Category Archives: Encryption
HBO Hack Highlights Importance of Encryption, Data Governance – eSecurity Planet
By Jeff Goldman, posted August 2, 2017
1.5 TB of data, including unreleased episodes of upcoming shows, was stolen and leaked online.
Hackers recently claimed to have breached HBO's systems and stolen 1.5 TB of data including upcoming episodes of Ballers and Room 104, Entertainment Weekly reports.
In response, HBO stated that an incident had "resulted in the compromise of proprietary information," adding, "We immediately began investigating the incident and are working with law enforcement and outside cyber security firms."
In an email to employees, HBO chairman and CEO Richard Plepler wrote, "I can assure you that senior leadership and our extraordinary technology team, along with outside experts, are working round the clock to protect our collective interests. The efforts across multiple departments have been nothing short of herculean."
Protecting Key Data
AlertSec CEO Ebba Blitz told eSecurity Planet by email that the breach should serve as a clear reminder that hacking isn't limited to financial, health and personal information.
"All information is vulnerable because some hackers are motivated by the thrill of it," Blitz said. "They steal because they can, not because the information always has any real long-term value. All data needs to be protected with encryption."
Gemalto CTO of data protection Jason Hart said by email that broadcasters in particular face a unique threat. "Due to the nature of the industry, hackers have the opportunity to access data as it is transmitted between multiple data centers, and so they require solutions to help encrypt their high value TV transmissions -- without interfering with the audience's viewing experience," he said.
"HBO now joins a list of other Hollywood victims of crime such as Netflix and Sony," Hart added. "This incident is another reminder that broadcasters must invest in fundamental security controls and practices -- encryption, key management and two-factor authentication -- to control access to highly sought-after content and protect it in the event that a breach takes place."
Data Governance
Richard Stiennon, chief strategy officer at Blancco Technology Group, said the HBO breach is a great example of the importance of data governance. "Content producers and all the parties involved in shooting, editing and post-production processing and distribution should be on high alert," he said. "They should immediately review their data governance policies and discover the weak links in protecting their content and shore up their defenses. An information governance policy should take into account where critical content resides at all times."
Still, a recent Thycotic survey of over 400 global business and security executives found that four out of five companies don't know where their sensitive data is located or how to secure it.
And while 80 percent of data breaches involve stolen or weak credentials, 60 percent of companies still don't adequately protect privileged accounts. Two out of three companies don't fully measure whether their disaster recovery will work as planned, and four out of five never measure the success of security training investments.
"It's really astonishing to ... see just how many people are failing at measuring the effectiveness of their cyber security and performance against best practices," Thycotic chief security scientist Joseph Carson said in a statement.
Link:
HBO Hack Highlights Importance of Encryption, Data Governance - eSecurity Planet
UpVote: Turkish regime jails IT trainers in encryption clampdown – Ars Technica UK
On UpVote this week we discuss Turkey's deepening crackdown against critics of the Erdogan regime, which recently imprisoned IT trainers who were teaching citizens how to secure their digital communications.
We're joined by Amnesty International's tech adviser, Tanya O'Carroll, to work out why the net has widened to include tech experts who help human rights advocates stay safe in a country that is increasingly and chillingly hostile to freedom of speech, following a failed coup to topple president Recep Tayyip Erdogan in 2016.
End-to-end encryption isn't only perceived as a threat by oppressive regimes, however. This week, the UK's home secretary Amber Rudd once again pushed tech firms such as Facebook and Google to do more to prevent terrorists from using their services. Rudd claimed "real people" don't care about an app's security. Is she sure about that?
UpVote is a Wired and Ars Technica UK co-production hosted by Rowland Manthorpe and Kelly Fiveash.
This episode was recorded on Wednesday, August 2.
Read more:
UpVote: Turkish regime jails IT trainers in encryption clampdown - Ars Technica UK
Encryption is for ‘Real People’ – Human Rights Watch
In a recent op-ed, United Kingdom Home Secretary Amber Rudd argued that strong encryption was thwarting the government's ability to monitor terrorists and criminals. Rudd expressed skepticism about the need for end-to-end encryption, reasoning that real people don't prioritize security in their technology. "Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?" she wrote.
The answer is simple: I do, along with broad swaths of the human rights movement and many other people around the world.
Human Rights Watch defends the rights of people in 90 countries worldwide, spotlighting abuses and bringing perpetrators to justice. We rely heavily on networks of local NGO partners, witnesses, and victims, often located in closed societies where surveillance is pervasive. End-to-end encryption built into apps like WhatsApp shields our communications with these networks from abusive regimes and is a critical tool for ensuring we do not put contacts at risk of reprisal. Simply put, if we can't guarantee the security of our communications, we can't do our work. For that reason, every guide on digital security, including one previously funded by the UK, recommends the use of encrypted apps.
Who else uses end-to-end encryption? The list is long. Peaceful pro-democracy and reform activists in places like Hong Kong, Turkey, Central Africa, and across the Middle East. LGBT people living in countries where their sexual orientation is criminalized. Whistleblowers who reveal governmental or corporate malfeasance. Journalists everywhere trying to protect their sources.
Add to that list diplomats and government officials, including some in the UK parliament and Foreign Office. Or doctors, lawyers, and business people discussing sensitive and confidential information.
However, the home secretary's question itself indicates a fundamental misunderstanding of modern cybersecurity threats and the harms of undermining encryption. It doesn't matter whether WhatsApp's 1.2 billion users in 180 countries are using the app out of convenience or concern for security. End-to-end encryption protects all of them (students, pensioners, consumers, ordinary tax-paying citizens) from cybercriminals and identity thieves. As information security experts, former Five Eyes intelligence officials, and even Europol have warned, any attempt to enable surveillance by compromising encryption will broadly undermine cybersecurity for all users. And the bad guys will simply find other encrypted alternatives that are made outside the UK and not subject to its laws.
The good news: Rudd said the UK government has no intention of banning end-to-end encryption. This is a welcome statement as the government continues to interpret the 2016 Investigatory Powers Act, which contains provisions requiring Internet companies to take undefined practicable steps to provide data in unencrypted form.
But the home secretary then pivots to suggest that tech companies should give them access to unencrypted information anyway by working with governments through confidential conversations. What Rudd ultimately seeks is unclear. By definition, if communications are encrypted end-to-end, companies cannot access them.
Regardless, these conversations cannot happen out of public sight. The real people who make up the public have a right to know if the government has subverted the security of the tools many rely on every day.
Follow this link:
Encryption is for 'Real People' - Human Rights Watch
We don’t want to ban encryption, but our inability to see what terrorists are plotting undermines our security – Telegraph.co.uk
Awful terror attacks this year have confirmed again how terrorists use internet platforms to spread their vile ideology, and to inspire and to plan their acts of violence.
Nearly every plot we uncover has a digital element to it. Go online and you will find your own do-it-yourself jihad at the click of a mouse. The tentacles of Daesh (Isil) recruiters in Syria reach back to the laptops in the bedrooms of boys and increasingly girls in our towns and cities up and down the country. The purveyors of far-Right extremism pump out their brand of hate across the globe, without ever leaving home.
The scale of what is happening cannot be downplayed. Before he mowed down the innocents on Westminster Bridge and stabbed Pc Keith Palmer, Khalid Masood is thought to have watched extremist videos. Daesh claim to have created 11,000 new social media accounts in May alone. Our analysis shows that three-quarters...
Continued here:
We don't want to ban encryption, but our inability to see what terrorists are plotting undermines our security - Telegraph.co.uk
Telegram messaging app strikes deal with Indonesia on encryption – Digital Trends
End-to-end encryption used to be the domain of particular messaging apps built with it in mind, like Signal and Telegram. Eventually, the feature made its way to more mainstream-focused apps, like WhatsApp and Allo. Although regular users can now enjoy ...
Related headlines: Indonesia lifts threat to ban encrypted app Telegram; Indonesia to lift ban on Telegram app
See more here:
Telegram messaging app strikes deal with Indonesia on encryption - Digital Trends
Real people don’t need encryption – Fudzilla
Tory minister thinks it is not for the proles, who want to be spied on
UK home secretary Amber Rudd has called on messaging apps like WhatsApp to ditch end-to-end encryption, arguing that it aids terrorists.
Rudd said technology companies were not doing enough to beat "the enemy" on the internet.
Encryption tools used by messaging apps had become a "problem", she added. Rudd is meeting with representatives from Google, Facebook, Twitter, Microsoft and others at a counter-terrorism forum in San Francisco. Tuesday's summit is the first gathering of the Global Internet Forum to Counter Terrorism, an organisation set up by the major companies in the wake of recent terror attacks.
In a joint statement, the companies taking part said they were co-operating to "substantially disrupt terrorists' ability to use the internet in furthering their causes, while also respecting human rights."
In an op-ed, she described a group of people she called "real people". Real people apparently prefer ease of use and a multitude of features to perfect, unbreakable security. Real people don't use WhatsApp because it is end-to-end encrypted but because it is an incredibly user-friendly and cheap way of staying in touch with friends and family.
She claimed that even companies were constantly making trade-offs between security and usability, so why should real people have encryption?
As the private-school-educated daughter of a stockbroker who was once hired as an aristocracy co-ordinator for the movie business and director of two Bahamas-based asset management companies, Rudd would know a lot about what real people need.
Read this article:
Real people don't need encryption - Fudzilla
Ex-NSA boss questions encrypted message access laws proposed by Malcolm Turnbull – ABC Online
Updated August 02, 2017 09:02:09
The Federal Government's bid to force tech companies to reveal terrorists' secret conversations could be unachievable, according to the former deputy director of the US National Security Agency (NSA).
Chris Inglis had a 28-year career with the NSA and now advises private companies on how to detect Edward Snowden-style leakers within their ranks.
He told the ABC the Turnbull Government's bid to access encrypted messages sent by terrorists and other criminals is to be admired, but the technology may prove problematic.
"I don't know how feasible it is to achieve the kind of access the Government might want to have under the rule of law, the technology is tough to get exactly right," Mr Inglis told the ABC.
"But the Government is honour-bound to try to pursue both the defence of individual rights and collective security."
Encrypted messages affect close to 90 per cent of ASIO's priority cases, and the laws would be modelled on Britain's Investigatory Powers Act, which obliges companies to cooperate.
Technology experts, like adjunct professor at the Centre for Internet Safety Nigel Phair, have questioned how these laws would really work.
"From a technical perspective we are looking at very high-end computing power that makes it really, really difficult to decrypt a message on the fly, it's just not a simple process," he said.
Facebook has already indicated it will resist the Government's laws, saying weakening encryption for intelligence agencies would mean weakening it for everyone.
"Because of the way end-to-end encryption works, we can't read the contents of individual encrypted messages," a spokesman said.
But Mr Inglis said technology companies would not need to create a so-called backdoor to messages, but rather allow intelligence agencies to exploit vulnerabilities.
The NSA was criticised in May after it was revealed it knew about a vulnerability in Microsoft's system, but exploited it rather than reporting it to the company.
"Here's the dirty little secret: most of these devices already have what might be technically described as a backdoor: their update mechanisms, their patch mechanisms," he said.
"My read on what you are trying to do is to put that issue on the table and say, 'we are not going to create backdoors, but we are going to try and use the capabilities that already exist'."
Mr Inglis said the Australian Government was pushing for legal powers the US Government had not called for.
"We have not had as rich a debate as what I sense is going on in Australia," he said.
"The Government by and large has not stepped in and directed that we are either going to seek a solution, we are still trying to find a voluntary way forward."
When Prime Minister Malcolm Turnbull announced the legislation, he noted strong libertarian tendencies of US-based technology companies.
Mr Inglis said Australia was "in the middle of the pack" when it came to cyber security planning.
"You are currently working through how to balance individual privacy, the defence of liberty as we would say in the States, and the pursuit of collective security," he said.
"No-one is exempt from the threats that are traversing across the cyber space at this moment in time."
First posted August 01, 2017 04:44:23
Read more:
Ex-NSA boss questions encrypted message access laws proposed by Malcolm Turnbull - ABC Online
iStorage diskAshur2 1TB PIN-protected encrypted external hard drive [Review] – BetaNews
It's hard -- for me at least -- to get too excited about hard drives. They get bigger, they get faster, and that's about it. But the iStorage diskAshur2 is a little different. This is a 1TB USB 3.1 external hard drive with a twist.
It offers hardware-level AES-XTS 256-bit encryption -- so no software is needed -- secured with PIN authentication. As you can see from the photo, there's a PIN pad built into the drive for easy locking and unlocking, and it's compatible with Windows, macOS and Linux ("it will work on any device with a USB port!"). We've already looked at the diskAshur Pro 2, but this diskAshur2 drive is nearly 20 percent cheaper.
The primary difference between the Pro drive and this one is the level of certification behind the encryption. While the diskAshur Pro 2 is "designed to be certified to" FIPS 140-2 Level 3, NCSC CPA, Common Criteria and NLNCSA, in the case of the diskAshur2 it's the lesser, older FIPS PUB 197 validation that's in place. In both instances, however, there's AES-XTS 256-bit hardware encryption protecting data, which should be more than enough for most circumstances.
FIPS 140-2 Level 3 means that the diskAshur Pro 2's circuit board has a tamper-proof design, but there are still physical protection measures in place with the diskAshur2 for added peace of mind. The protection comes from the built-in EDGE (Enhanced Dual Generating Encryption) Technology, which protects from "external tamper, bypass laser attacks and fault injections and incorporates active-shield violation technology." There's also protection against unauthorized firmware updates, and the onboard processor "reacts to all forms of automated hacking attempts by entering the deadlock frozen state where the device can only restart through a 'Power On' reset procedure."
In short, it's secure. But what's it like to use?
In a word, great. But you're probably looking for a little more detail than that...
The iStorage diskAshur2 is designed with travelling in mind. It's pretty light at 216g, measures a pocketable 124 x 84 x 19 mm and comes with a hand carry case (the 3TB, 4TB and 5TB models are slightly heavier and larger at 325g and 124 x 84 x 27mm). There's a (short) built in USB 3.1 cable so you don't have to remember to carry one around with you, and the drive is available in a choice of four colors -- Fiery Red, Phantom Black, Racing Green and Ocean Blue. It's IP56 rated for water and dust resistance.
What's great about the drive is the incredible ease of use. Encryption usually means having to fiddle around with software, but that's not the case here; everything is built into the drive. The drive is, by default, encrypted. Plug it in, and it remains inaccessible -- and invisible to the computer -- until you enter the necessary PIN and hit the unlock button. From this point, you can manually lock the drive at any time. You can also unplug the drive and it will be automatically locked, or auto-locking will kick in after a predetermined period of inactivity. The lack of software means that it's easy to take the drive from one computer to another, regardless of the operating system it is using.
Unlocking the drive is incredibly fast -- much faster than if computer-based software was involved. In terms of performance, this is a 5,400 RPM drive offering read speed of up to 148 MBps and write speeds of up to 140 MBps -- far from earth-shattering, but this is a drive that focuses on security, not performance.
As with the diskAshur Pro 2, brute-force protection means that the drive will delete its encryption key (rendering the data completely inaccessible) after fifteen consecutive incorrect PINs are entered. You can create a PIN of up to 15 digits, so it should be fairly easy to create a non-guessable PIN. For those who need it, there is also the option of setting a Self-Destruct PIN that wipes out the encryption key so the data cannot be accessed under any circumstances. For peace of mind, there is a two-year warranty covering the device.
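The locking behaviour the review describes (the drive is locked until the PIN is entered, auto-locks after a period of inactivity, wipes its key after fifteen consecutive wrong PINs, and offers a self-destruct PIN) is a small state machine. The model below is an added example written for this page, not iStorage's firmware or any code from the review: the PIN hashing, the `AUTO_LOCK_SECONDS` value and the injectable clock are assumptions made so the logic can run and be tested offline. The point it makes is the defensive one: with a short numeric PIN, the attempt counter and key zeroization are what stop guessing, not the strength of the PIN hash.

```python
import hashlib
import secrets
import time

MAX_FAILED_ATTEMPTS = 15   # figure taken from the review
AUTO_LOCK_SECONDS = 300    # constructed value; the real timeout is user-configurable


class PinGatedKeyStore:
    """Model of a PIN-gated data-encryption key (DEK), as on a self-encrypting drive.

    Constructed example: mirrors the behaviour described in the review but is not
    iStorage's firmware. `now` is injectable so the inactivity timeout is testable.
    """

    def __init__(self, user_pin: str, self_destruct_pin: str, now=time.monotonic):
        self._now = now
        self._salt = secrets.token_bytes(16)
        self._user_pin_hash = self._hash_pin(user_pin)
        self._sd_pin_hash = self._hash_pin(self_destruct_pin)
        self._dek = secrets.token_bytes(32)      # stands in for the AES-XTS-256 key
        self.failed_attempts = 0
        self.unlocked = False
        self._last_activity = now()

    def _hash_pin(self, pin: str) -> bytes:
        # A 4-to-15 digit PIN is trivially guessable offline; the hash only keeps the
        # PIN out of plain storage. The attempt counter is the real brute-force control.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def _wipe_key(self) -> None:
        # Key zeroization: once the DEK is gone the ciphertext on the platters is
        # unrecoverable, which is exactly the guarantee the review describes.
        self._dek = None
        self.unlocked = False

    @property
    def key_destroyed(self) -> bool:
        return self._dek is None

    def unlock(self, pin: str) -> bool:
        """Returns True only on a correct user PIN. Counts consecutive failures."""
        if self.key_destroyed:
            return False
        h = self._hash_pin(pin)
        if secrets.compare_digest(h, self._sd_pin_hash):
            self._wipe_key()               # self-destruct PIN: wipe and report failure
            return False
        if secrets.compare_digest(h, self._user_pin_hash):
            self.failed_attempts = 0       # success resets the consecutive counter
            self.unlocked = True
            self._last_activity = self._now()
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self._wipe_key()
        return False

    def lock(self) -> None:
        """Manual lock, or what happens when the drive is unplugged."""
        self.unlocked = False

    def read_key(self):
        """Returns the DEK while unlocked and within the inactivity window, else None."""
        if not self.unlocked:
            return None
        if self._now() - self._last_activity > AUTO_LOCK_SECONDS:
            self.lock()                    # auto-lock after inactivity
            return None
        self._last_activity = self._now()
        return self._dek


if __name__ == "__main__":
    store = PinGatedKeyStore("1234", "9999")
    print("wrong PIN accepted?", store.unlock("0000"))
    print("right PIN accepted?", store.unlock("1234"))
    print("key available?", store.read_key() is not None)
```

Worth noting in the model: a correct PIN resets the counter, so fourteen failures followed by one success leaves the owner with a full fifteen attempts again, while the self-destruct PIN is deliberately indistinguishable from a wrong PIN to whoever typed it.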
For the vast majority of people, AES-XTS 256-bit hardware encryption and conforming to FIPS PUB 197 should be more than enough. If the relatively high price of the diskAshur Pro 2 was off-putting to you, the diskAshur2 gives you a way to get very much the same product at a pleasingly lower price.
You can find out more and buy a drive direct from iStorage. The 1TB model is priced at 219 (262).
Here is the original post:
iStorage diskAshur2 1TB PIN-protected encrypted external hard drive [Review] - BetaNews
Top 5: Risks of encryption backdoors – TechRepublic
There's lots of talk of mandating a backdoor to encrypted services so that law enforcement can use them under warrants. The need is real and there are some reasonable compromises that can keep all our data safe and still help catch bad guys.
But a backdoor for the good guys is potentially a backdoor for the bad guys too. Here are five reasons a backdoor in encryption is a bad idea:
1. Strong encryption protects dissidents and democracy advocates in repressive regimes as well. Putting in backdoors limits their options and weakens their protections.
2. The backdoor goes beyond the phone. IoT devices are becoming more and more frequent, meaning any device with a connection could have a backdoor. If someone gets the keys or figures out how the backdoor works, they could get inside lights, door locks and more.
3. Dual key systems are inherently less secure. Having a single key that you, the user, alone can access is the only way to make sure that you are the only weak point. Having a second key stored at a government agency gives attackers more targets for social engineering and other attacks.
4. Criminals can choose not to use the services with backdoors. Open source encryption tools are available that nobody controls, and large enough organizations can create their own. So you're weakening security for law abiding citizens more than criminals.
5. You can't make math illegal. The solution to our last point is to make any encryption without a backdoor against the law. Except that encryption is generally just multiplying two prime numbers. It would be hard to make that against the law.
Now, there is more that tech companies could do to assist law enforcement. Creative solutions being proposed include pushing updates that do things like, say, surreptitiously turn on logging in an app like WhatsApp for a suspect who is the target of a court-approved warrant.
That may or may not be the right answer, of course, but that's where productive discussion can be had: the kind of measures that lessen a criminal's security without breaking encryption for everyone.
Here is the original post:
Top 5: Risks of encryption backdoors - TechRepublic
Facebook’s Sheryl Sandberg: WhatsApp metadata informs governments about terrorist activity in spite of encryption – CNBC
"The goal for governments is to get as much information as possible. And so when there are message services like WhatsApp that are encrypted, the message itself is encrypted but the metadata is not, meaning that you send me a message, we don't know what that message says but we know you contacted me," she said.
"If people move off those encrypted services to go to encrypted services in countries that won't share the metadata, the government actually has less information, not more. And so as technology evolves these are complicated conversations, we are in close communication working through the issues all around the world."
Sandberg recently met Rudd and told "Desert Island Discs" that Facebook and the U.K. government are "very aligned in our goals".
"We want to make sure all of us do our part to stop terrorism and so our Facebook policies are very clear. There's absolutely no place for terrorism, hate, calls for violence of any kind. Our goal is to not just pull it off Facebook but to use artificial intelligence and technology to get it before it's even uploaded.
"We are working in collaboration with the other tech companies now, so if a video by a terrorist is uploaded to any of our platforms, we are able to fingerprint it for all the others so that they can't move from platform to platform."
Originally posted here:
Facebook's Sheryl Sandberg: WhatsApp metadata informs governments about terrorist activity in spite of encryption - CNBC