Google to slap warnings on non-HTTPS sites


I have been saying this here for the last few years, but it is nice to hear it confirmed by a former NSA director. The Wall Street Journal just reported that President Barack Obama has instructed U.S. intelligence agencies to investigate hacking activity aimed at meddling in the 2016 election.

The same article includes a video of an interview at WSJ’s Future of Cybersecurity breakfast in which former NSA Director Michael Hayden says the Russians “weaponized” information gleaned from hacking DNC emails to erode America’s confidence in our political process, and tells WSJ’s John Bussey how the U.S. should retaliate.
This is powerful ammo to send to your C-suite so they can get first-hand information why it is so important to increase IT cybersecurity budget.

Below is a direct link to the 4:16 video. Note what Hayden said at 1:10: “Russian criminal gangs on behalf of the Russian Federation does the original hacking, pulls the information back, gives it back to the Russian Federation, who then washed it through Wikileaks to go out.”

http://www.wsj.com/video/gen-hayden-on-us-response-to-russian-dnc-hack/54D57FC3-D99E-4864-B9C7-EE948791158A.html

Want to get a 5-minute backgrounder?

We all know that a large amount of cybercrime originates in Russia and other eastern European countries that were former USSR states. But why is that? I decided to dig into this and did some research which turned out to be eye opening. One of the most fascinating sources of reliable information was a book called Putin’s Kleptocracy: Who Owns Russia? by Karen Dawisha, professor of Political Science at Miami University.

Why cybercrime is so widespread in eastern Europe is closely tied to, and coincides in time with, Vladimir Putin’s rise to become Russia’s autocratic leader. If this all sounds too unreal, I assure you it’s the unpleasant truth.

Here is a very, very short summary of what happened, so you get the big ugly picture: Why All This Russian Cybercrime In Five Minutes

Since these attackers are thousands of miles away and our law enforcement gets no cooperation, the main ways they can penetrate your systems are limited to:

  1. Badly configured servers and workstations
  2. Known and unknown vulnerabilities in software
  3. Social engineering 

That’s why stepping users through new-school security awareness training is such an important part of your defense-in-depth. Start with a free Phishing Security Test and phish your users to see how many click; the result is often an unpleasant surprise, but a great catalyst for getting buy-in.


Police on Tuesday said they have arrested a worker at the New York State Department of Motor Vehicles (DMV) on Staten Island, for allegedly trying to use the work computer to get a customer’s personal information and ask her out on a date.

According to the New York State Inspector General’s office, Peter Grosseto, 29, has been charged with felony Computer Trespass and with the misdemeanors Unauthorized Use of a Computer and Official Misconduct.

Investigators claim that Grosseto used the work computer system to look up the name and phone number of a customer – without her knowledge – who was being served by another DMV staffer.

He allegedly did it 3 times. Then, police say, Grosseto called the woman at home, pretending to be a DMV quality assurance rep.

He ultimately admitted he was calling to ask her out on a date.

Inspector General Leahy Scott said that Grosseto’s alleged behavior was unprofessional:

This defendant set aside any semblance of professionalism and illegally accessed State resources to satisfy his own interests and harass a customer with unwelcome advances. I will not tolerate any government employee’s violation of the public trust or violation of any citizen’s privacy and dignity.

Grosseto’s bosses aren’t too happy about it, either.

DMV Executive Deputy Commissioner Terri Egan:

There is no responsibility we take more seriously at DMV than safeguarding the personal information of our customers. When personal information is compromised, we take swift action – especially when a DMV employee is involved.

Grosseto’s been suspended without pay “to ensure he can no longer abuse his position,” Egan said.

He is, of course, innocent until proved guilty.

If Grosseto is guilty, he’s sure not alone. After investigating cops who misuse access to personal information, the Associated Press on Wednesday published a report finding that police across the US run unauthorized searches on confidential databases for purposes that include revenge and stalking.

Calling a stranger for a date, using a phone number and a name she never agreed to give you, might sound kind of cute. Harmless. Easy to laugh off.

But the AP story about police who abuse their positions to dig out data on people makes clear that government employees who do this aren’t just unprofessional: they can be downright dangerous.

One example is an Ohio officer who pleaded guilty last year to having looked up information on an ex-girlfriend and to stalking her.

The AP quoted Alexis Dekany, the woman he stalked:

It’s personal. It’s your address. It’s all your information, it’s your Social Security number, it’s everything about you.

And when they use it for ill purposes to commit crimes against you – to stalk you, to follow you, to harass you… it just becomes so dangerous.

Law enforcement officials have tried to stem the number of times that these betrayals of trust occur. Unfortunately, it’s well-nigh impossible to differentiate between legitimate database inquiries and those that are self-serving.

What can they do?

Some departments have tried increasing field audits.

The Miami-Dade police department is now conducting quarterly audits in which officers can be randomly asked to explain searches. Also, a sergeant’s duties have been expanded to include daily reviews of proper usage and troubleshooting, Maj. Christopher Carothers of the professional compliance bureau told the AP.

But at the end of the day, for better or (often for) worse, it looks like we’re relying on professionals acting like professionals as we trust them with our personal information.
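The audits described above work because most legitimate lookups have a reason that is already recorded somewhere else: the clerk was serving that customer at that moment. Here is an added example (not from the article, the DMV, or the AP) of how an auditor could cross-reference a record-access log against a counter-transaction log to surface lookups with no matching transaction, flag repeated pulls of the same record, and draw the random sample of queries an employee can be asked to explain. The two logs, their fields and the 30-minute window are constructed assumptions; the pattern it flags is the one the story describes, one employee repeatedly looking up a customer another employee was serving.

```python
from datetime import datetime, timedelta
import random

# Constructed sample logs (illustrative only, not from any real DMV system).
# Access-log row: timestamp, employee, customer record, fields viewed.
ACCESS_LOG = [
    ("2016-09-20T10:02:11", "clerk_a", "C-1001", "name,phone"),
    ("2016-09-20T10:05:40", "clerk_b", "C-1001", "name,phone"),  # not clerk_b's customer
    ("2016-09-20T10:06:02", "clerk_b", "C-1001", "name,phone"),
    ("2016-09-20T10:09:15", "clerk_b", "C-1001", "phone"),
    ("2016-09-20T10:31:00", "clerk_b", "C-2002", "name,address"),
    ("2016-09-20T11:14:27", "clerk_a", "C-3003", "name"),
]
# Service-log row: timestamp, employee, the customer record they were serving.
SERVICE_LOG = [
    ("2016-09-20T10:00:00", "clerk_a", "C-1001"),
    ("2016-09-20T10:30:00", "clerk_b", "C-2002"),
    ("2016-09-20T11:10:00", "clerk_a", "C-3003"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_unjustified_lookups(access_log, service_log, window_minutes=30):
    """Return access-log rows that no service transaction by the same employee
    for the same record explains within +/- window_minutes."""
    window = timedelta(minutes=window_minutes)
    transactions = {}
    for ts, emp, rec in service_log:
        transactions.setdefault((emp, rec), []).append(parse(ts))
    unjustified = []
    for ts, emp, rec, fields in access_log:
        t = parse(ts)
        justified = any(abs(t - s) <= window for s in transactions.get((emp, rec), []))
        if not justified:
            unjustified.append((ts, emp, rec, fields))
    return unjustified


def repeated_offenders(unjustified, min_hits=2):
    """Group unjustified lookups by (employee, record): repeated pulls of one
    stranger's record is the pattern worth a human review first."""
    counts = {}
    for _, emp, rec, _ in unjustified:
        counts[(emp, rec)] = counts.get((emp, rec), 0) + 1
    return {key: n for key, n in counts.items() if n >= min_hits}


def audit_sample(access_log, k, seed=0):
    """Random sample of lookups an employee can be asked to explain (the
    quarterly-audit idea); seeded so the selection is reproducible."""
    rng = random.Random(seed)
    return rng.sample(list(access_log), min(k, len(access_log)))


if __name__ == "__main__":
    unjustified = find_unjustified_lookups(ACCESS_LOG, SERVICE_LOG)
    for row in unjustified:
        print("UNJUSTIFIED", row)
    for (emp, rec), n in repeated_offenders(unjustified).items():
        print(f"REPEATED    {emp} pulled {rec} {n} times with no transaction")
    for row in audit_sample(ACCESS_LOG, 2):
        print("AUDIT-ASK   ", row)
```

On the sample data the three clerk_b lookups of C-1001 are the only rows without a matching transaction, which is exactly the kind of record a random audit might otherwise miss. The window and the "same employee, same record" rule are deliberately simple; a real deployment would also whitelist roles that legitimately query across transactions, such as fraud investigators.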


Whenever you send a password using a broadcast medium such as Wi-Fi or Bluetooth, someone might be listening. Even if it’s encrypted, you might be giving hackers at least a shot at breaking it.

Researchers have expressed particular concerns about the risk of vulnerabilities in custom radio protocols for wearables and implantables. But what if you could securely send that data through your body, not the air?

And what if you could do it using a fingerprint sensor or touchpad like the one already built into your smartphone or laptop?

That’s the claim of new research from computer scientists and electrical engineers at the University of Washington. As UW assistant professor of computer science and engineering Shyam Gollakota puts it:

Fingerprint sensors have so far been used as an input device. What is cool is that we’ve shown for the first time that fingerprint sensors can be re-purposed to send out information that is confined to the body.

That’s right: even though fingerprint sensors aren’t designed to be active radio transmitters, “during normal operation they produce characteristic electromagnetic signals, which are consistent and at frequencies below 10 MHz” – frequencies that apparently propagate well through the human body.

According to the University of Washington’s description of the research:

These ‘on-body’ transmissions offer a more secure way to transmit authenticating information between devices that touch parts of your body – such as a smart door lock or wearable medical device – and a phone or device that confirms your identity by asking you to type in a password.

Co-lead author Mehrdad Hessar walks through a typical use case:

Let’s say I want to open a door using an electronic smart lock. I can touch the doorknob and touch the fingerprint sensor on my phone and transmit my secret credentials through my body to open the door.

The authors’ paper documents transmission tests across the whole body, demonstrating that their technique works across different body types, and whether the subject is standing, sitting, or lying down. They tested iPhone 5s and iPhone 6s fingerprint sensors, the Verifi P5100 USB fingerprint scanner, and both Lenovo T440s and Adafruit touchpads.

Their technique also held up well against interference from other wearables. (A claimed side benefit of this finding: it might “be difficult for an attacker to transmit an external signal on the air to either jam transmissions or send false information.”)

Don’t expect to watch any HD movies transmitted directly through your fingerprint sensor just yet: Hessar et al. achieved transmission rates of just 25 bits per second. That’s less than a quarter the speed of a 1950s modem.

It’s a long way from a university research lab to your body, but if this proves out, multiple applications are possible. For example:

Instead of manually typing in a secret serial number or password for wirelessly pairing medical devices such as glucose or blood pressure monitors with smartphones, a smartphone could directly transmit arbitrary secret keys through the human body.

Of course, having your body as the transmission medium brings a whole new set of security concerns about man-in-the-middle attacks.


With Artificial Intelligence (AI) starting to reveal its real world potential, Facebook, Google, Amazon, Microsoft and IBM have teamed up to work together in the burgeoning technological space.

Speaking to the BBC, one of the new group’s members revealed that the aims of the consortium, called the ‘Partnership on AI’, are to:

maximise this [AI’s] potential and ensure it benefits as many people as possible

The sentiments are similar to those expressed by the Future of Life Institute, an organisation that aims to “maximize the societal benefit of AI” and famously published an open letter (since signed by a galaxy of tech stars) stressing that it’s “important to research how to reap [AI’s] benefits while avoiding potential pitfalls”.

AI’s potential is indeed far reaching. We can probably expect it to impact almost every aspect of our everyday lives over the coming years: from healthcare and education to manufacturing, energy management and transportation.

Growing fears

And as it does so, we can also expect to see fears continue to grow: fears that AI might replace human labor, undermining the skills that are so crucial to our economies; fears around safety as machines take over complex tasks such as driving vehicles, performing operations and making life and death decisions in war; and fears that we might one day reach the technological singularity from which we can never return, where machines become more intelligent than humans.

We even reported last year how Stuart Russell – an award-winning AI researcher, a Professor of Computer Science at the University of California and author of a leading AI textbook – had likened the dangers of AI to nuclear weapons.

Abating fears and opening discussions

With that in mind, the consortium notes on its website that it was established to:

… study and formulate best practices on AI technologies, to advance the public’s understanding of AI, and to serve as an open platform for discussion and engagement about AI and its influences on people and society.

Co-chaired by Microsoft Research chief Eric Horvitz and co-founder of Google’s DeepMind subsidiary Mustafa Suleyman, it will also include experts from AI research groups and academia. The BBC notes that:

The group will have an equal share of corporate and non-corporate members and is in discussions with organisations such as the Association for the Advancement of Artificial Intelligence and the Allen Institute for Artificial Intelligence.

Taking control

Or maybe there is more to it than simply educating the public, establishing best practices and enabling discussions.

In an interesting article, The Verge takes a deeper look at the list of tenets posted on the partnership’s website. It pays particular attention to the sixth tenet:

Opposing development and use of AI technologies that would violate international conventions on human rights, and promoting safeguards and technologies that do no harm.

Writer Nick Statt notes that this tenet implies a degree of self-regulation – something that the technology giants involved might want to foster as a way of heading off government regulation.

No Apple at the core?

With the other tech giants now firmly showing their commitment to making AI a success, you may well wonder where Apple is. After all, Apple has been working hard on its own AI projects, and has even purchased machine learning start-ups.

Microsoft’s Eric Horvitz revealed to The Guardian:

We’ve been in discussions with Apple, I know they’re enthusiastic about this effort, and I’d personally hope to see them join.

Elon Musk has had plenty to say on the dangers of AI. His own horse in the AI race, OpenAI, is another notable absentee from the consortium, although The Verge reports that discussions between the two have begun.

Where are the brakes?

Whatever your views on the AI revolution, one thing is certain – it will happen.

Having the big tech players working together on such a disruptive technological arena is a good thing, in my opinion, providing that discussions are transparent and outside opinions are listened to and acted upon.

I would, however, feel more comfortable if there was more outside governance.

If the consortium turns into a body for industry self-regulation, are they really going to listen to those concerned with ethics when there are potentially trillions of dollars at stake?


An Ontario octogenarian has been snared in what’s being called a “dragnet cash grab” following Canada’s institution of new copyright infringement rules. She’s on the hook for $5,000, for allegedly downloading Metro 2033, a first-person shooter video game featuring heavy armament and splattered zombies.

CBC News Ottawa reports that 86-year-old Christine McMillan was in for a bit of a shock when she received two emails, back in May, forwarded by her ISP, informing her that she was being held accountable for allegedly illegally downloading a game she says she’s never heard of.

CBC shared a video which it says captures McMillan’s reaction when she was exposed to the game for the first time.

Her thoughts on the game she was accused of illegally downloading:

Dreadful. Who would want to watch this? Disgusting. I can’t understand why anybody would find this… [to be] entertainment?

I mean, anybody who lived through the second world war… or any of the wars… I mean, this would have no appeal as entertainment, I have to tell ya. Disgusting.

As CBC notes, she’s likely one of thousands of Canadians who’ve received notices to pay up, whether they’re guilty of copyright infringement or not.

The notices came from a private company called Canadian Intellectual Property Rights Enforcement (CANIPRE).

As TorrentFreak reports, McMillan is one of hundreds of thousands of Canadians who’ve been accused of copyright infringement under Canada’s “notice and notice” regulations, introduced last year under the Copyright Modernization Act.

The law requires internet providers to forward copyright infringement notices to customers suspected of illegally downloading content, including video games and movies.

According to CBC, the supposed copyright infringers are identified only through IP address. ISPs don’t disclose any further information to the copyright enforcers.

McMillan called the legislation “foolish” and said she “couldn’t believe the government would support” the enforcers “threatening” people over the internet and demanding cash.

In fact, at first, she thought it was a scam, she told CBC:

They didn’t tell me how much I owed, they only told me that if I didn’t comply, I would be liable for a fine of up to $5,000 and I could pay immediately by entering my credit card number.

However, it’s all quite legal.

The owner of CANIPRE, Barry Logan, told CBC that the company ran the wording of the notices past lawyers, and they vetted it for legality.

McMillan said she’s going to ignore the notices and hope the problem will just go away. Hopefully, taking her to court will prove too expensive for the enforcement company, she said.

But how did her IP address get tagged in the first place? She has an adult grandson, but he doesn’t have access to her network, she said.

Who’s shooting mutants with this lady’s IP address?

Assuming we can take McMillan at her word – that she does not spend her time planted on the couch, enjoying a first-person shooter game featuring dark corridors and splattered guts – then how did her IP address get implicated in the alleged copyright infringement?

CBC News Ottawa talked to network security analyst and technology expert Wil Knoll, who suggested that somebody who lives in the same apartment building as McMillan could have accessed her unsecured wireless connection, then downloaded the game using her IP address. Alternatively, even if her network had a password, it could have been hacked, he said.

Knoll:

It’s very hard then to correlate, or nearly impossible, to correlate from that IP address to any individual that’s inside the house, or to prove it forensically.

Especially if these infractions are happening months and months and months ago.

That certainly makes sense. Many people leave their home networks wide open for anybody to use from an outside connection.

The repercussions can be surprisingly nasty.

We’ve seen one instance where a heavily armed SWAT team stormed the wrong house, breaking down the door of a home in Indiana, smashing windows and tossing a flashbang stun grenade, startling an 18-year-old and her grandmother who were watching TV.

Officers were looking for the person behind an anti-police post, from somebody who mentioned, with a smiley emoticon, that they had explosives.

The suspect actually lived in a different house on the same street.

That’s just one example of where a poorly secured home WiFi network can lead. We’ve also seen unsecured networks exploited by people sending pornographic spam or even terrorist-related emails.

Unsecured networks are found in plenty of other places outside of people’s homes or apartment buildings. We know that because Sophos has checked, in many cities around the world.

In experiments in London, New York City, San Francisco and several other big cities, Sophos “warbikers” James Lyne and Chester Wisniewski used a simple set of tools to detect thousands of wireless networks while touring busy neighborhoods on a bicycle.

They found that in every city they visited, there was a high proportion of WiFi hotspots using outdated security or none at all. In London, for example, just 17% of hotspots the researchers scanned had the recommended WPA2 setting for encrypting wireless traffic, and about a quarter of hotspots were open networks, with no encryption at all.

Many of the small businesses running those networks also revealed a lack of security awareness by using default network names with no random element, making it likely they were using default passwords as well (both are bad practices).

Getting WiFi security right is essential for everyone, be it small businesses or owners of home networks.

In fact, unsecure WiFi is one of Sophos’s Seven Deadly IT Sins. You can read more about that and the 6 other sins here.

As far as businesses go, Naked Security can help: here are three tips for small businesses for securing WiFi.
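The warbiking results above are a matter of classifying each network by the security its beacon advertises and by whether its name is a vendor default. The following is an added example, not Sophos’s tooling or code from the article, that does the same over a constructed scan listing in the colon-separated shape of `nmcli -t -f SSID,SECURITY dev wifi` (assumed format; the SSIDs and the list of “default” vendor names are illustrative). It rates each network as open, WEP, WPA1-only or WPA2-capable, flags default names with no random element, and reports the same kind of percentages the article quotes.

```python
import re

# Constructed sample scan in the colon-separated form of
# `nmcli -t -f SSID,SECURITY dev wifi` (assumed format; not a real capture).
SCAN = """\
Linksys:
NETGEAR42:WEP
BTHub5-ABCD:WPA2
Cafe-Guest:
TP-LINK_3F2A:WPA1 WPA2
Smith Family:WPA2
dlink:WPA1
"""

# Vendor default names with no per-device random element (illustrative list):
# a hint that the default admin password may still be in place as well.
DEFAULT_SSID = re.compile(r"^(linksys|netgear|dlink|tp-link|belkin|default)\d{0,2}$", re.I)


def rate_security(security):
    """Map the SECURITY column to one rating: open, wep, wpa1 or wpa2."""
    flags = security.upper().split()
    if not flags:
        return "open"          # no encryption at all
    if "WEP" in flags:
        return "wep"           # broken since the mid-2000s
    if "WPA2" in flags or "WPA3" in flags:
        return "wpa2"          # WPA2 (or better) available: the recommended setting
    return "wpa1"              # WPA1/TKIP only


def classify_scan(text):
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # SECURITY never contains ':', so split on the last one; SSIDs may contain it.
        ssid, _, security = line.rpartition(":")
        nets.append({
            "ssid": ssid,
            "rating": rate_security(security),
            "default_name": bool(DEFAULT_SSID.match(ssid)),
        })
    return nets


def summarize(nets):
    return {
        "total": len(nets),
        "wpa2": sum(n["rating"] == "wpa2" for n in nets),
        "open": sum(n["rating"] == "open" for n in nets),
        "weak": sum(n["rating"] in ("wep", "wpa1") for n in nets),
        "default_name": sum(n["default_name"] for n in nets),
    }


if __name__ == "__main__":
    nets = classify_scan(SCAN)
    for n in nets:
        flag = "  [default name]" if n["default_name"] else ""
        print(f"{n['ssid']:<16} {n['rating']}{flag}")
    s = summarize(nets)
    print(f"WPA2-capable: {100 * s['wpa2'] // s['total']}%  "
          f"open: {100 * s['open'] // s['total']}%  "
          f"WEP/WPA1 only: {s['weak']}  default names: {s['default_name']}")
```

The rating deliberately treats a mixed “WPA1 WPA2” network as WPA2-capable, since that is what the article’s 17% figure counts; a stricter audit would also flag mixed mode, because a client can still be pushed onto TKIP.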


Whether you run a business or are an ordinary user, cyber security should concern you. Even large corporations and government agencies are not immune. A cyber-attack can be more damaging than a conventional one because you may not know where the attacker is, or which files and information they have already reached.

The ramifications can be enormous: an entire national economy can be put at risk if attackers target government agencies or financial institutions such as banks.

It is therefore important to understand the weaknesses that attackers exploit so that you can take preventive measures. Keep reading for five cyber-security vulnerabilities common in today’s online world.

1. Buffer Overflows

Buffers are contiguous regions of memory used to hold data such as character strings or arrays of integers. A buffer overflow happens when a program writes more data into a buffer than it was allocated to hold, so the excess spills into adjacent memory.

An attacker who knows how the target program lays out its buffers on the stack or heap sends more data than the buffer was sized for. Because the program does not check the length, the excess overwrites neighbouring memory, such as other variables or a saved return address. By controlling what lands there, the attacker can crash the program or redirect execution to code of their choosing.

2. Injection Vulnerabilities

This is a very common flaw and one that attackers exploit effectively. It arises when an application passes untrusted data to an interpreter as part of a command or query; SQL, LDAP, XPath and XML parsers are frequent targets. Injection flaws are usually easy to spot when reviewing the code, but harder to find by testing the running application. A successful injection can disclose or destroy data, and in some cases hand the attacker control of the target machine.
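To make the SQL case concrete, here is an added example (not from the original post) using Python’s built-in sqlite3 module: a login query that splices the username into the SQL text, beside the parameterized version that sends the same value as data. The table, the users and the two payloads are constructed for the demonstration; the column is called `password_hash` only to avoid suggesting plaintext passwords, and the hashing itself is out of scope.

```python
import sqlite3


def make_db():
    """In-memory database with two constructed users (illustrative only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "h1", 1), ("bob", "h2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Untrusted input is pasted into the SQL text, so the interpreter treats
    quotes and comment markers inside it as part of the query."""
    sql = (
        "SELECT id, username, is_admin FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    """Placeholders keep the query shape fixed; the values are bound as data
    and can never change the statement's structure."""
    sql = (
        "SELECT id, username, is_admin FROM users "
        "WHERE username = ? AND password_hash = ?"
    )
    return conn.execute(sql, (username, password_hash)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # "--" starts an SQL comment, so the password check is discarded.
    bypass = "alice' --"
    # Tautology plus comment: returns every row in the table.
    dump_all = "x' OR '1'='1' --"
    print("vulnerable, bypass :", login_vulnerable(db, bypass, "wrong"))
    print("vulnerable, dump   :", login_vulnerable(db, dump_all, "x"))
    print("safe, bypass       :", login_safe(db, bypass, "wrong"))
    print("safe, real creds   :", login_safe(db, "alice", "h1"))
```

The vulnerable function logs the attacker in as the admin without a password, and the second payload lists every user; the parameterized function returns nothing for both payloads and still works for the genuine credentials. The same discipline applies to LDAP, XPath and shell commands: keep the command text constant and bind the data.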

3. Sensitive Data Exposure

This occurs when an unauthorized party gains access to users’ sensitive data. It usually happens when data is transmitted unprotected between systems, though it can also affect data at rest. The attacker may steal the data from storage or intercept it in transit. The root cause is usually missing or weak encryption: if your organization’s data is not properly encrypted, it may end up exposed to the whole world.

4. DDoS attacks

DDoS (Distributed Denial of Service) attacks are among the most disruptive items on this list. They flood the target’s servers with so much traffic that the servers become unreachable or crash. A DDoS can also serve as a smokescreen that keeps the IT team busy while the attacker does something worse. These attacks grow more sophisticated every day, and companies that do not prepare for them risk losing data or customers.

5. Social Media Attacks

Social media attacks are rampant today. Attackers use social media content to distribute malware or steal sensitive data, and the platforms let them reach a large audience almost instantly. Attackers are constantly devising new techniques to exploit social networks.

Endnote

The attacks listed above are among the most common cyber-threats today, though the list is neither conclusive nor comprehensive. Other weaknesses, such as Broken Authentication and Session Management and Security Misconfiguration, are also widespread; here we have covered only the most common.


There’s nothing more distracting for a motorist than having to pull over and protect yourself from zombie genitals, but at least a vandalized road sign cared enough to suggest what might work to do so.

On Monday, Matt Sweeting-Woods posted a video titled “modern vandalism” on Instagram.

It displayed a traffic sign in Ottawa’s Stittsville neighborhood that had been tampered with to display this advisement:

ZOMBIE D*CKS AHEAD!

PROTECT YOUR VAGINA

— USE CONDOMS

According to Canada’s National Post, it’s not clear when the sign was messed with.

Sgt. Dan Berrea of the Ottawa police told the publication that police would open an investigation only if they received a complaint.

Note that we’re not saying the sign was hacked remotely.

Granted, the road sign likely wasn’t supposed to display messages about safe zombie sex.

The portable signs more typically display messages to inform drivers that an exit’s closed, or that there’s construction work ahead, rather than stating things like…

Rather than being hacked remotely, it’s more likely that people got into the control panel and manually changed the messages on all those road signs.

In the case of the reptilian Republican message, put up on a road sign in June, Texas Department of Transportation’s Ryan LaFontaine said that the signs can’t be tampered with remotely:

You have to actually be there. Power it up and get in there and break the password.

“Break,” or maybe just “guess at,” or, then again, perhaps “find the spot where somebody scribbled it down”?

You’d think we’d all know better than to put passwords on sticky notes or, say, scribble them onto a highway sign, but alas!

We do not.

As LaFontaine pointed out, messing with these signs constitutes a serious crime. In the US, it’s a third-degree felony punishable with prison time.

And of course, for safety’s sake, we really do need to keep from distracting motorists.



National Cybersecurity Awareness Month: Week Four

Our Continuously Connected Lives: What’s Your “Aptitude”?

For those of us in the technology world, the blistering pace at which innovation hits the market is a reality that we thrive on. We seek out new software and devices like many children long for Christmas gifts. In connection with our affinity for technology and connectedness, many of us grow complacent with the latest buzz generating device and continue to look forward to the next big thing.

In terms of cybersecurity, the breakneck speed at which technology moves doesn’t always lend itself to a sound footing when it comes to safety. Often, the pace of innovation in connectivity outruns the security thinking behind the devices. Yet, with the tremendous benefits that technological innovations can deliver, these developments also come with increased risks and vulnerabilities that shouldn’t be minimized. It follows that those of us who seek out increased connectivity will need mounting levels of awareness of the growing risks, coupled with thorough strategies to protect our devices, data, and digital lives in this brave new world.

From the view of someone who evangelizes the necessity of security, the current approach to technical innovation appears to operate on an “invent first, secure second” paradigm. While this approach may lead to unencumbered product launches, it does not fully consider the long-term ramifications of such myopia on the cybersecurity front. Many technical experts have long expounded the need for cybersecurity to be a foundational element of innovation rather than a process tacked on as an afterthought to connectivity.

An appropriate case study of this phenomenon would be the rise of IoT devices, which run the gamut from thermostats to fully automated, self-driving cars. There are countless articles that point to the particular susceptibility these IoT devices present in terms of lacking security. Certainly, we can all agree that having our thermostats hacked is not something anyone desires, but having a vehicle hacked presents an altogether more life threatening situation. Yet, the future of cybercrime and hacking may well hinge on this transition from data theft to tangible physical harm emanating from these cyber threats.

Given the gravity of this all but certain transition, the public’s aptitude for living in a continuously connected world must increase. Just as walking alone at night on a city street requires heightened awareness to our surroundings, our new, always on, digital age will also require ongoing vigilance in response to the threats that emerge around us. This evolution in the way we live shouldn’t surprise us as the history of mankind is one of continual innovation and change.

Given the certainty of change and the emergence of criminals ready to exploit it, consumers and technology providers must both be equally committed to employing wisdom, precaution, and perhaps a healthy dose of paranoia before we plug in to fully connect our lives. Thankfully, there are an abundance of resources to help us develop an aptitude for digital security.


Cybersecurity Evangelist says financial cybercrime in 2017 will shift focus to businesses.

Limor Kessem, a top cyber-intelligence expert at IBM Trusteer, expects things to get very intense in 2016 as more organized crime groups step up their presence in the digital realm. Her predictions are worth heeding: the trends IBM Security predicted in 2016 exceeded even its own forecasting.

Kessem points out that today’s organized cybercriminals are highly experienced developers, with an average age of 35. These are not the young hackers most of us imagine holed up in their parents’ basements, chugging designer caffeinated drinks while they sit in front of multiple screens clacking away at their keyboards.
Today’s cybercriminals are often members of organized cybercrime “mobs.” These consist not only of the attackers (hackers); they are headed by crime bosses and include other criminals who know how to move the stolen funds through the money laundering process.

With larger companies becoming better defended, cybercriminals are moving down to the SMB market. This is bad news for smaller business owners who feel that, because their annual revenue is less than that of larger organizations, they can cut their security spending. These cybercriminals know that small businesses don’t invest as much in security, and they are good at finding weak targets.

In a recent article written by Rob Rudloff, Partner-in-Charge of the Cyber Security Risk Services at RubinBrown, one of the nation’s top 50 accounting and business consulting firms, he recommends a multi-pronged approach to protecting your company against cyber-criminals. Among his tips are to create a culture where it is OK for employees to self-report if they have clicked on something potentially harmful. Rudloff also reminds readers to implement internal controls and to understand that proper technology is part of the overall solution.

The trend of using customized malware and software development expertise, which made 2015 highly profitable for cyber-criminals, will continue in 2016. Industries that can expect to be targeted most often again this year are computer services, retail and healthcare.


How do you shame an unencrypted website?

The bard might advise that your sites be foul, undigested lumps, and the developers scullions! Rampallians! Fustilarians!

Then he’d likely threaten to tickle their catastrophes and their venomous toad-tainted nonencryptiousness.

Google Chrome, on the other hand, plans to strip it down: starting in January 2017, the browser will start flagging some unencrypted sites as plain old “Not Secure.”

OK. Well. It’s a start.

The “NS” label is the first step in Google’s eventual plan to shame all sites that don’t use encryption.

On Thursday, Emily Schechter, of the Chrome Security Team, said on the official Google security blog that the first step is to flag HTTP sites that transmit passwords or credit cards.

Then, it’s on to all the other obscene, greasy tallow-catches.

Google’s been pushing toward all-HTTPS for a while now.

In March 2014, during the unveiling of the ever-widening NSA/GCHQ/FBI/et al surveillance state, Google started using an always-on HTTPS connection and encrypting all Gmail messages moving internally on its servers.

At that time, only 50% of requests handled by Google were encrypted.

That meant that some of the web’s most trafficked locations were vulnerable: major news sites, for example, where intruders tinkering with content or spying on us could have major repercussions.

The percentage of encrypted sites has gradually climbed over the past two years. In March, Google’s Transparency Report said that it was securing 75% of our non-YouTube internet traffic.

The company also said that its aim was to hold itself accountable and to encourage others to encrypt so the web would be all that much safer for everyone.

That 75% obviously reflected progress over two years, but it still left 25% of traffic “in the clear,” as cryptographers put it.

That means that the HTTP sites aren’t using the encryption that’s commonly referred to as HTTPS. When a site’s using it, a browser’s address bar will show a padlock.

Without the S added to “HTTP” and the padlock, traffic is traveling without the encryption standard, Transport Layer Security (TLS).

It’s important to note that HTTPS isn’t only about confidentiality – which is how most people think of encryption – but also about authenticity and integrity, which in many cases are even more important.

This means that, without HTTPS, eavesdroppers can not only access the data flowing over the internet, seeing everything we do on a site, but can also intercept it and manipulate it.

When traffic is unencrypted, it opens up our online activities to anyone using the same Wi-Fi at the local coffee shop, who can steal our passwords or banking information. It also enables our online activity to be tracked and sold to advertisers by Internet Service Providers (ISPs).

It allows both governments and cybercriminals to keep an eye on what sites we’re visiting and what we’re reading, as well to alter what we see and where we go, whether that’s to censor content or to divert our banking transactions to the wrong recipients.

Beyond the uptick in encrypted traffic, there have been other improvements: Google recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS.

In addition, since February, when Google released a report on which top sites were using HTTPS, twelve more of the top 100 websites changed their serving default from HTTP to HTTPS.

As it now stands, Chrome indicates HTTP connections with a neutral indicator that doesn’t even hint at the true lack of security for HTTP connections, Schechter explained.

Here’s the plan: starting in January with Chrome 56, password or credit card form fields on non-encrypted sites will be labeled “not secure.”

Then, in following releases, those HTTP warnings will be extended: for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy.

Eventually, all HTTP pages will be labeled non-secure, and the HTTP security indicator will change to the red triangle/exclamation mark that Google uses for broken HTTPS.
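To see which of your own pages would pick up the label at each stage of the rollout described above, the following audit script classifies a page by its URL scheme and by whether it carries password or credit-card form fields. This is an added example, not Google’s or Chrome’s code; Chrome’s real field-detection heuristics are not described on this page, so keying on `type="password"` and the HTML `autocomplete="cc-*"` tokens is an assumption, and the sample pages are constructed for the demonstration.

```python
"""Audit which pages would be labelled "Not Secure" under the Chrome
HTTP-warning rollout (added example; the field heuristics are assumptions)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Credit-card autocomplete tokens from the HTML spec. Assumption: Chrome keys
# on fields like these; the page does not document the browser's heuristics.
CC_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month",
                   "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Collect password and credit-card <input> fields from a page."""

    def __init__(self):
        super().__init__()
        self.password_fields = []
        self.cc_fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Boolean attributes arrive with a None value; normalise to "".
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        name = a.get("name") or a.get("id") or "<unnamed>"
        if a.get("type") == "password":
            self.password_fields.append(name)
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            self.cc_fields.append(name)


def find_sensitive_fields(html):
    """Return (password_field_names, credit_card_field_names) for a page."""
    p = SensitiveFieldFinder()
    p.feed(html)
    p.close()
    return p.password_fields, p.cc_fields


def chrome_indicator(url, html, phase=1, incognito=False):
    """Address-bar label for a page under each rollout phase from the post.

    phase 1: Chrome 56 - HTTP pages with password/credit-card fields
    phase 2: additionally any HTTP page loaded in Incognito mode
    phase 3: every HTTP page
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "Secure"
    if scheme != "http":
        raise ValueError(f"unsupported scheme: {scheme!r}")
    passwords, ccs = find_sensitive_fields(html)
    if passwords or ccs:
        return "Not Secure"
    if phase >= 2 and incognito:
        return "Not Secure"
    if phase >= 3:
        return "Not Secure"
    return "Neutral"


def audit(pages, phase=1, incognito=False):
    """Map each (url, html) pair to its label; feed it your own crawl."""
    return {url: chrome_indicator(url, html, phase, incognito)
            for url, html in pages}


# Constructed sample pages (not real sites).
LOGIN_HTML = ('<form method="post" action="/login">'
              '<input name="user"><input type="PASSWORD" name="pw">'
              '<input type="submit"></form>')
CHECKOUT_HTML = ('<form><input name="card" autocomplete="cc-number">'
                 '<input name="zip"></form>')
NEWS_HTML = '<h1>Headlines</h1><input type="search" name="q">'

if __name__ == "__main__":
    pages = [("http://example.test/login", LOGIN_HTML),
             ("http://example.test/checkout", CHECKOUT_HTML),
             ("http://example.test/news", NEWS_HTML),
             ("https://example.test/login", LOGIN_HTML)]
    for phase in (1, 2, 3):
        print(f"phase {phase}:", audit(pages, phase=phase))
```

Run it against the HTML of your own pages: anything reported "Not Secure" in phase 1 is a login or checkout form that Chrome 56 will flag in January; anything that only turns "Not Secure" in phase 3 is plain HTTP content you still have time to migrate.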

Sounds great, for sure, and hopefully Google will manage to do it in a way that users won’t ignore. As Google is no doubt aware, people ignore security alerts up to 87% of the time.

Google isn’t pretending that encryption is easy, but it does offer reassurances that it’s not quite as onerous, or expensive, as it’s previously been.

Google notes that encryption also enables both the best performance the web offers and powerful new features that are too sensitive for HTTP.

Google’s offering set-up guides to get started.

So, obviously, developers, be you as chaste as ice, as pure as snow, but still you turn from encryption, you shall not escape calumny. Get you to an encryptionery.

Go! Farewell! We hope to welcome you anon soon to the land of HTTPS!

Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.