December has brought some interesting developments in the world of cyber security. The first topic covers a new encryption feature for Google’s Gmail. Also highlighted is a data breach at a well-known password manager, LastPass. Finally, GitHub will soon be implementing an extra security mechanism for all users.
END-TO-END ENCRYPTION FOR GMAIL
Google has announced that end-to-end encryption (E2EE) will be coming to Gmail on the web. E2EE is a secure communication method that encrypts data on the sender’s system before transferring it, allowing only the intended recipient to decrypt the data. This data cannot be accessed or modified by third parties while it is being transferred, because the decryption key is known only by the recipient. Gmail will encrypt the email’s body and any attachments, but will not encrypt the subject, timestamps, or the recipient list. Gmail’s E2EE is currently only a beta feature for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. Those who would like to apply for this beta have until January 20th, 2023, to submit their application.
LASTPASS DATA BREACH
LastPass, a popular password manager application, has recently experienced a breach of their cloud storage, resulting in customer vault data being exposed. This data includes users’ full names, email addresses, billing addresses, phone numbers, and fully encrypted usernames and passwords. LastPass encrypts data with 256-bit AES encryption, and the data can only be decrypted using a key derived from the user’s master password, which LastPass does not store. Customers of LastPass with a weak master password could be vulnerable to a brute force attack that would allow an attacker to gain access to all the user’s stored credentials. This would be very difficult for an attacker if the user follows the password best practices recommended by LastPass. If the master password is strong and complex, then it would take thousands or even millions of years to brute force the password using today’s password cracking technology.
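To make the two points in the paragraph above concrete (the vault key is derived from the master password rather than stored, and the cost of offline guessing depends on the password's strength and the key-derivation work factor), here is an added example in Python. It is not LastPass's code and does not reproduce LastPass's actual scheme or parameters: the PBKDF2 iteration count, the salt, the sample passwords and the attacker guess rates are all constructed assumptions for illustration.

```python
import hashlib
import math

# Constructed, generic vault-key scheme (assumption: not LastPass's real design).
# The 256-bit vault key is derived on the client from the master password and
# never leaves it; a service would at most store a separately derived
# authentication hash, from which the vault key cannot be recovered.
ITERATIONS = 600_000          # assumed PBKDF2 work factor; the page gives no figure
KEY_LEN = 32                  # 256 bits, matching the AES-256 the page mentions
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client-side derivation of the vault key from the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more KDF round over the vault key; this is what a server could store
    for login without ever holding the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def effective_guess_rate(hmac_per_second: float, iterations: int = ITERATIONS) -> float:
    """Each master-password guess costs `iterations` HMAC computations, so the
    KDF work factor divides the attacker's raw hashing throughput."""
    return hmac_per_second / iterations


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try every password in the space at the given guess rate."""
    return (2.0 ** entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample inputs.
    salt = b"\x00" * 16
    key = derive_vault_key("correct horse battery staple", salt)
    auth = derive_auth_hash(key, "correct horse battery staple")
    print("vault key :", key.hex())
    print("auth hash :", auth.hex())

    # Constructed attacker throughput: raw HMAC-SHA256 rate of a GPU rig (assumed).
    rate = effective_guess_rate(1e9)
    for label, length, alphabet in [("6 lowercase letters", 6, 26),
                                    ("8 mixed-case + digits", 8, 62),
                                    ("12 printable ASCII", 12, 94)]:
        bits = password_entropy_bits(length, alphabet)
        print(f"{label:24s} {bits:6.1f} bits -> "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
```

The printed figures show why both halves of the paragraph hold: a short, single-class master password is exhausted in well under a day even through a slow KDF, while a long random one pushes the search past the age of the universe. Raising the iteration count helps every user linearly; adding characters to the password helps exponentially.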
GITHUB TWO-FACTOR AUTHENTICATION REQUIREMENT
By the end of 2023, GitHub will require all 94 million users on the platform to enable two-factor authentication (2FA) to increase account security. An account takeover of a GitHub user can have a very negative impact, especially if malicious code is introduced into a project, because users of the project will be affected as well. GitHub will start rolling out the 2FA mandate in March of 2023 to select groups of users. Before expanding the requirement to all users, GitHub will evaluate the initial rollout to measure account lockout and recovery rates, as well as support ticket volumes. GitHub’s 2FA requirement will allow users to feel safer when downloading code from repositories, and overall will make the platform more secure and trustworthy.