Introduction

The possibility to impose EU obligations to messaging services using end-to-end encryption to cooperate with law enforcement agencies has been dominating justice and home affairs discussions for some time now, as a way to better prepare for planned terrorist attacks throughout Europe. A Council of Home Affairs Ministers endorsed on 14 December 2020 a Council Resolution on Encryption, paving the way to create a regulatory framework to that effect.

Since 2015, a series of campaigns run alternately by Europol and the Federal Bureau of Investigation, or the services of the "Five Eyes"1 alliance, were building towards the development of this Council Resolution. In October, Interior Ministers of the alliance called on the internet companies once again to equip their IT networks with backdoors so that law enforcement agencies and competent authorities could access end-to-end encrypted apps to police online criminality.

Overview

The Council Resolution (Resolution) on Encryption has been in the works for some months now. The German Presidency has concluded the work on the Resolution that could lead in the long term to a ban of end-to-end encryption for messenger services, to allow investigating authorities to have direct access to end-to-end encrypted communications from such providers.

Even though this proposal was originally initiated by the UK, it was picked up by Germany in 2019, and France has been pushing this proposal throughout the year with renewed impetus following the terrorist attacks in France and Austria.

What Is at Stake?

However, necessary safeguards need to be established to ensure EU citizens' privacy is respected and cybersecurity systems are not compromised. The Resolution underlines that "Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organized crimes and terrorism, including in the digital world, and upholding the rule of law, are extremely important."

Most importantly, it is noted that "Any actions taken have to balance these interests carefully against the principles of necessity, proportionality and subsidiarity." With the adoption of the Resolution, there is a clear message on the need to develop an EU regulatory framework and to further assess how such a framework would be established.

Importantly, the regulatory framework should encompass technical and operational solutions to be developed with service providers and relevant stakeholders to enable access to authorities to encrypted data.

At this point, the legislative route by which they would be given effect is uncertain. However, considering the Council has not directly asked the European Commission to prepare a legislative proposal, it is most likely that a future legislative measure would be introduced within the national security remit, in a form of a Council Decision, which would require unanimity voting to be adopted. France, Germany and Austria appear to be the countries to lead the efforts to create such a regulatory framework, following the adoption of the Resolution.

Similarly, the adoption of the Resolution could also have an impact vis--vis the implementation of the European Electronic Communications Code (EECC, Directive EU/2018/1972), due by 21 December 2020. Member states could leverage the adoption of the Resolution to adopt their own measures at national level using the provisions of EECC Article 3(c) that the "Directive is without prejudice to ... actions taken by member states for public order and public security purposes and for defence."

Conclusions

Whereas the adoption of the Resolution aims to put a framework in place that would strengthen investigative powers against terrorism, services using end-to-end encryption could face a significant risk. The Resolution calls on the tech industry to devise mechanisms under which encrypted data can be accessed by competent authorities, while complying with "the principles of legality, necessity, proportionality and subsidiarity". Notwithstanding the principle of the Resolution, creating backdoors to communication services analogous to the lawful intercept capability required of telecommunications operators could weaken IT security and could incite action by cyber criminals and foreign intelligence services.

The broad range of consequences to the tech sector stemming from the Resolution should be closely monitored and assessed. We stand ready to provide assistance in advising clients on the most effective strategic business decisions and legal considerations in this context.

Link:
Are We Heading Towards EU Legislation Banning End-to-End Encryption? - Lexology

A security firm has gone public with claims that it cracked the encryption used by messaging app Signal, which is famed for the level of privacy afforded to its users.

According to a blog post published by Israeli company Cellebrite, decrypting messages and attachments sent with Signal has been all but impossible...until now.

The firm goes on to set out the method by which it was allegedly able to decrypt messages sent using the Signal app for Android. No mention was made of the iOS version.

The blog post offers up a long-winded and technical explanation but, in short, Cellebrite says it was able to get hold of the decryption key by reading a value from the shared preferences file.

The firm then used information found in Signals open source code to establish how the key could be used to decrypt a database containing messages and attachments.

Since first publication, however, the blog post has been altered significantly, with the description of the method removed entirely. Signal was also quick to dismiss the claims, which the company has suggested are reductive to the point of being misleading.

This was an article about advanced techniques Cellebrite uses to decode a Signal message db...on an *unlocked* Android device! They could have also just opened the app to look at the messages, said Moxie Marlinspike, Signal creator.

The whole article read like amateur hour, which is I assume why they removed it, he added.

The suggestion is that cracking Signal encryption on a locked Android device is another question entirely and conducting the test using an unlocked phone defeats the object, because messages would be accessible anyway.

If Cellebrites claims hold water, though, it is possible the firm removed the meat of the post for another reason entirely, according to an expert in computer science.

I suspect someone in authority told them to [alter the post], or they realised they may have provided enough detail to allow others - who dont just supply to law enforcement agencies - to achieve the same result, said Alan Woodward, University of Surrey.

Via BBC

View post:
Signals famous encryption may have been cracked - TechRadar

We've already looked at the possible cybercrime landscape for 2021, but what about the other side of the coin? How are businesses going to set about ensuring they are properly protected next year?

Josh Bregman, COO of CyGlass thinks security needs to put people first, "2020 has been incredibly stressful. Organizations should therefore look to put people first in 2021. Cybersecurity teams are especially stressed. They've been tasked with securing a changing environment where more people than ever before are working remotely. They've also faced new threats as cyber criminals have looked to take advantage of the pandemic: whether through phishing attacks or exploiting weaknesses in corporate infrastructure. Being proactive, encouraging good cyber hygiene and executing a well thought out cyber program will go a long way towards promoting a peaceful and productive 2021, not least because it will build resiliency."

Mary Writz, VP of product management at ForgeRock thinks quantum computing will change how we think about secure access, "When quantum becomes an everyday reality, certain types of encryption and thereby authentication (using encrypted tokens) will be invalidated. Public Key Infrastructure (PKI) and digital signatures will no longer be considered secure. Organizations will need to be nimble to modernize identity and access technology."

Gaurav Banga, CEO and founder of Balbix, also has concerns over quantum computing's effect on encryption, "Quantum computing is likely to become practical soon, with the capability to break many encryption algorithms. Organizations should plan to upgrade to TLS 1.3 and quantum-safe cryptographic ciphers soon. Big Tech vendors Google and Microsoft will make updates to web browsers, but the server-side is for your organization to review and change. Kick off a Y2K-like project to identify and fix your organization's encryption before it is too late."

Sharon Wagner, CEO of Sixgill predicts greater automation, "We'll see organizations ramp up investment in security tools that automate tasks. The security industry has long been plagued by talent shortages, and companies will look toward automation to even the playing field. While many of these automated tools were previously only accessible to large enterprises, much of this technology is becoming available to businesses of all sizes. With this, security teams will be able to cover more assets, eliminate blindspots at scale, and focus more on the most pressing security issues."

Michael Rezek, VP of cybersecurity strategy at Accedian sees room for a blend of tools and education, "As IT teams build out their 2021 cybersecurity strategy, they should look most critically to network detection & response solutions (NDR), and other complementary solutions like endpoint security platforms that can detect advanced persistent threats (APT) and malware. For smaller companies, managed security services such as managed defense and response are also good options. However, a comprehensive security strategy must also include educating all employees about these threats and what to watch out for. Simple cybersecurity practices like varying and updating passwords and not clicking on suspicious links can go a long way in defending against ransomware. Perhaps most importantly, since no security plan is foolproof, companies should have a plan in the event of a ransomware attack. This is especially important since attackers might perform months of reconnaissance before actually striking. Once they have enough data, they'll typically move laterally inside the network in search of other prized data. Many cybercrime gangs will then install ransomware and use the stolen data as a back-up plan in case the organization refuses to pay. The more rapidly you can detect a breach and identify what information was exploited, the better your changes of mitigating this type of loss. Having a plan and the forensic data to back it up will ensure your organization and its reputation are protected."

Amir Jerbi, CTO at Aqua Security, sees more automation too, "As DevOps moves more broadly to use Infrastructure as Code (IaC) to automate provisioning of cloud native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which when executed may allow them to manipulate the cloud infrastructure of their attack targets."

Marlys Rodgers, chief information security officer and head of technology oversight at CSAA Insurance Group, inaugural member of the AttackIQ Informed Defenders Council says, "Despite the global COVID-19 pandemic, businesses still have to function and deliver on their promises to customers. This means adapting and finding new ways to enable employees to be productive from the safety of their homes. As CISO and Head of Technology Oversight for my company, I am dedicated to structuring and sustaining a security program that enables the business, as opposed to restricting capabilities in the name of minimizing risk. Additionally, I believe in complete transparency regarding the company's security posture across all levels, including the C-suite and board, so that we may work together to understand our risk and prioritize security investments accordingly. These two guiding principles have served me well throughout my career, but in 2020 especially, they allowed my company to innovate to better serve our customers while simultaneously scaling the security program."

Devin Redmond CEO and co-founder of Theta Lake believes we'll see more focus on the security of collaboration tools, "Incumbent collaboration tools (Zoom, Teams, Webex) are going to get dragged into conversations about privacy law and big tech, further pressuring them to stay on top of security and compliance capabilities. At least two regulatory agencies will make explicit statements about regulatory obligations to retain and supervise collaboration conversations. Additionally, collaboration tools will replace many call center interactions and force organizations on related compliance, privacy, and security risks."

Cybersecurity needs to become 'baked in' according to Charles Eagan, CTO at BlackBerry:

Cybersecurity is, in all too many ways, an after-market add-on. But this kind of model can become a roadblock to comprehensive security -- like plugging the sink while the faucet is already on.

Take, for instance, the connected vehicle market: vehicles continue to make use of data-rich sensors to deliver safety and comfort features to the driver. But if these platforms aren't built with security as a prerequisite, it's easy to open up a new cyberattack vector with each new feature. In many cases, the data that drives Machine Learning and AI is only useful -- and safe -- if it cannot be compromised. Cybersecurity must become a pillar of product and platform development from day one, instead of added on after the architecture is established.

Tony Lauro, Akamai's director of security technology and strategy thinks multi-factor authentication must become the norm, "Over the past 12 months, attacks against remote workers have increased dramatically, and the techniques used to do so have also increased in complexity. In 2021 security-conscious organizations will be compelled to re-evaluate their requirements for using multi-factor authentication (MFA) technology for solutions that incorporate a strong crypto component to defend against man in the middle and phishing-based 2FA bypasses."

Jerry Ray, COO of enterprise data security and encryption company SecureAge, thinks we'll see greater use of encryption, "Throughout most of 2020, VPNs, access controls, and zero trust user authentication became all the rage in the immediate push to allow employees to work from home. As the year ends and 2021 unfolds, though, a greater appreciation for data encryption has been slowly coming to life. As work from home will continue throughout 2021 and the ploys used by hackers to get into the untamed endpoints become more refined and clever, data that can't be used even if stolen or lost will prove the last, best line of defense."

MikeRiemer, global chief technology officer of Ivanti thinks organizations must adopt zero trust, "As employees continue to work from home, enterprises must come to terms with the reality that it may not be just the employee accessing a company device. Other people, such as a child or spouse, may use a laptop, phone, or tablet and inadvertently download ransomware or other types of software malware. Then, when the employee starts using the device to access a corporate network or specific corporate cloud application, it becomes a rogue device. Without having eyes on employees, how do businesses ensure the user and device are trusted? And what about the application, data and infrastructure? All of these components must be verified on a continual basis every few minutes to maintain a superior secure access posture. That is why organizations must adopt a Zero Trust Access solution capable of handling the hyper-converged technology and infrastructure within today's digital workplace by providing a unified, cloud-based service that enables greater accessibility, efficiency, and risk reduction."

Casey Ellis, CTO, founder, and chairman of Bugcrowd thinks more governments around the world will adopt vulnerability disclosure as a default:

Governments are collectively realizing the scale and distributed nature of the threats they face in the cyber domain, as well as the league of good-faith hackers available to help them balance forces. When you're faced with an army of adversaries, an army of allies makes a lot of sense.

Judging by the language used in the policies released in 2020, governments around the world (including the UK) are also leaning in to the benefit of transparency inherent to a well-run VDP to create confidence in their constituents (neighborhood watch for the internet). The added confidence, ease of explanation, and the fact that security research and incidental discovery of security issues happen whether there is an invitation or not is making this an increasingly easy decision for governments to make.

Image credit: photousvp77/depositphotos.com

Originally posted here:
Encryption, zero trust and the quantum threat security predictions for 2021 - BetaNews

New Jersey, United States,- The report, titled Encryption Software Market Size By Types, Applications, Segmentation, and Growth Global Analysis and Forecast to 2019-2027 first introduced the fundamentals of Encryption Software: definitions, classifications, applications and market overview; Product specifications; Production method; Cost Structures, Raw Materials, etc. The report takes into account the impact of the novel COVID-19 pandemic on the Encryption Software market and also provides an assessment of the market definition as well as the identification of the top key manufacturers which are analyzed in-depth as opposed to the competitive landscape. In terms of Price, Sales, Capacity, Import, Export, Encryption Software Market Size, Consumption, Gross, Gross Margin, Sales, and Market Share. Quantitative analysis of the Encryption Software industry from 2019 to 2027 by region, type, application, and consumption rating by region.

Impact of COVID-19 on Encryption Software Market: The Coronavirus Recession is an economic recession that will hit the global economy in 2020 due to the COVID-19 pandemic. The pandemic could affect three main aspects of the global economy: manufacturing, supply chain, business and financial markets. The report offers a full version of the Encryption Software Market, outlining the impact of COVID-19 and the changes expected on the future prospects of the industry, taking into account political, economic, social, and technological parameters.

Request Sample Copy of this Report @ Encryption Software Market Size

In market segmentation by manufacturers, the report covers the following companies-

How to overcome obstacles for the septennial 2020-2027 using the Global Encryption Software market report?

Presently, going to the main part-outside elements. Porters five powers are the main components to be thought of while moving into new business markets. The customers get the opportunity to use the approaches to plan the field-tested strategies without any preparation for the impending monetary years.

We have faith in our services and the data we share with our esteemed customers. In this way, we have done long periods of examination and top to bottom investigation of the Global Encryption Software market to give out profound bits of knowledge about the Global Encryption Software market. Along these lines, the customers are enabled with the instruments of data (as far as raw numbers are concerned).

The graphs, diagrams and infographics are utilized to speak out about the market drifts that have formed the market. Past patterns uncover the market turbulences and the final results on the markets. Then again, the investigation of latest things uncovered the ways, the organizations must take for shaping themselves to line up with the market.

Encryption Software Market: Regional analysis includes:

?Asia-Pacific(Vietnam, China, Malaysia, Japan, Philippines, Korea, Thailand, India, Indonesia, and Australia)?Europe(Turkey, Germany, Russia UK, Italy, France, etc.)?North America(the United States, Mexico, and Canada.)?South America(Brazil etc.)?The Middle East and Africa(GCC Countries and Egypt.)

The report includes Competitors Landscape:

? Major trends and growth projections by region and country? Key winning strategies followed by the competitors? Who are the key competitors in this industry?? What shall be the potential of this industry over the forecast tenure?? What are the factors propelling the demand for the Encryption Software Industry?? What are the opportunities that shall aid in the significant proliferation of market growth?? What are the regional and country wise regulations that shall either hamper or boost the demand for Encryption Software Industry?? How has the covid-19 impacted the growth of the market?? Has the supply chain disruption caused changes in the entire value chain?

The report also covers the trade scenario,Porters Analysis,PESTLE analysis, value chain analysis, company market share, segmental analysis.

About us:

Market Research Blogs is a leading Global Research and Consulting firm servicing over 5000+ customers. Market Research Blogs provides advanced analytical research solutions while offering information enriched research studies. We offer insight into strategic and growth analyses, Data necessary to achieve corporate goals, and critical revenue decisions.

Our 250 Analysts and SMEs offer a high level of expertise in data collection and governance use industrial techniques to collect and analyze data on more than 15,000 high impact and niche markets. Our analysts are trained to combine modern data collection techniques, superior research methodology, expertise, and years of collective experience to produce informative and accurate research.

Get More Market Research Report Click @ Market Research Blogs

More:
Encryption Software Market Size 2020 by Top Key Players, Global Trend, Types, Applications, Regional Demand, Forecast to 2027 - LionLowdown

One nice thing about democracy is thatat least in theorywe dont need permission to speak freely and privately. We dont have to prove that our speech meets the governments criteria, online or offline. We dont have to earn our rights to free speech or privacy.

Times have changed. Today, some U.S. senators have come to the view that speech in the online world is an exceptional case, in which website owners need to earn itwhether they intend to carefully moderate user content, or let users speak freely. In 2020, two Senators introduced a bill that would limit speech and security online, titled the EARN IT Act, which is also an acronym that stands for Eliminating Abusive and Rampant Neglect of Interactive Technologies.

Using crimes against children as an excuse to blow a hole in critical legal protections for online speech, Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) co-sponsored this law. The original EARN IT Act created a 19-person government commission, stacked with seats reserved for law enforcement, that would create best practices for online platforms to follow. This wouldnt have just targeted big websites like Facebookthe new rules would apply to a local news websites, hobby blogs, and email services, among other online services. Anyone who didnt follow the best practices would lose critical legal protections and could be held liable, or prosecuted, for the actions of the people who use their services.

Its clear what practices law enforcement want Internet companies and website hosts to adopt. U.S. Attorney General William Barr has said it repeatedlyin his view, law enforcement agencies should always have access to encrypted communications. But as weve explained over and over again, encryption with a backdoor is just broken encryption. It doesnt matter if you call the means of accessing encryption client side scanning or endpoint filtering or anything else. Backdoors dont just get used by good guys, either. Authoritarian governments and criminals are always interested in reading other peoples messages.

The structure of the EARN IT Act was designed to allow Internet speech to be monitored by law enforcement. It would have let law enforcement agencies, from the FBI down to local police, to scan every message sent online. Any company that didnt grant law enforcement legal access to any digital message (a best practice sure to have been mandated by the commission) would be subject to lawsuits or even criminal prosecutions. If it had passed, the bill would have been devastating to both privacy and free expression. Thats because without liability protections, websites will censor and regulate user speech, or even eliminate certain categories for speech altogether.

But the original bill didnt even advance out of committeebecause public outcry against it was overwhelming. The law as proposed was so unpopular, the EARN IT Act was amended to reduce the power of the government commission. Rather than creating an authoritative law enforcement-dominated commission, the new version of the EARN IT Act establishes the same commission, but simply makes it advisory. Instead, the bill gives the power to regulate the Internet to state legislatures.

This amended EARN IT Act isnt any better than the original, and in some ways is even worse. It gives wide berth to legislatures in all 50 states, as well as U.S. territories, to regulate the Internet in just about any way they wantas long as the nominal purpose is to stop the online abuse of children. The Senate Judiciary Committee also passed an amendment that purported to protect end-to-end encryption from being violated by the states. That amendment was a worthy nod to the outpouring of concern for the fate of encryption that this surveillance bill had prompted, but it doesnt go far enough.

Looking beyond encryption, the other real target here was Section 230 (47 U.S.C. 230), a law that has been falsely maligned as providing special protection to Big Tech companies. In reality, Section 230 protects the speech and security of everyday Internet users.

Lawmakers in Congress filled the final months of 2020 with ideas about how to weaken Section 230, a federal law that is simply not broken. The PACT Act was an effort to address the dominance of the biggest online platforms, but would end up censoring users and entrenching the dominance of the biggest platforms. Another late 2020 proposal, the Online Content Policy Modernization Act, was simply an unconstitutional mess.

These ideas are going to keep coming back in 2021. Theres justifiable criticism of Big Tech, but its led many politicians into misguided attempts to control online speech, or give police more power to control and surveil the Internet. If a wrongheaded proposal to gut Section 230 passes, the collateral damage could be severe.

We all know there are serious problems in the online world, like disinformation, hateful speech, and eroded privacy. By and large, the big problems arent related to Section 230, which still fulfills its goal of protecting user speech. The big problems exist because a few tech companies have too much power. Giant tech companies act increasingly like monopolies. Their content moderation systems are broken.

We do need new solutions to these problems. And theyre out there: we need to think about beefing up antitrust enforcement, reforming anti-competitive laws like the CFAA, creating strong privacy regulations, freeing user data by making it portable, and creating opportunities for competitive compatibility.

This article is part of our Year in Review series.Read other articles about the fight for digital rights in 2020.

Continue reading here:
In 2020, Congress Threatened Our Speech and Security With the EARN IT Act - EFF