptor-encrypted files sync with your cloud storage service immediately after you save them, whereas TrueCrypt syncing occurs only after you finish encrypting an entire volume.

To read this article in full or to leave a comment, please click here

KenWid10 asked the Antivirus & Security Software forum how best to send encrypted information to someone over the Internet.

You should never, ever just email credit card numbers, passwords, or other private information. You don't know how many servers the message will pass through between your computer and the recipient's, or who has access to those servers. Email is only slightly more private than a billboard. (A slight exaggeration, but you get the point.)

A truly private message must be encrypted before it leaves your computer, and remain encrypted until the recipient receives it. To complicate things further, you can't assume that the recipient is any more tech savvy than that uncle who freaks out when you open a new tab on his browser.

Here are two ways to safely send private information over the Internet:

To read this article in full or to leave a comment, please click here

Great news! Next Tuesday is already Patch Tuesday for September, but Microsoft only has a couple of relatively minor updates lined up. Don’t get too comfortable, though—you need to prepare for the changes Microsoft is making next month for cryptographic keys.

Let’s start with Patch Tuesday. September is a dramatic departure from previous months. Unlike the many months that have been loaded down with multiple Critical updates, or the fact that Internet Explorer has been updated monthly for the past few months, Microsoft only has two security bulletins scheduled for this month.

Of course, many IT admins are still trying to catch up from previous months, and can use the break to finish deploying the patches they already have. Then, there’s the Java patch from Oracle that probably needs urgent attention if you haven’t already implemented it.

To read this article in full or to leave a comment, please click here

Your Windows logon password--the one you type every time you boot--does not protect your files in any meaningful way. (There's an exception, which I'll discuss below.)

Why is that important? Because you do things on your computer that only you should be allowed to do, such as read and write your email. Unless you've set up your mail client to require a password every time you boot, anyone who can log onto your computer as you has full access to your mail.

To read this article in full or to leave a comment, please click here

Dubbed "Shamoon" by most antivirus companies, the malware has been used in targeted attacks aimed at specific individuals or firms, including at least one in the energy sector.

According to Israeli security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization's network.

The second stage -- which kicks off after the malware has done its dirty work -- overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable.

To read this article in full or to leave a comment, please click here

There is no silver bullet when it comes to encryption. Even the most complex, invulnerable encryption today could be child’s play in the future. The NIST (National Institute of Standards and Technology) is publishing new encryption standards for public review to try and keep up with the times and stay a step ahead of the bad guys.

All of security is more or less a game of cat and mouse. Security measures are put in place, and they work for a while until attackers find the weak spots, or figure out how to compromise or circumvent them. Then, security experts have to devise new methods, and the game starts over. Website encryption, and the certificates we use to prove a site is legitimate, are subject to this same cause and effect.

Secure websites rely on digital certificates issued by trusted Certificate Authorities (CA) to verify their authenticity. Basically, a trusted third-party acts as a Certificate Authority (CA). The CA validates that an individual or organization is authentic, and issues a certificate. When you connect to a website, your browser verifies that the site has a valid certificate issued from a trusted CA, and in most cases will warn you if the certificate is expired or has other issues.

To read this article in full or to leave a comment, please click here

Every backup service worth its salt uses encryption to keep your data safe from snoops, but Spider­Oak goes one step further by promising to keep your data private from its own employees. Although you still should use common sense in choosing what to upload to any service, I believe that SpiderOak is one of the best secure online backup options available.

You download an application (for Windows, Mac, or Linux) that coordinates which files and folders to back up, and runs in the background to sync your online backup with your PC. The password that you create never goes to the SpiderOak servers; it’s stored on your PC. Your password then serves to generate a pair of encryption keys, which also remain local. The keys work to encrypt your files on your PC before the data goes to the SpiderOak servers—without your password or keys, no one can view your data without cracking the encryption via brute force.

‘Zero-Knowledge’ Privacy Policy

This hands-off approach means that every time you log in to SpiderOak, you’re just verifying your identity to the desktop client, which in turn establishes a se­­cure connection to the SpiderOak servers. As long as you never log in via SpiderOak’s website or a mobile device (in addition to the desktop tools, SpiderOak offers mobile and Web clients for convenience), your password will never enter SpiderOak servers, so theoretically it’s difficult for a SpiderOak staffer to peek at your data or give it to a third party.

To read this article in full or to leave a comment, please click here

Security researchers released two tools at the Defcon security conference that can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) and WPA2-Enterprise (Wireless Protected Access) sessions that use MS-CHAPv2 for authentication.

MS-CHAPv2 is an authentication protocol created by Microsoft and introduced in Windows NT 4.0 SP4. Despite its age, it is still used as the primary authentication mechanism by most PPTP virtual private network (VPN) clients.

MS-CHAPv2 has been known to be vulnerable to dictionary-based brute force attacks since 1999, when a cryptanalysis of the protocol was published by and other researchers.

However, the common belief on the Internet is that if you have a strong password then it's OK, said Moxie Marlinspike, the security researcher who developed ChapCrack, one of the tools released at Defcon. "What we demonstrated is that it doesn't matter. There's nothing you can do."

To read this article in full or to leave a comment, please click here

Cracking the dumped eHarmony passwords wasn't too hard, says Mike Kelly, security analyst at SpiderLabs, which used tools such as oclHashcat and John the Ripper. In fact, he says it was one of the "easiest" challenges he ever faced. There are many reasons why this is so, starting with the fact the cracked passwords may have been "hashed," but they weren't "salted," which he says "would drastically increase the time it would take to crack them."

BACKGROUND: Dating site eHarmony confirms password breach

He points out that hashing the passwords with a crypto algorithm is a good start to scramble the password, but by adding the "salt" of a random string in the process, the "salted hash" is far stronger protection. eHarmony was also using the MD5 format, which is considered somewhat weak by cryptographers today, Kelly adds.

To read this article in full or to leave a comment, please click here

If a flash drive contains sensitive information--such as bank account statements, credit card numbers, or your own unique, brilliant plans for world domination--you should password protect, if not the whole drive, than at least those particular files.

You've got two options for protecting data on a flash drive: You can use encryption software, or you can buy a special, encrypted flash drive.

Jon L. Jacobi recently wrote The Best Encrypted Flash Drives, and recommended the Imation Defender

To read this article in full or to leave a comment, please click here

Secure data being beamed across the Internet it? Encrypt it. Protect data at rest from being accessed? Encrypt it. It seems like encryption is the answer to all of your security concerns. That’s true to an extent, but even encryption has its limitations.

Encryption is a perfectly viable solution for securing data, but it’s not invulnerable--especially for data at rest, like files stored on backup media. Today’s unbreakable algorithm is tomorrow’s cracked encryption.

The idea of encryption dates back centuries. At its core, it’s nothing more than replacing information with other data that makes it appear to be gibberish unless you have the key that helps you reverse the process (decrypt) so you can recover the original information.

One of the most well-known examples of encryption is the Caesar Cipher. Attribute to the Roman emperor Julius Caesar, the code involved simply offsetting the letters of the alphabet by a specified number. For example, an offset of four would make an “A” become a “E”, a “B” become an “F”, and so on. The resulting message would seem like a random jumble of letters unless you knew how it was encrypted, and what the offset number was.

To read this article in full or to leave a comment, please click here

Keeping your data private while you’re browsing the Web can be time-consuming if you want to stop malware, IP-address snoopers, and malicious ads. Spotflux, a New York startup, is aiming to change that with a no-cost, easy-to-use program that encrypts your Internet connection, anonymizes your IP address, and reduces your risk of infection while you surf. Did I mention that it’s free?

This requires a certain level of trust, since the Spotflux servers are privy to everything you do. The payoff is the assurance that your activities are anonymized and protected. While Spotflux is cagey about what it looks for when filtering traffic (lest the bad guys learn how to circumvent the filters), we do know that it regularly updates its servers to scan for widespread malware such as DNSChanger. “We scour the Web for major offenders, and listen to the users on Facebook and Twitter to find and eliminate major sources of malware,” claims Chris Naegelin, who cofounded Spotflux in Brooklyn, New York, along with Dean Mekkawy. And since Spotflux’s staff operates the Spotflux servers, the service can reasonably promise that no­­body outside the company can use it to snoop on you.

Benefits and Drawbacks

Since your traffic goes through the Spotflux servers twice (first when your browser sends a request, and again when a site responds), you will see a slight performance hit. I ran speed tests, and my download speed consistently degraded by roughly 20 percent while the app was running. The upside: I never saw an irritating ad during several days of browsing, and my antivirus scans came up clean despite my rampant downloading. Plus, according to AT&T, my bandwidth usage was lower than ever during my weekend with Spotflux, which may be an unintended but wonderful consequence of filtering out unwanted ads.

To read this article in full or to leave a comment, please click here

The Enigma cypher machine used by the German military in World War II is still a tough nut to crack today. The total number of ways it can be configured for every letter is around 150 million million million. That's enough to keep it beyond the reach of all but the most determined of brute force attacks.

MAIN ARTICLE: Tech world preps to honor 'Father of Computer Science' Alan Turing, as centenary nears

IN PICTURES: Alan Turing in the media

So how were the late Alan Turing (whose 100th birthday is being celebrated in academic circles this June) and his fellow Bletchley Park code-breakers able to crack the Enigma and provide the Allies with such priceless intelligence?

To read this article in full or to leave a comment, please click here

Analysis of the massive ‘Flame’ cyber attack code has revealed that rogue Microsoft security certificates were used to make the malware appear as if it was officially signed by Microsoft. Microsoft has issued a security advisory, revoked trust in the rogue certificates, and provided steps to help IT admins and users prevent attacks that rely on the spoofed Microsoft certificates.

A post on the Microsoft Security Response Center blog states plainly, “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”

The Microsoft blog post explains that a vulnerability in an old cryptography algorithm is exploited by some elements of Flame to make them appear as if they originated from Microsoft. Most systems around the world accept officially-signed Microsoft code as safe by default, so the malware would enter unnoticed.

To read this article in full or to leave a comment, please click here

I don't like Windows' Encrypted File System (EFS), and Jeff's story illustrates why. Although EFS provides what appears to be a convenient, completely transparent form of encryption, it can be trouble down the road.

EFS makes sense in a business, where IS professionals manage the computers and less savvy people use them. The users don't even have to know that their data is encrypted (or even what the word encrypted means). They log into Windows and they can access their files. But if someone else logs in, or boots from a live Linux CD, or removes the hard drive, the files are inaccessible. And should it be necessary, IS knows how to get back those files.

But in a home environment, as Jeff discovered, EFS is just asking for trouble down the road.

To read this article in full or to leave a comment, please click here

What to Encrypt

To secure your email effectively, you should encrypt three things: the connection from your email provider; your actual email messages; and your stored, cached, or archived email messages.

If you leave the connection from your email provider to your computer or other device unencrypted while you check or send email messages, other users on your network can easily capture your email login credentials and any messages you send or receive. This hazard typically arises when you use a public network (the Wi-Fi hotspot in a coffee shop, say), but an unencrypted connection can also be pose problems on your work or private network.

Your actual email messages are vulnerable as they travel over the Internet, after leaving your email provider's server. Bad guys can intercept a message as it bounces from server to server on the Internet. Encrypting your messages before sending them renders them unreadable from the point at which they embark on their journey to the point at which the intended recipient opens them.

To read this article in full or to leave a comment, please click here

Intel pulled back the curtain this week to unveil a lineup of new Ivy Bridge processors. Most of the focus on the Ivy Bridge CPUs is on the faster performance, and more efficient power consumption. But, beneath the surface Intel has incorporated a feature that also makes Ivy Bridge more secure than its predecessors--“Bull Mountain”.

Bull Mountain is the code name for Intel’s new random number generator technology. Why is that important? Random numbers are required for effective encryption, and weak random number generators are the Achilles heel of data security.

Encryption is a crucial element of computer and network security. Data is encrypted to prevent it from being accessed or viewed by unauthorized users. Traffic between a PC and a website is encrypted to ensure sensitive information like passwords or credit card information aren’t intercepted in transit.

The fatal flaw of encryption is that it relies on randomness to generate strong encryption keys, but computers aren’t random. The ones and zeros that bounce around the PC and across the Internet are fundamentally predictable. Granted, even weak encryption is enough to prevent data from being compromised in most cases, but skilled attackers can exploit a weak random number generator to crack the encryption.

To read this article in full or to leave a comment, please click here

It's a rare week indeed that doesn't bring forth some fresh privacy scandal, and creepy apps like Girls Around Me are only one small part of the problem.

I've already written about a few privacy-minded technologies that aim to help, including the DuckDuckGo search engine, the GNU Free Call alternative to Skype, the BitBox browser, and the Lightweight Portable Security (LPS) Linux distribution.

Recently, however, a reader alerted me to a new and highly secure social networking option. It's called RetroShare, and it basically lets you set up a completely private network for communicating and sharing with those you trust.

To read this article in full or to leave a comment, please click here

Like many people, I rely heavily on email to communicate with all sorts of folks. And sometimes, whether it's sending tax information to my husband or credit card information to the owner of an inn, that communication is sensitive. That's why I was intrigued by Enlocked (free beta), an email encryption service that's designed to take the complications out of complex encryption software. And it succeeds, to a certain extent.

Before you send your first encrypted email, Enlocked will ask you to enter you email password. This is done to authenticate the user, and the message only appears the first time you use the service. Once you click "Send Secured," emails are sent just as any other message would be. If the recipient has never before received an message that's been encrypted with Enlocked, they will receive a notification message before the encrypted message arrives. This message lets them know that, in order to read the encrypted message, they will need to download the free plugin and offers handy links to do so. (If their mail client and/or browser is not supported, or if they simply prefer not to download anything, Enlocked does offer a browser-based version, called Enlocked Anywhere, which allows messages to be read in a Web browser.)

If the recipient has downloaded and installed the Enlocked plugin by the time the message arrives, they'll be asked to enter their email password upon opening the message. This authenticates the user, and only happens upon receiving the first encrypted message. The contents of the message are then automatically decrypted.

To read this article in full or to leave a comment, please click here

Data at rest has long been protected by technology called public key infrastructure (PKI), in which data is encrypted when it's created by a public key and only decrypted, in theory, by an authorized person holding the private key. But extending this type of data protection to the cloud can be complicated.

Startup security company Porticor just released a solution that addresses the concern about data at rest in the cloud. Porticor offers a split key encryption solution where the cloud customer is the only one who knows the master key. What's more, Porticor handles all the complexity of encrypting data so the customer barely needs to think about it. The security and convenience is all in the unique implementation of key management.

BACKGROUND: Startup Porticor launches with encryption technology for cloud computing

To read this article in full or to leave a comment, please click here

Even NASA laptops are vulnerable to theft and poor security practices: 48 NASA laptops or mobile devices were stolen from America’s space agency between April 2009 and April 2011, including one--unencrypted--laptop containing control codes for the International Space Station (ISS).

Although ISS does not appear to be in jeopardy, according to a NASA public affairs officer who spoke to the Security News Daily, the NASA security breaches underscore how serious and difficult a problem laptop and mobile device theft is--whether you’re a government agency or a small business or an individual.

In his testimony last month before the Science, Space and Technology House subcommittee, NASA Inspector General Paul Martin admitted that only 1 percent of NASA’s portable devices are encrypted. That leaves 99 percent of the agency’s laptops and mobile devices left unprotected, storing possibly not just employees’ personal data such as Social Security numbers, but also third-party intellectual property and perhaps space or government secrets (yes, I watched many episodes of Chuck).

To read this article in full or to leave a comment, please click here