Category Archives: Encryption

5 Common Encryption Algorithms and the Unbreakables of the …


While security is an afterthought for many PC users, it's a major priority for businesses of any size. It has to be when the Ponemon Institute tells us that security breaches are costing companies millions every year.

Even if you don't have millions to lose, protecting what you do have should be a high priority.

There are several forms of security technology available, but encryption is one that everyday computer users should know about.

Encryption is an interesting piece of technology that works by scrambling data so it is unreadable by unintended parties. Let's take a look at how it works with the email-friendly software PGP (or GPG for you open source people).

Say I want to send you a private message, so I encrypt it using either one of these programs. Here's the message:

wUwDPglyJu9LOnkBAf4vxSpQgQZltcz7LWwEquhdm5kSQIkQlZtfxtSTsmaw q6gVH8SimlC3W6TDOhhL2FdgvdIC7sDv7G1Z7pCNzFLp0lgB9ACm8r5RZOBi N5ske9cBVjlVfgmQ9VpFzSwzLLODhCU7/2THg2iDrW3NGQZfz3SSWviwCe7G mNIvp5jEkGPCGcla4Fgdp/xuyewPk6NDlBewftLtHJVf =PAb3

Once encrypted, the message literally becomes a jumbled mess of random characters. But, equipped with the secret passcode I text you, you can decrypt it and find the original message.

Come on over for hot dogs and soda!

Whether it's in transit like our hot dog party email or resting on your hard drive, encryption works to keep prying eyes out of your business even if they happen to somehow gain access to your network or system. If you want to learn more about how encryption helps protect business data, you can read our article on how encryption aids cloud security.

The technology comes in many forms, with key size and strength generally being the biggest differences in one variety from the next.

Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers eventually learned to defeat with relative ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.

Triple DES uses three individual keys with 56 bits each. The total key length adds up to 168 bits, but experts would argue that 112-bits in key strength is more like it.

Despite slowly being phased out, Triple DES still manages to make a dependable hardware encryption solution for financial services and other industries.

RSA is a public-key encryption algorithm and the standard for encrypting data sent over the internet. It also happens to be one of the methods used in our PGP and GPG programs.

Unlike Triple DES, RSA is considered an asymmetric algorithm due to its use of a pair of keys. You've got your public key, which is what we use to encrypt our message, and a private key to decrypt it. The result of RSA encryption is a huge batch of mumbo jumbo that takes attackers quite a bit of time and processing power to break.

Blowfish is yet another algorithm designed to replace DES. This symmetric cipher splits messages into blocks of 64 bits and encrypts them individually.

Blowfish is known for both its tremendous speed and overall effectiveness as many claim that it has never been defeated. Meanwhile, vendors have taken full advantage of its free availability in the public domain.

Blowfish can be found in software categories ranging from e-commerce platforms for securing payments to password management tools, where it is used to protect passwords. It's definitely one of the more flexible encryption methods available.

Computer security expert Bruce Schneier is the mastermind behind Blowfish and its successor Twofish. Keys used in this algorithm may be up to 256 bits in length and as a symmetric technique, only one key is needed.

Twofish is regarded as one of the fastest of its kind, and ideal for use in both hardware and software environments. Like Blowfish, Twofish is freely available to anyone who wants to use it. As a result, you'll find it bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open source software TrueCrypt.

The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.

Although it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy duty encryption purposes.

AES is largely considered impervious to all attacks, with the exception of brute force, which attempts to decipher messages using all possible combinations in the 128, 192, or 256-bit cipher. Still, security experts believe that AES will eventually be hailed the de facto standard for encrypting data in the private sector.

Cyber attacks are constantly evolving, so security specialists must stay busy in the lab concocting new schemes to keep them at bay. Expert observers are hopeful that a new method called Honey Encryption will deter hackers by serving up fake data for every incorrect guess of the key code. This unique approach not only slows attackers down, but potentially buries the correct key in a haystack of false hopes. Then there are emerging methods like quantum key distribution, which shares keys embedded in photons over fiber optic, that might have viability now and many years into the future as well.

Whether it's protecting your email communications or stored data, some type of encryption should be included in your lineup of security tools. Successful attacks on victims like Target show that it's not 100 percent bulletproof, but without it, you're offering up convenient access to your data. Find some tools that give you peace of mind and stick with 'em!


SSH Configuration on Nexpose Servers Allowed Weak Encryption Algorithms – Threatpost

Rapid7 encouraged owners of its Nexpose appliances this week to apply an update to their systems to tweak how SSH is configured by default.

The company warned on Wednesday the devices were shipped with an SSH configuration that could have let some obsolete KEX, encryption and MAC algorithms be used for key exchange.

Nexpose devices are preconfigured servers, deployed in server racks, designed to help users gauge vulnerabilities, manage vulnerability data, and limit threat exposure. All physical Nexpose appliances are affected per a disclosure by Samuel Huckins, a program manager with the company, published on Wednesday.

Disclosure on CVE-2017-5243: Nexpose hardware appliance SSH enabled obsolete algorithms https://t.co/DHI7uLJ5yj (Thanks to @LiamMSomerville)

Rapid7 (@rapid7) May 31, 2017

Liam Somerville, a researcher based in Scotland, discovered the vulnerability (CVE-2017-5243) and reported it to the company three weeks ago.

Nothing needs to be downloaded to resolve the issue, but a file does need to be edited, Rapid7 said. According to Huckins, to fix the vulnerability a user with root access has to edit /etc/ssh/sshd_config in the appliance to ensure only modern ciphers, key exchange, and MAC algorithms are accepted. This should lessen the likelihood of any attacks involving authentication.

Prior to the fix, weak and out of date encryption algorithms such as AES192-CBC, Blowfish-CBC, and 3DES-CBC, and KEX algorithms such as diffie-hellman-group-exchange-sha1, could have been enabled.
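One way to check an sshd_config for the algorithms named above, as an added example that is not Rapid7's fix or code from the article. Both sample configurations are constructed, and the `ASSUMED_WEAK` patterns and the hardened algorithm list are assumptions rather than values from the advisory.

```python
import re

# Obsolete algorithms named in the article above (OpenSSH spellings).
PAGE_OBSOLETE = {
    "ciphers": {"aes192-cbc", "blowfish-cbc", "3des-cbc"},
    "kexalgorithms": {"diffie-hellman-group-exchange-sha1"},
    "macs": set(),  # the article names no specific MACs
}
# Assumption, not from the article: wider patterns for the same families.
ASSUMED_WEAK = {
    "ciphers": re.compile(r"-cbc\b|^arcfour"),
    "kexalgorithms": re.compile(r"-sha1$"),
    "macs": re.compile(r"md5|sha1"),
}

# Constructed sample, not the appliance's real file. No MACs line on purpose.
WEAK_SAMPLE = """\
Port 22
Ciphers aes256-ctr,aes192-cbc,blowfish-cbc,3des-cbc   # legacy clients
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

# Constructed hardened sample (an assumption, not Rapid7's published lines).
HARDENED_SAMPLE = """\
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""


def effective_directives(text):
    """Return the first value seen for each algorithm keyword.

    sshd uses the first value it obtains for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block because this example
    audits global settings only.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in PAGE_OBSOLETE and key not in seen and len(parts) == 2 and parts[1].strip():
            seen[key] = parts[1].strip()
    return seen


def audit(text):
    """List (keyword, kind, detail) findings for an sshd_config body."""
    findings = []
    conf = effective_directives(text)
    for key in ("ciphers", "kexalgorithms", "macs"):
        value = conf.get(key)
        if value is None:
            # Nothing pinned: whatever the sshd build enables by default applies.
            findings.append((key, "unset", "compiled-in defaults apply"))
            continue
        prefix = value[0] if value[0] in "+-^" else ""
        if prefix:
            findings.append((key, "defaults", f"'{prefix}' modifies the default list"))
            value = value[1:]
        if prefix == "-":
            continue  # the listed names are being removed, not enabled
        for name in (n.strip().lower() for n in value.split(",")):
            if name in PAGE_OBSOLETE[key]:
                findings.append((key, "obsolete", name))
            elif name and ASSUMED_WEAK[key].search(name):
                findings.append((key, "assumed-weak", name))
    return findings


if __name__ == "__main__":
    for label, body in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label)
        for finding in audit(body):
            print("  ", *finding)
```

On a live host, `sshd -T` prints the effective configuration after defaults are applied, and its output can be fed to `audit` in place of the file body.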

"This change should not impact connections from Nexpose instances to the physical appliance. The main impact is shoring up access by SSH clients such that they cannot connect to the appliance using obsolete algorithms," Huckins wrote.

According to Tod Beardsley, Research Director at Rapid7, the vulnerability could have let an attacker in a privileged position on the network force an algorithm downgrade between an SSH client and Nexpose during authentication.

"The privileged position is crucial to making the attack a success, since it's a man-in-the-middle (MitM) attack; first, the attacker needs to be able to insert himself between the client and server, which usually means the attacker is on the same network as either endpoint, or has compromised an ISP along the way (in which case you have bigger problems)," Beardsley told Threatpost late Friday. "Once there, the attacker can pose as both sides of the initial SSH handshake, and rewrite the handshake to request one of these older, obsolete algorithms. Once that's done, the attacker then records the session, and then can decrypt the session offline."

Beardsley says that removing server-side support for the algorithms makes the aforementioned kind of attack impractical and that overall, the actual risk of exploitation is fairly low.

"These appliances don't tend to be exposed on public networks, so attackers need to be on the inside to begin with," Beardsley said. "The whole point of SSH is to be resistant to this kind of session meddling, even in the face of an attacker who's in the right place and has the right expertise and resources to mount this sort of attack. By strengthening what's available on the server, we can help keep that promise of confidentiality."

*This article was updated at 4:30 p.m. EST to include comments from Tod Beardsley of Rapid7.


OneLogin data breach may have compromised encrypted information – We Live Security (blog)

OneLogin has admitted that it cannot guarantee the security of encrypted data compromised by a cybercriminal on Wednesday (May 31st).

The firm has confirmed that a review is currently underway to investigate the data breach, which affected its US data region.

Unauthorized access has since been blocked and the incident has been reported to the authorities, with independent security firms also on board to help identify the extent of the incident.

OneLogin found that the cybercriminal had obtained access to a set of AWS keys, and had used them to access the AWS API from an intermediate host with another, smaller service provider in the US.

Affected customers have already been informed, with the company claiming that the attacker was able to access database tables containing various pieces of sensitive information about users, apps and various types of keys.

While insisting that much of its most sensitive data was encrypted, the company admitted that it cannot guarantee that the cybercriminal has not managed to find a way to decrypt that data.

As a result, it has asked customers to remain vigilant, making several recommendations for action.

According to Bill Buchanan of Edinburgh Napier University, the incident has highlighted the risk of depending on cloud-based systems.

He told the BBC: Increasingly they [companies] need to encrypt sensitive information before they put it within cloud systems, and watch that their encryption keys are not distributed to malicious agents.

It is almost impossible to decrypt data that uses strong encryption, unless the encryption key has been generated from a simple password.

The case once again highlights the importance of properly implementing an encryption solution, particularly for UK companies, which are still likely to remember the 150,000 fine dished out to insurance company Alliance and Leicester at the beginning of the year.

Whether OneLogin could have done more to protect their encrypted data is likely to become clearer in the next few weeks.

Author Editor, ESET


Enterprise Encryption Solutions – Data at Rest and Data in …

To reduce the risk posed by hackers, insider threats, and other malicious attacks, your organization must utilize encryption to protect sensitive data wherever it is found across your on-premises, virtual, public cloud, and hybrid environments. This includes data at rest in application and web servers, file servers, databases, and network attached storage, as well as data in motion across your network.

As your corporate data assets grow, data-at-rest encryption is a critical last line of defense. Encryption applies security and access controls directly to your sensitive structured and unstructured data - wherever it resides.

In addition to protecting data at rest, enterprises must also address threats to sensitive data as it traverses networks. Data-in-motion encryption ensures your data, video, voice and even metadata is protected from eavesdropping, surveillance, and overt and covert interception. With Gemalto's comprehensive portfolio of SafeNet data-at-rest and data-in-motion encryption solutions, you can secure all types of sensitive data across today's distributed enterprise.

Gemalto's portfolio of data-at-rest encryption solutions delivers transparent, efficient, and unmatched data protection at all levels of the enterprise data stack, including the application, database (column or file), file system, full disk (virtual machine), and network attached storage levels. In addition to working across on-premises, virtual, and cloud environments, these solutions are deployed with the SafeNet KeySecure enterprise key manager for centralized key and policy management.


A powerful safeguard for data in motion, SafeNet High Speed Encryptors deliver proven and certified Layer 2 encryption capabilities that meet secure network performance demands for real time, low latency and near zero overhead to provide security without compromise.


Without a comprehensive data protection platform that includes strong encryption to secure and control access to your high-value information, and centralized enterprise key management to secure, manage, and prove ownership of your keys, your sensitive data is at risk. Gemalto's encryption solutions enable your organization to meet your immediate data protection and business needs now, while investing in a platform that provides robust security, a growing ecosystem, and the scalability you need to build a trusted framework for the future.

With Gemalto's encryption solutions, you can meet a wide variety of use cases, including:


Jokowi Officiates Cyber and Encryption Agency – Tempo.co

TEMPO.CO, Jakarta - President Joko Widodo, or Jokowi, ratified a presidential decree on the establishment of the Cyber and National Encryption Agency (BSSN). The government is currently focusing on preparing the entire transitional process of the newly built state agency.

"It's been ratified. We're now focusing on a quick transition," said Communication and Informatics Minister Rudiantara on Thursday, June 1.

The BSSN will be led by a head leader, main secretary, and several deputies. It will also have an inspectorate as the internal supervisor for the creation of technical regulations, auditory, and work evaluations.

The Head of BSSN will later have to report to the Political, Legal, and Security Affairs Minister, Wiranto. The representatives from the State Cipher Agency from the Communication and Informatics Ministry and other related state agencies will also join in the institution.

The plans to establish BSSN had been predicted following the recent global scale WannaCry malware attack. According to Rudiantara, the formation had been planned since 2015.

BSSN will monitor social media activities, suppress the spread of anti-State ideologies, which includes hoax and fake news spreaders.

ARKHELAUS W


How to Search on Securely Encrypted Database Fields – SitePoint

This post was originally published on the ParagonIE blog and reposted here with their permission.

We [ParagonIE] get asked the same question a lot (or some remix of it).

This question shows up from time to time in open source encryption libraries' bug trackers. This was one of the weird problems covered in my talk at B-Sides Orlando (titled Building Defensible Solutions to Weird Problems), and we've previously dedicated a small section to it in one of our white papers.

You know how to search database fields, but the question is, "How do we securely encrypt database fields but still use these fields in search queries?"

Our secure solution is rather straightforward, but the path between most teams asking that question and discovering our straightforward solution is fraught with peril: bad designs, academic research projects, misleading marketing, and poor threat modeling.

If you're in a hurry, feel free to skip ahead to the solution.

Let's start with a simple scenario (which might be particularly relevant for a lot of local government or health care applications):

Let's first explore the flaws with the obvious answers to this problem.

The most obvious answer to most teams (particularly teams that don't have security or cryptography experts) would be to do something like this:

In the above snippet, the same plaintext always produces the same ciphertext when encrypted with the same key. But more concerning with ECB mode is that every 16-byte chunk is encrypted separately, which can have some extremely unfortunate consequences.

Formally, these constructions are not semantically secure: If you encrypt a large message, you will see blocks repeat in the ciphertext.

In order to be secure, encryption must be indistinguishable from random noise to anyone that does not hold the decryption key. Insecure modes include ECB mode and CBC mode with a static (or empty) IV.

You want non-deterministic encryption, which means each message uses a unique nonce or initialization vector that never repeats for a given key.

There is a lot of academic research going into such topics as homomorphic, order-revealing, and order-preserving encryption techniques.

As interesting as this work is, the current designs are nowhere near secure enough to use in a production environment.

For example, order-revealing encryption leaks enough data to infer the plaintext.

Homomorphic encryption schemes are often repackaging vulnerabilities (practical chosen-ciphertext attacks) as features.

As we've covered in a previous blog post, when it comes to real-world cryptography, confidentiality without integrity is the same as no confidentiality. What happens if an attacker gains access to the database, alters ciphertexts, and studies the behavior of the application upon decryption?

There's potential for ongoing cryptography research to one day produce an innovative encryption design that doesn't undo decades of research into safe cryptography primitives and cryptographic protocol designs. However, we're not there yet, and you don't need to invest into a needlessly complicated research prototype to solve the problem.

I don't expect most engineers to arrive at this solution without a trace of sarcasm. The bad idea here is, because you need secure encryption (see below), your only recourse is to query every ciphertext in the database and then iterate through them, decrypting them one-by-one and performing your search operation in the application code.

If you go down this route, you will open your application to denial of service attacks. It will be slow for your legitimate users. This is a cynic's answer, and you can do much better than that, as we'll demonstrate below.

Let's start by avoiding all the problems outlined in the insecure/ill-advised section in one fell swoop: All ciphertexts will be the result of an authenticated encryption scheme, preferably with large nonces (generated from a secure random number generator).

With an authenticated encryption scheme, ciphertexts are non-deterministic (same message and key, but different nonce, yields a different ciphertext) and protected by an authentication tag. Some suitable options include: XSalsa20-Poly1305, XChacha20-Poly1305, and (assuming it's not broken before CAESAR concludes) NORX64-4-1. If you're using NaCl or libsodium, you can just use crypto_secretbox here.

Consequently, our ciphertexts are indistinguishable from random noise, and protected against chosen-ciphertext attacks. That's how secure, boring encryption ought to be.

However, this presents an immediate challenge: We can't just encrypt arbitrary messages and query the database for matching ciphertexts. Fortunately, there is a clever workaround.

Before you begin, make sure that encryption is actually making your data safer. It is important to emphasize that encrypted storage isn't the solution to securing a CRUD app that's vulnerable to SQL injection. Solving the actual problem (i.e. preventing the SQL injection) is the only way to go.

If encryption is a suitable security control to implement, this implies that the cryptographic keys used to encrypt/decrypt data are not accessible to the database software. In most cases, it makes sense to keep the application server and database server on separate hardware.

Possible use-case: Storing social security numbers, but still being able to query them.

In order to store encrypted information and still use the plaintext in SELECT queries, we're going to follow a strategy we call blind indexing. The general idea is to store a keyed hash (e.g. HMAC) of the plaintext in a separate column. It is important that the blind index key be distinct from the encryption key and unknown to the database server.

For very sensitive information, instead of a simple HMAC, you will want to use a key-stretching algorithm (PBKDF2-SHA256, scrypt, Argon2) with the key acting as a static salt, to slow down attempts at enumeration. We aren't worried about offline brute-force attacks in either case, unless an attacker can obtain the key (which must not be stored in the database).

So if your table schema looks like this (in PostgreSQL flavor):

You would store the encrypted value in humans.ssn. A blind index of the plaintext SSN would go into humans.ssn_bidx. A naive implementation might look like this:

A more comprehensive proof-of-concept is included in the supplemental material for my B-Sides Orlando 2017 talk. It's released under the Creative Commons CC0 license, which for most people means the same thing as public domain.

Depending on your exact threat model, this solution leaves two questions that must be answered before it can be adopted:

Given our example above, assuming your encryption key and your blind index key are separate, both keys are stored in the webserver, and the database server doesn't have any way of obtaining these keys, then any attacker that only compromises the database server (but not the web server) will only be able to learn if several rows share a social security number, but not what the shared SSN is. This duplicate entry leak is necessary in order for indexing to be possible, which in turn allows fast SELECT queries from a user-provided value.

Furthermore, if an attacker is capable of both observing/changing plaintexts as a normal user of the application while observing the blind indices stored in the database, they can leverage this into a chosen-plaintext attack, where they iterate every possible value as a user and then correlate with the resultant blind index value. This is more practical in the HMAC scenario than in the e.g. Argon2 scenario. For high-entropy or low-sensitivity values (not SSNs), the physics of brute force can be on our side.

A much more practical attack for such a criminal would be to substitute values from one row to another then access the application normally, which will reveal the plaintext unless a distinct per-row key was employed (e.g. hash_hmac('sha256', $rowID, $masterKey, true) could even be an effective mitigation here, although others would be preferable). The best defense here is to use an AEAD mode (passing the primary key as additional associated data) so that the ciphertexts are tied to a particular database row. (This will not prevent attackers from deleting data, which is a much bigger challenge.)

Compared to the amount of information leaked by other solutions, most applications' threat models should find this to be an acceptable trade-off. As long as you're using authenticated encryption for encryption, and either HMAC (for blind indexing non-sensitive data) or a password hashing algorithm (for blind indexing sensitive data), it's easy to reason about the security of your application.

However, it does have one very serious limitation: It only works for exact matches. If two strings differ in a meaningless way but will always produce a different cryptographic hash, then searching for one will never yield the other. If you need to do more advanced queries, but still want to keep your decryption keys and plaintext values out of the hands of the database server, we're going to have to get creative.

It is also worth noting that, while HMAC/Argon2 can prevent attackers that do not possess the key from learning the plaintext values of what is stored in the database, it might reveal metadata (e.g. two seemingly-unrelated people share a street address) about the real world.

Possible use-case: Encrypting people's legal names, and being able to search with only partial matches.

Let's build on the previous section, where we built a blind index that allows you to query the database for exact matches.

This time, instead of adding columns to the existing table, we're going to store extra index values into a join table.

The reason for this change is to normalize our data structures. You can get by with just adding columns to the existing table, but it's likely to get messy.

The next change is that we're going to store a separate, distinct blind index per column for every different kind of query we need (each with its own key). For example:

Every index needs to have a distinct key, and great pains should be taken to prevent blind indices of subsets of the plaintext from leaking real plaintext values to a criminal with a knack for crossword puzzles. Only create indexes for serious business needs, and log access to these parts of your application aggressively.

Thus far, all of the design propositions have been in favor of allowing developers to write carefully considered SELECT queries, while minimizing the number of times the decryption subroutine is invoked. Generally, that is where the train stops and most people's goals have been met.

However, there are situations where a mild performance hit in search queries is acceptable if it means saving a lot of disk space.

The trick here is simple: Truncate your blind indexes to e.g. 16, 32, or 64 bits, and treat them as a Bloom filter:

It may also be worth converting these values from a string to an integer, if your database server will end up storing it more efficiently.
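The exact-match blind index and its truncated, Bloom-filter variant described above, as an added example in Python rather than the article's own code. It uses SQLite in place of PostgreSQL; `humanid`, the helper names, the PBKDF2 iteration count and the `StandInBox` test double (a placeholder for real authenticated encryption such as crypto_secretbox) are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. The blind-index key must differ from the encryption
# key, and both stay on the application server, never in the database.
INDEX_KEY = hashlib.sha256(b"constructed blind-index key (demo only)").digest()


class StandInBox:
    """Test double, NOT encryption. It stands in for crypto_secretbox so the
    example runs with the standard library: the database receives only a
    random handle and the plaintext stays in application memory."""

    def __init__(self):
        self._vault = {}

    def seal(self, plaintext):
        handle = os.urandom(40)
        self._vault[handle] = plaintext
        return handle

    def open(self, blob):
        return self._vault[blob]


def normalize_ssn(ssn):
    """Strip formatting so '900-00-0042' and '900000042' index identically."""
    return "".join(ch for ch in ssn if ch.isdigit())


def blind_index(value, key, bits=256, stretch=False):
    """Keyed hash of the plaintext, optionally stretched, then truncated."""
    data = value.encode("utf-8")
    if stretch:
        # The key acts as a static salt; the iteration count is an assumption.
        full = hashlib.pbkdf2_hmac("sha256", data, key, 50_000, dklen=32)
    else:
        full = hmac.new(key, data, hashlib.sha256).digest()
    return full[: bits // 8]


def new_db():
    """In-memory table using the article's names humans.ssn and ssn_bidx."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE humans (humanid INTEGER PRIMARY KEY,"
               " ssn BLOB NOT NULL, ssn_bidx BLOB NOT NULL)")
    db.execute("CREATE INDEX humans_ssn_bidx ON humans (ssn_bidx)")
    return db, StandInBox()


def insert_human(db, box, ssn, bits=256, stretch=False):
    ssn = normalize_ssn(ssn)
    row = (box.seal(ssn), blind_index(ssn, INDEX_KEY, bits, stretch))
    return db.execute("INSERT INTO humans (ssn, ssn_bidx) VALUES (?, ?)", row).lastrowid


def candidates(db, ssn, bits=256, stretch=False):
    """Database-side step: rows whose stored index equals the query's index."""
    idx = blind_index(normalize_ssn(ssn), INDEX_KEY, bits, stretch)
    return db.execute("SELECT humanid, ssn FROM humans WHERE ssn_bidx = ?", (idx,)).fetchall()


def find_by_ssn(db, box, ssn, bits=256, stretch=False):
    """Application-side step: decrypt only the candidates and drop the false
    positives that a truncated (Bloom-filter style) index lets through."""
    want = normalize_ssn(ssn)
    return [hid for hid, blob in candidates(db, ssn, bits, stretch)
            if hmac.compare_digest(box.open(blob), want)]


def duplicate_groups(db):
    """What a database-only attacker learns: how many rows share a value."""
    rows = db.execute("SELECT COUNT(*) FROM humans GROUP BY ssn_bidx HAVING COUNT(*) > 1")
    return sorted(n for (n,) in rows)


def build_demo(bits, rows=600):
    """Fill a table with constructed values 900-00-0000 onward (not real SSNs)."""
    db, box = new_db()
    for n in range(rows):
        insert_human(db, box, f"900-00-{n:04d}", bits)
    return db, box


if __name__ == "__main__":
    db, box = build_demo(bits=256)
    print("exact match:", find_by_ssn(db, box, "900000042"))
    db8, box8 = build_demo(bits=8)  # 8 bits only to force collisions in a small demo
    print("8-bit candidates:", len(candidates(db8, "900-00-0042", 8)),
          "confirmed:", find_by_ssn(db8, box8, "900-00-0042", 8))
```

The 8-bit index in the demo is far shorter than the 16, 32 or 64 bits the text suggests; it is used only so that 600 rows are guaranteed to collide and the false-positive filtering is visible.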

I hope I've adequately demonstrated that it is not only possible to build a system that uses secure encryption while allowing fast queries (with minimal information leakage against very privileged attackers), but that it's possible to build such a system simply, out of the components provided by modern cryptography libraries with very little glue.

If you're interested in implementing encrypted database storage into your software, we'd love to provide you and your company with our consulting services. Contact ParagonIE if you're interested.


Keybase adds end-to-end encryption to messages on the web – Naked Security

Is Keybase the public key encryption platform that security mavens have been waiting for?

It's been kicking around in slow-burning development for three years, during which time it has released a website, desktop app (Windows, Mac, Linux), mobile (Android, iOS) and chat apps. Last week came an extension to embed Keybase in the Chrome browser.

If this sounds like a standard messaging app mashup, what underpins Keybase is actually far more daring and, potentially, important, which is why we're writing about it.

Keybase can be described as a system for users to generate a public encryption key (or upload their own existing ones) to verify their online identity with a high degree of certainty.

If this sounds a bit arcane, identity is the fundamental problem that lies at the root of many of security's woes: nobody has any way of knowing someone is who they say they are and so must proceed based on risky assumptions.

Public key cryptography has tried to solve this by using either a hierarchy of trust (i.e. certificates verified by an authority) or a web of trust (i.e. a network of users who vouch for each other), the latter a concept made famous by PGP, Phil Zimmermann's encryption software.

Web of trust sounds intriguing but turned out to be complex, which is why Keybase wants to reprise the idea minus the hard corners.

Users verify their public key in Keybase through Twitter, Facebook, GitHub, Reddit, or Hacker News, each one boosting verification, the more the merrier. A hacker wanting to impersonate someone using a fake key would come up against a wall. In a sense, Keybase is a database of these proofs that verify a public identity.

Keybase wants to build security applications on top of this. With the new Chrome extension loaded, a blue button appears on the profiles of each registered service (such as Twitter) that allows Keybase users to DM one another with end-to-end security.

It also functions as a sort of social network that tells people how to communicate with someone using public keys, including initiating secure file exchanges. Users can follow one another and use keys to communicate securely.

For now, Keybase remains a work in progress. Marketing and documentation isn't great for a company that had a $10.8m funding round in 2015, perhaps because it doesn't want an influx at this stage.

Keybase might simply be trying to build a set of security capabilities that popularise public key encryption, or it might be trying to create a bigger platform that could be used in a number of ways by third parties. It's not yet clear.

The biggest challenge will be to get users engaged in a world where some of what Keybase does is already covered, albeit imperfectly, by apps such as WhatsApp. Verification, identity and public-private keys are all very well but most users don't understand their significance or don't care. Two decades ago, PGP struggled to break out for similar reasons. Security can't afford history to repeat itself.


Windows 10 tip: Use BitLocker to encrypt your system drive – ZDNet

BitLocker requires a TPM version 1.2 or later for a standard configuration.

Most modern business-class PCs that were designed for Windows 10 support BitLocker Drive Encryption. With BitLocker encryption turned on for the system drive, an attacker who steals your device but doesn't have your sign-in credentials is completely locked out of your data.

The requirements for BitLocker Drive Encryption are fairly simple. Your hardware must include a Trusted Platform Module (TPM) chip, version 1.2 or later, and you must be running a business edition of Windows 10: Pro, Enterprise, or Education. (It's possible to enable BitLocker without a TPM, using a USB flash drive to store the encryption key, but I don't recommend it.)

To see whether your PC has a TPM chip (and, if so, which version), follow these steps:

If that seems like too much work, just run the BitLocker Encryption Wizard, which includes its own compatibility checker.

Open File Explorer, click This PC, right-click the icon for your system drive (usually drive C), and then click Turn on BitLocker. If your system doesn't meet the specifications, you'll get an error message. If everything's clear, you can follow the wizard's prompts to save your recovery key and begin the encryption process.


Green Party amends impending misconception of ending end-to-end encryption – The indy100

On the Andrew Marr show this morning, Green Party leader Caroline Lucas said she wanted to end end-to-end encryption.

This subsequently trended with lots of people on Twitter expressing their shock at the claims, not toeing the line with Green Party policy.

The question, asked by Andrew Marr was:

You say in your manifesto, you think the internet should be 'free of state and corporate surveillance with our rights and freedoms protected.'

In these circumstances, and knowing that jihadi groups and extremist groups use encrypted messaging on the internet and also use the internet to provide their hate-filled messages.

Do you really think that's a sensible policy?

Lucas responded by saying Green Party policy is about opposing the large scale at which people are on the domestic extremist list. She acknowledged that she herself is on this list.

He then asked:

Do you think that ending end-to-end encryption is wrong?

Lucas replied:

Do I think that ending end-to-end encryption is wrong? No.

Then Marr, somewhat confusingly asked:

So you would like to see an end to it, this end-to-end encryption, very very controversial, I'll be talking to the Home Secretary about it later on.

You would like to see that ended?

She replied that the bottom line for the Green Party is taking advice from security services about what keeps us safe.

Lucas later clarified that the Green Party does not want to see an end to end-to-end encryption, and that she was confused by the wording of the question.

She also asserted that she knew what it was despite a lot of speculation on Twitter.

In particular, the light has been shone on Home Secretary Amber Rudd, who critics accuse of not understanding it.

Encryption, by the way, is a service that ensures messages between two devices or users are readable only by those communicating.

The popular messaging service WhatsApp uses end-to-end encryption.

If you decrypt the service that keeps messages private, it essentially renders every message on the service readable. You can't selectively decrypt.

So when Marr asked if Lucas wanted to end end-to-end encryption, he was asking if she wanted to make it illegal to have a messaging service that's unable to be read by the government.

Go here to read the rest:
Green Party amends impending misconception of ending end-to-end encryption - The indy100

EU GDPR compliance puts focus on data tracking, encryption – TechTarget

The EU's General Data Protection Regulation officially goes into effect in less than a year, but enterprises will need to know more than the impending deadline and potential monetary penalties to navigate the complexities of GDPR compliance.

The EU GDPR will be enforced starting on May 25, 2018, and noncompliance for protecting personal information of EU residents could result in financial penalties as high as 4% of a company's annual revenue or 20 million euros -- whichever is greater. According to some experts, the most important thing to remember about becoming EU GDPR-compliant is the data being protected under the new regulation represents personal information about actual human beings.

"All too often, people view personal data as just another piece of information that they are working with -- a commodity," said Elizabeth Maxwell, mainframe technical director at Compuware Corp., a mainframe software company headquartered in Detroit. "However, this data represents a real person and should therefore be respected. They need to look at data and develop some empathy for the person to whom it belongs. How would they feel if their data was misused, leading to distress, fraud or reputational damage?"

Patrick McGrath, director of solutions marketing at Commvault, a data protection company headquartered in Tinton Falls, N.J., agreed, saying companies need to protect personal data regardless of whether it's in their data center or a third-party cloud service.

"Even if breached data was not stored on premises under your direct control, it is still your responsibility to determine whether or not personal information could have been compromised, and if so, to enact notification procedures," McGrath said. "They are your customers, prospects, donors and employees."

Jason Rose, senior vice president of marketing at Gigya Inc., a customer identity and access management company headquartered in Mountain View, Calif., suggested EU GDPR may foster relationships both inside and outside the organization.

"GDPR compliance isn't possible when teams are working in silos. Security professionals need to link arms with marketing, IT and legal because GDPR's requirement for 'privacy by design' demands new approaches to customer relationships," Rose said. "This includes giving customers complete control over their data, along with clear and concise terms of service that explain how customer data will be used."

Complying with a new set of data privacy regulations -- especially when a company already faces existing privacy regulations, such as HIPAA, Sarbanes-Oxley or the Payment Card Industry Data Security Standard -- may seem like a huge burden, but Lacy Gruen, director at RES Software, a digital workspace company headquartered in Radnor, Pa., said it should be considered an opportunity.

"Complying with the regulation is in fact a high-ROI opportunity," Gruen said. "Once businesses get their data protection strategy in order, they'll see that GDPR compliance is a piece of investment that can change the way their organization stores and handles user data for the better. When an organization knows precisely where their data is located, why it's there and who has access to it, that will not only improve analytics-driven decision-making, but will also strengthen defense against data breaches and other cyber-risks."

Noting that companies facing GDPR compliance are allocating big budgets for security, Gruen said it's "a great time to streamline processes and policies for improved efficiency, so IT resources can be redirected to more strategic functions and projects. Regulations change and new legislation continues to pop up, but if an organization takes the right data protection measures now and gets the right tools in place, the benefits will extend well beyond just compliance with GDPR."

Not all experts were as optimistic about the effects of the EU GDPR, though.

Richard Stiennon, chief strategy officer at Blancco Technology Group, a data security company headquartered in Alpharetta, Ga., worried about the possibility that GDPR compliance could prove to be an obstacle for entering or remaining in European markets for some companies.

"Will the compliance requirements be so onerous that companies, especially technology vendors, ban EU data subjects from their services?" Stiennon said. "Imagine the latest and greatest new thing, like a Skype or Angry Birds app, being developed by a couple of engineers in their garage. They may grow to millions of users in a short time frame while not being in a position to employ a data protection officer, let alone fulfill all the other requirements. So, they may block downloads or activations in the EU, thus restricting access to the latest and greatest thing. Even well-established tech companies could decide that doing business in the EU is not worth the hassle and expense."

According to several experts, encryption will be an overlooked but key part of preparing for and complying with GDPR.

"Encryption can be your 'get out of jail free' card," said Nigel Hawthorn, EMEA marketing director at Skyhigh Networks, a cloud security company headquartered in Campbell, Calif., both because "it is a clear investment in a technology to aim to reduce the data loss risk (and any fines are based on the investment in risk reduction)," but also because it eases the requirement to inform data subjects -- people -- whose data has been compromised if that data has been encrypted.

Because GDPR requires that companies incorporate data protection by design and by default, Hawthorn said "internal software engineering teams need to ensure new applications and systems are designed with data protection in mind from the outset. Even though development teams are always looking to deliver fast, data protection cannot be ignored."

Ameesh Divatia, CEO of Baffle Inc., a cloud-centric encryption company based in Santa Clara, Calif., said the first step for enterprises is to find ways to encrypt data that is "in use" at the application layer; the second step is to "minimize or eliminate access to sensitive data and encryption keys by DBAs [database administrators] and network and storage administrators by allowing all database queries to be executed on encrypted data without increased complexity or significant impacts to performance."

McGrath advised organizations to avoid exposing themselves to GDPR penalties by taking care to avoid keeping more personal data than is necessary for their business and legal needs.

"As a best practice, we encourage organizations to use archiving policies that identify instances of personal data, delete, encrypt and/or move data to more secure locations that are fully tracked," McGrath said. "While education is helpful, automation is key. With the rapid adoption of cloud and SaaS [software-as-a-service] application partners, data is becoming further distributed and it demands proper data protection coverage."

Data traceability will also be critical for EU GDPR compliance.

"Security professionals should enforce in their organization true data traceability across data workflows," said Florian Douetteau, CEO of Dataiku, a data science software company headquartered in New York. "When manipulating derived customer data, each column should contain some sensitivity tagging, and each company should evaluate the risk associated to a piece of data whether it is raw, anonymized or aggregated. In order to achieve this, each pipeline transforming the data must transfer and maintain the metadata associated to those risks."

Brian Vecci, technical evangelist at insider threat protection vendor Varonis, based in New York, suggested companies should look beyond the bare minimum requirements for protecting data under EU GDPR and consider the bigger picture.

"With GDPR, businesses will be focusing on securing a specific set of data -- EU personal information. While this is a great start, the danger is that they are focusing on this small set of data when they have problems across their environment," Vecci said. "We saw with the recent WannaCry outbreak that it's not just sensitive files that can do a large amount of damage if attacked or exposed, it's all files. GDPR legislates a lot of common sense data security, but personal data creeps into all sorts of files, and even non-GDPR forms of data need just as much protection."

Drew Nielsen, chief trust officer at cloud data protection provider Druva, based in Sunnyvale, Calif., agreed about the need to track down all the data.

"The most overlooked aspect of GDPR that no one is focusing on is to understand an organization's data attack surface," Nielsen said. "Since GDPR is all about the data, if an organization does not have a solid handle on all the places that structured and unstructured information is stored -- which includes endpoints, servers, SaaS-based cloud applications and databases -- there is almost zero chance of complying with GDPR."

More here:
EU GDPR compliance puts focus on data tracking, encryption - TechTarget