Latest news with #E2EE
Yahoo
11-06-2025
- Business
- Yahoo
WhatsApp tells BBC it backs Apple in legal row with UK over user data
WhatsApp has told the BBC it is supporting Apple in its legal fight against the UK Home Office over user data privacy. The messaging app's boss, Will Cathcart, said the case "could set a dangerous precedent" by "emboldening other nations" to seek to break encryption, which is how tech firms keep their users' data private. Apple went to the courts after receiving a notice from the Home Office earlier this year demanding the right to access the data of its global customers if required in the interests of national security. It and other critics of the government's position say the request compromises the privacy of millions of users. The BBC has approached the Home Office for comment. It has previously declined to comment directly on the Apple case. But it has told the BBC the government's "first priority" is "to keep people safe" and the UK has a "longstanding position of protecting our citizens from the very worst crimes, such as child sex abuse and terrorism, at the same time as protecting people's privacy." WhatsApp has applied to submit evidence to the court which is hearing Apple's bid to have the Home Office request overturned. Mr Cathcart said: "WhatsApp would challenge any law or government request that seeks to weaken the encryption of our services and will continue to stand up for people's right to a private conversation online." This intervention from the Meta-owned platform represents a major escalation in what was an already extremely high-profile and awkward dispute between the UK and the US. Apple's row with the UK government erupted in February, when it emerged ministers were seeking the right to be able to access information secured by its Advanced Data Protection (ADP) system. The argument intensified in the weeks that followed, with Apple first pulling ADP in the UK, and then taking legal action against the Home Office. 
It also sparked outrage among US politicians, with some saying it was a "dangerous attack on US cybersecurity" and urging the US government to rethink its intelligence-sharing arrangements with the UK if the notice was not withdrawn. Tulsi Gabbard, the director of US National Intelligence, described it as an "egregious violation" of US citizens' privacy. Civil liberties groups also attacked the UK government, saying what it was demanding had privacy and security implications for people around the world. Apple's ADP applies end-to-end encryption (E2EE) to files such as photos and notes stored on the iCloud, meaning only the user has the "key" required to view them. The same technology protects a number of messaging services, including WhatsApp. That makes them very secure but poses a problem for law enforcement agencies. They can ask to see data with lower levels of protection - if they have a court warrant - but tech firms currently have no way to provide access to E2EE files, because no such mechanism exists. Tech companies have traditionally resisted creating such a mechanism not just because they say it would compromise users' privacy but because there would be no way of preventing it eventually being exploited by criminals. In 2023, WhatsApp said it would rather be blocked as a service than weaken E2EE. When Apple pulled ADP in the UK it said it did not want to create a "backdoor" that "bad actors" could take advantage of. Further complicating the argument around the Home Office's request is that it is made under the Investigatory Powers Act, the provisions of which are often secret. When the matter came to court, government lawyers argued that the case should not be made in public in any way for national security reasons. However, in April, a judge agreed with a number of news organisations, including the BBC, and said certain details should be made public.
"It would have been a truly extraordinary step to conduct a hearing entirely in secret without any public revelation of the fact that a hearing was taking place," his ruling stated. At the time, the government declined to comment on the proceedings but said: "The UK has robust safeguards and independent oversight to protect privacy and privacy is only impacted on an exceptional basis, in relation to the most serious crimes and only when it is necessary and proportionate to do so."


Forbes
31-05-2025
- Business
- Forbes
Apple May Offer Major Messages Upgrade To Android And iPhone In Days, Report Says
Apple's Messages app could be about to get much better, if a promise that Apple made earlier in the year comes good at WWDC, the company's big developer conference that kicks off on Monday, June 9. That's down to making messaging more secure. As you'll know, until recently, if a green bubble appeared in your messages, it indicated that it was just a regular SMS message, rather than the end-to-end-encrypted message indicated by a blue bubble. Usually, though not always, green bubbles were because the messages came from an Android phone. The trouble with traditional SMS is it's basic and lacks security, so Apple's decision last year to integrate the more advanced RCS Universal Profile was welcome, offering more advanced messages between Android and Apple platforms: rich messages with larger media files and audio. In March this year, Apple announced it would be bringing E2EE to RCS. 'End-to-end encryption is a powerful privacy and security technology that iMessage has supported since the beginning, and now we are pleased to have helped lead a cross-industry effort to bring end-to-end encryption to the RCS Universal Profile published by the GSMA. We will add support for end-to-end encrypted RCS messages to iOS, iPadOS, macOS, and watchOS in future software updates,' Apple said. Google swiftly followed suit, saying it was 'committed to providing a secure messaging experience.' Now, a year after RCS arrived on the iPhone, 9to5Mac is reporting that E2EE could be imminent: 'With this capability incorporated into the standard, all Rich Communication Standard (RCS) messaging between iPhone and Android users would be completely unreadable to backend intermediaries—its contents encrypted, scrambled into gibberish, and only unlockable by the decryption key stored on the user devices,' it said. 'What better place to demonstrate Apple's device privacy and security lead,' than at WWDC, the report asks. Just don't expect those green bubbles to go anywhere.


Forbes
28-04-2025
- Forbes
Google's Gmail Upgrade—Why You Need To Change Your App
Update: Republished on April 28 with new report into AI-fueled email attacks. As an interesting week for Google comes to an end, with Gmail under attack from hackers and Chrome under attack from legislators, a new warning has been issued for its 3 billion users. This was entirely predictable — and you need to take it seriously. As I've said before, the flurry of excited headlines that followed Google's announcement that it was bringing end-to-end encryption to Gmail were premature. Putting aside the fact this isn't really end-to-end encryption, because a user's organization controls the security and not their own client or 'end,' there are other serious concerns. End-to-end encryption doesn't work in email. By its nature, it's an open architecture. That's why it's one of the few data types excluded from Apple's end-to-end encrypted enclave under its Advanced Data Protection. Platforms such as Proton provide a walled garden to address this and password protect emails sent outside. Google can end-to-end encrypt emails within an organization or when it's Gmail to Gmail as it controls both ends, albeit that's still not strictly end-to-end encryption per the point above. But when the recipient 'is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email.' Wired correctly warns that 'the fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.' The other issue is that end-to-end encrypting emails breaks other Gmail features.
Its new AI-powered relevancy search, for example, can't operate on encrypted emails, so they will be missing from any results. As Google confirmed to me, its cloud AI processing rightly can't see fully encrypted user content. All these problems stem from the same cause. Email needs a rethink. It's an archaic platform reliant on a past-due architecture. It's similar to SMS, an open standard that worked for decades but then ran out of steam. Users now demand less spam and scams, better authentication as to who's contacting them, and secured content in messaging. Google says it will add a warning with its new encrypted emails, telling users 'be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.' But as MalwareBytes suggested to Wired, 'it's almost as if someone at Google knew this was a bad idea and asked for a warning to be added. It's quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.' And the acceleration of AI-fueled phishing attacks makes this more dangerous and likely to scale more quickly as well. This is the same reason you're seeing warnings that email attacks can even seem to come from Google itself. And similarly, a new warning has hit Zoom users with a device take-over attack that seems to come from Zoom. Polymorphic phishing, a form of AI mass customization that tweaks individual emails at scale to evade detection, is accelerating fast. 'Polymorphic phishing emails have become highly sophisticated,' Security Week warns, 'creating more personalized and evasive messages that result in higher attack success rates. Of all phishing emails we analyzed, 82% contained some form of AI usage, a 53% year-over-year increase.'
Remember, the exploitation of Gmail's new encryption per the various warnings now being issued relies on phishing emails being sent out, dressed up as Google's encrypted email notifications with a link. All of which is now ridiculously simple with AI. As the team warns, 'AI scans publicly available data on the victim's role, interests, and communication style to send a personalized and convincing message.' All of which means the lure around the encrypted email link can be fully personalized. If you're in a new job or a new home, the secure document might pretend to link to that. The enterprise email market is flying, 'with more businesses and individuals relying on email as a primary means of communication, the demand for advanced email solutions has skyrocketed,' per a new industry report. But that growth is driven by the ease of deployment of cloud platforms — including Gmail — and its openness. Encrypting email content within an organization does make sense, as does the occasional restricted email sent between email platforms. But the idea that fully encrypted email becomes mainstream will not work with today's platforms. And so, if you want fully encrypted comms, just use a different app.


Forbes
27-04-2025
- Forbes
New Gmail Feature Leaves Millions Of Email Users Open To Attack
Gmail users warned as new feature brings risk of attack. Update, April 27, 2025: This story, originally published April 25, has been updated with new information from security experts concerning Google alert impersonation attacks that target Gmail users and further advice to mitigate the Gmail encryption message threat to users of other email platforms. Love it or loathe it, with nearly 2 billion users, Google's Gmail platform cannot be ignored. That's certainly the case when it comes to hackers, scammers and cybercriminals of all types. They are drawn to the web-based email service like no other. All email platforms are targeted by criminals, that's for sure, but Gmail has the biggest bullseye on its back courtesy of that user base. Sophisticated new Gmail threats are constantly being reported, while Google responds with security updates to counter them. Some updates that have long been anticipated by eager users could, however, spread the risk of attack beyond just those folks using Gmail. That's the warning from one leading cybersecurity expert as Google introduces end-to-end encryption for Gmail. Here's what you need to know. Generally speaking, you would not talk about the addition of encryption to a platform as anything other than a blessing for those who value security and privacy. When Google announced that it was bringing end-to-end encryption to all businesses, I was certainly excited, not least because it has been a long time coming. To coincide with the 21st birthday of Gmail, Google said it would be rolling out the ability for enterprise users 'to send E2EE messages to any user on any email inbox with just a few clicks.' The process by which this encryption service works involves a kind of protective bubble that surrounds the email in question. So, what's the issue? Well, if you send such an encrypted email bubble to a Gmail user, then it gets automatically decrypted in their inbox, no problem there. 
If the recipient isn't a Gmail user, however, they are presented with an invite to view the email within a restricted version of Gmail, using a Google Workspace guest account. As Jérôme Segura, the senior director of threat intelligence at Malwarebytes, told Wired, 'users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.' We already know how AI-powered phishing attacks are blurring the lines between reality and risk, and you can be sure that scammers will be looking for the best way to create fake invitations within a convincing threat campaign to gain access to the potential victim's email account credentials. It's not just the addition of the end-to-end encryption feature that could enable malicious actors to attack email users while disguised as genuine Gmail communications. As I recently reported, Google impersonation is rife among those who would use trickery and guile to relieve you of your Gmail account credentials. What has become known as the Gmail Subpoena attack employed trust in Google's own protections and platforms, sending a fake security alert from a genuine Google domain to bypass the strict DomainKeys Identified Mail authentication checks employed by Gmail. The email alert was sent from an absolutely legitimate 'no-reply@ address. What's more, Gmail even 'helpfully' sorted it into the same conversation that contained other Google security alerts. The scam relied upon the apparent legitimacy of the email along with the sense of urgency and fear created by receiving notification that a supposed subpoena requiring Google to produce a copy of the Gmail account content had been served. The victim was advised that they could examine the subpoena itself or lodge a formal protest. 
The stinger being, of course, that doing either required them to follow the instructions given and that would lead them to fake Google support pages that, inevitably, would require an account security confirmation and ultimately, dear reader, account compromise. James Shank, director of threat operations at Expel, warned at the time that there are scaling, performance, and legacy support issues to be taken into account whenever developers design security controls, and that includes the likes of DomainKeys Identified Mail authentication controls. You have to remember that these controls are 'optimized for a specific, intended task and should be implemented with the understanding of these constraints,' Shank said. Which means that just because an email message passes DKIM authentication, that is no ironclad guarantee that it is safe. 'DKIM validation failure does indicate a problem,' Shank conceded, 'but the inverse, successful DKIM validation, doesn't necessarily mean the message is benign.' Whereas the security industry is, it seems, always looking for definite signals to determine if something is either good or bad, safe or dangerous, secure or insecure, there is a third state as seen with the whole DKIM authentication process. That state, Shank said, is 'it's valid in this very specific way.' It's critical, therefore, Shank continued, that when determining any action you make sure protection actions are driven with the full context of what the security control states. 'In this case, DKIM won't flag the message,' Shank said, 'but other controls responsible for content detection and filtration should still assess the message content.' Gmail spokesperson Ross Richendrfer told me that Google has now rolled out updated security measures to counter the techniques used by the Gmail Subpoena threat actor in these highly targeted attacks.
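The distinction Shank draws above, that a DKIM pass is a narrow statement about who signed the message and not a verdict on its safety, as an added Python example that is not part of the article: it reads the DKIM result and signing domain from a message's Authentication-Results header, then assesses the content separately (link hosts outside the signing domain, credential prompts). The sample message, the domains in it and the phrase list are all constructed assumptions.

```python
"""After DKIM: the signature says who signed, so link destinations and credential
prompts are checked as a separate content control, as Shank describes."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample (not a real message): DKIM passes for example.com, yet the body
# steers the reader to a login page on an unrelated host. All values are made up.
SAMPLE = """\
Authentication-Results: mx.receiver.test; dkim=pass header.d=example.com; spf=pass
From: Example Notifications <no-reply@example.com>
To: user@receiver.test
Subject: You have received an encrypted message
Content-Type: text/plain; charset=utf-8

An encrypted message has been shared with you.
Be careful when signing in to view this encrypted message.
Sign in here: https://secure-mail-login.invalid/view?id=123
Help: https://support.example.com/encrypted
"""

# Phrases that ask the reader for credentials; assumed list for the example.
CREDENTIAL_PROMPTS = (
    "enter your username and password",
    "sign in",
    "confirm your account",
    "verify your identity",
)


def parse_dkim(auth_results: str):
    """Return (result, signing_domain) from an Authentication-Results value.
    header.d carries the signature's d= tag, header.i its i= identity."""
    m = re.search(r"dkim=(\w+)((?:\s+[^;]*)?)", str(auth_results), re.I)
    if not m:
        return ("none", None)
    dom = re.search(r"header\.(?:d|i)=@?([\w.-]+)", m.group(2), re.I)
    return (m.group(1).lower(), dom.group(1).lower() if dom else None)


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain or a subdomain of it (simple, not PSL-aware)."""
    return host == domain or host.endswith("." + domain)


def extract_links(body: str):
    return re.findall(r"https?://[^\s<>\"']+", body)


def assess(raw: str) -> dict:
    """Combine the DKIM statement with content signals into a routing verdict."""
    msg = message_from_string(raw, policy=policy.default)
    dkim_result, signing_domain = parse_dkim(msg.get("Authentication-Results", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings = []
    for url in extract_links(body):
        host = (urlparse(url).hostname or "").lower()
        if signing_domain and not same_org(host, signing_domain):
            findings.append(f"link to {host} outside signing domain {signing_domain}")
    lowered = body.lower()
    prompts = [p for p in CREDENTIAL_PROMPTS if p in lowered]
    if prompts and findings:
        findings.append("credential prompt combined with off-domain link")
    if dkim_result == "fail":
        verdict = "reject"   # a failed signature is itself a problem
    elif findings or dkim_result != "pass":
        verdict = "review"   # valid (or absent) signature, content still needs review
    else:
        verdict = "deliver"
    return {"dkim": dkim_result, "signing_domain": signing_domain,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The sample passes DKIM for example.com and still lands in review, because the sign-in link points off-domain and sits next to a credential prompt.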
Don't be fooled into thinking that it's just Gmail users who are subject to genuine domains being used in email-based attacks; as I reported on February 24, PayPal users have been caught out in a very similar way. As I said in the original article, getting an email from someone claiming to be PayPal and suggesting you've added a new address to your account and purchased a MacBook M4 might appear to have all the hallmarks of a scam, but when that email originates from a genuine PayPal email domain things are not that clear cut. The phishing emails in question were, you see, sent from a quite genuine and authenticated PayPal email address of service@ In the case of the PayPal attacks, the trick was to use a gift address that had been added to a genuine account in order to generate the email text, to be edited by the attacker at a later date. The email headers in question showed that the emails were sent to a no-reply address and were then being forwarded to a mailing list that contained the addresses of the victims in the sting. Adding a scam address to PayPal generated a confirmation email sent to the address of the threat actor, which was then forwarded to the mailing list. 'PayPal takes seriously our efforts to protect customers from evolving scams and fraud activity, including this common phishing scam,' a PayPal spokesperson said. 'We encourage customers to always remain mindful online and to visit for additional tips on how to protect themselves.' Such phishing attack risks are not, by any means, restricted to Gmail alone. Any email platform is exposed to this kind of attack, with scammers using fraudulent alerts and malicious links to entrap victims.
As part of the process to alert users to the potential risk of such threats, Google has even added this warning to the encrypted email invitations that will be sent to non-Gmail users: 'Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.' Richendrfer said that the new Gmail end-to-end encryption update has been built from the ground up with this kind of risk firmly in mind. 'The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file,' Richendrfer confirmed. 'All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well,' Richendrfer advised. Google will never ask for any of your account credentials, Richendrfer concluded, including Gmail account passwords, one-time 2FA passwords or to confirm push notifications.


Forbes
26-04-2025
- Forbes
New Gmail Upgrade — Millions Of Email Users Now At Risk Of Attack
Gmail users warned as new feature brings risk of attack. Update, April 26, 2025: This story, originally published April 25, has been updated with information concerning Google alert impersonation attacks that target Gmail users and further advice to mitigate the Gmail encryption message threat to users of other email platforms. Love it or loathe it, with nearly 2 billion users, Google's Gmail platform cannot be ignored. That's certainly the case when it comes to hackers, scammers and cybercriminals of all types. They are drawn to the web-based email service like no other. All email platforms are targeted by criminals, that's for sure, but Gmail has the biggest bullseye on its back courtesy of that user base. Sophisticated new Gmail threats are constantly being reported, while Google responds with security updates to counter them. Some updates that have long been anticipated by eager users could, however, spread the risk of attack beyond just those folks using Gmail. That's the warning from one leading cybersecurity expert as Google introduces end-to-end encryption for Gmail. Here's what you need to know. Generally speaking, you would not talk about the addition of encryption to a platform as anything other than a blessing for those who value security and privacy. When Google announced that it was bringing end-to-end encryption to all businesses, I was certainly excited, not least because it has been a long time coming. To coincide with the 21st birthday of Gmail, Google said it would be rolling out the ability for enterprise users 'to send E2EE messages to any user on any email inbox with just a few clicks.' The process by which this encryption service works involves a kind of protective bubble that surrounds the email in question. So, what's the issue? Well, if you send such an encrypted email bubble to a Gmail user, then it gets automatically decrypted in their inbox, no problem there. 
If the recipient isn't a Gmail user, however, they are presented with an invite to view the email within a restricted version of Gmail, using a Google Workspace guest account. As Jérôme Segura, the senior director of threat intelligence at Malwarebytes, told Wired, 'users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.' We already know how AI-powered phishing attacks are blurring the lines between reality and risk, and you can be sure that scammers will be looking for the best way to create fake invitations within a convincing threat campaign to gain access to the potential victim's email account credentials. It's not just the addition of the end-to-end encryption feature that could enable malicious actors to attack email users while disguised as genuine Gmail communications. As I recently reported, Google impersonation is rife among those who would use trickery and guile to relieve you of your Gmail account credentials. What has become known as the Gmail Subpoena attack employed trust in Google's own protections and platforms, sending a fake security alert from a genuine Google domain to bypass the strict DomainKeys Identified Mail authentication checks employed by Gmail. The email alert was sent from an absolutely legitimate 'no-reply@ address. What's more, Gmail even 'helpfully' sorted it into the same conversation that contained other Google security alerts. The scam relied upon the apparent legitimacy of the email along with the sense of urgency and fear created by receiving notification that a supposed subpoena requiring Google to produce a copy of the Gmail account content had been served. The victim was advised that they could examine the subpoena itself or lodge a formal protest. 
The stinger being, of course, that doing either required them to follow the instructions given and that would lead them to fake Google support pages that, inevitably, would require an account security confirmation and ultimately, dear reader, account compromise. Gmail spokesperson Ross Richendrfer told me that Google has now rolled out updated security measures to counter the techniques used by the Gmail Subpoena threat actor in these highly targeted attacks. Such phishing attack risks are not, by any means, restricted to Gmail alone. Any email platform is exposed to this kind of attack, with scammers using fraudulent alerts and malicious links to entrap victims. As part of the process to alert users to the potential risk of such threats, Google has even added this warning to the encrypted email invitations that will be sent to non-Gmail users: 'Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.' Richendrfer said that the new Gmail end-to-end encryption update has been built from the ground up with this kind of risk firmly in mind. 'The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file,' Richendrfer confirmed. 'All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well,' Richendrfer advised. Google will never ask for any of your account credentials, Richendrfer concluded, including Gmail account passwords, one-time 2FA passwords or to confirm push notifications.