Well, how was everybody’s weekend? For me it was a cold, damp place here in my apartment in Chi Town. In fact, when the weather finally warmed up yesterday, it was about 10 degrees warmer than inside my apartment. Don’t understand that one. Well anyways, I had a little bit of excitement with my little virtual private server. Over the weekend, without my choice, Windows decided to do an update o sorts (this is not the one where it just takes a few minutes, but rather, where it took almost two hours).
Well, during this process, somewhere and somehow, my remote desktop connection to the server couldn’t work. It said something about an Oracle encryption issue. So I called tech support, and after spending over an hour on the phone with them, we finally found the resolution.
Apparently, the updates messed something up with the connection to the virtual private server, so I had to manually edit the registry and add a new line and decimal value in there. Now it all seems to work just fine. But, this brings up an entirely new topic, of which I have not talked too much about on this post. That is, the science of Cryptography, and encryption.
You probably have heard about it in all of the latest headlines, to use what is known as “Encryption”. This is simply the art of scrambling a message into a garbled format so that if a Cyber attacker were to intercept it, for the most part, it would be rendered as useless. Take for example an email message at work. You draft up something confidential for your boss, and somewhere in your email package, you have an option to encrypt the message.
This will put that message into a garbled state, until your boss receives it, and unscrambles it. But usually these days, this process is totally automatic, and it all happens behind the scenes. There are many free software packages that will do this for you. Two such popular tools widely used are known as “PGP” and “S/MIME”.
But however, a team of researchers from Europe have found some critical security issues with these two software packages. The bottom line is that while you may be thinking that your email message to your boss is all safe and such, it really may not be. It still may remain in its original, or ungarbled format. This is also known as “Plaintext”.
An even greater risk: If you have used these two software packages in the past for older e-mail messages, they may be a grave risk as well. Here is a more technical overview into what these two software packages are exactly all about:
“PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication.”
“S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.”
Yea, I know that there is a lot of techno jargon associated with all of this, especially with the last quote. But don’t read too much into them, I just wanted to share with all of you some further details on what these software packages are about, in case you never have heard of them before.
But interestingly enough, there are no details on these specific vulnerabilities, or how to fix them, or even if there are any software patches/upgrades that are available. The only recommendation provided was to simply uninstall these two software packages, and use some other alternative tools, such as “Signal”. This package can be downloaded here:
The only other specific information offered was that the following plugins were impacted from within these two packages:
- Thunderbird with Enigmail
- Apple Mail with GPGTools
- Outlook with Gpg4win
Finally, the security researchers claimed that it is not the actual encryption process that is flawed, but in the way the unscrambling or “decryption” process works in the above mentioned plug ins. I wish there was more I could offer, but at this point, I cannot. I really don’t use the above S/MIME and PGP. I would say that if you use these two packages, perhaps pay more attention to them, or just don’t use them at all for the time being.
There are plenty of other free encryption tools out there, and a simple Google search will reveal them all. In the meantime, if I have any updates, I will be sure to post them on this blog site.