Category Archives: Encryption
Where the Acting FBI Director Stands on Encryption – InsideSources
Acting FBI Director Andrew McCabe sits with a folder marked "Secret" in front of him while testifying on Capitol Hill in Washington, Thursday, May 11, 2017, before the Senate Intelligence Committee hearing on major threats facing the U.S. (AP Photo/Jacquelyn Martin)
The new acting director of the FBI, Andrew McCabe, will inherit more from predecessor James Comey than an investigation into Russian ties to the campaign of President Donald Trump, who fired Comey Tuesday. Depending on how long he runs the agency before a Trump successor is approved (something Senate Democrats upset over Comey's firing will likely draw out), McCabe may have to take up Comey's other political battles, including encryption.
Almost since the beginning of his tenure as head of the FBI in 2013, Comey engaged in a crusade against criminals and terrorists evading law enforcement and intelligence surveillance online, or "going dark," via default encryption platforms like Apple's iPhone and Android OS.
Comey has spent the last several years repeatedly testifying before Congress that letting companies like Apple refuse law enforcement requests for user data puts lives at risk and grants bad actors more leverage when communicating online.
"We all care about safety and security on the Internet and I'm a big fan of strong encryption; we all care about public safety, and the problem we have here is those are in tension in a whole lot of our work," the former FBI director told Congress in 2015. "We work for the American people. We work with the tools that they give us through Congress. And so our job is to say, 'Hey look, our tools are being eroded, and we're not making it up.'"
Comey at first sought legislation from Congress mandating companies like Apple build back doors into their products through which law enforcement and intelligence agencies could access and decrypt communications. Comey later backed down in favor of a more nuanced and less specific approach, calling on lawmakers, agencies, and companies to sit down and work out a solution.
The debate came to a head last year when the FBI sued Apple to unlock the iPhone of one of the attackers in the December 2015 shooting in San Bernardino, California that left 14 dead. The agency eventually abandoned the case in favor of letting an outside firm crack the phone's encryption. Congress convened a working group to examine the issue that largely fell between the cracks during the 2016 election season.
Now a rising number of ISIS-inspired terrorist attacks in Europe and growing concerns of cybersecurity and election hacking in the U.S. and abroad are churning up the issue again, with Trump himself taking a stand against Apple during the campaign.
Even if McCabe is replaced, he's likely to have an influence on the agency's encryption stance going forward as the deputy under Comey. During an interview with McCabe in October, the then-deputy director appeared to defer more to the American public than his boss at the time when deciding how to strike the right balance between privacy and national security.
"It's a great question and it's one you probably don't want me to answer, or [National Security Agency Director] Mike Rogers to answer or the private sector to answer," McCabe told CNBC. "How do we have a conversation in this country about how do we feel about the cost of privacy versus national security?"
McCabe said there's no world of absolute privacy or security, and that neither side has made progress by throwing absolute positions at each other.
During a panel discussion on cybersecurity at the Cambridge Cyber Summit, co-sponsored by CNBC, MIT, and the Aspen Institute, McCabe said of the Apple case that it should be an issue Congress decides, not law enforcement.
The then-deputy director echoed one of Comey's arguments against tech community claims that to create access to any encrypted platform means compromising the whole system.
"We were innovative enough, we were smart enough to create the very technology that's given us these opportunities," McCabe said. "I believe that we are also smart enough and innovative enough to come up with a solution that meets a reasonable privacy concern but also meets a reasonable national security concern."
Why encryption is a critical step towards GDPR compliance – The Stack
Joe Pindar, director of product strategy at Gemalto's Chief Technology Office, discusses why encryption measures are growing in importance for today's businesses
Last year, the UK suffered more data breaches than any previous year. In 2016, 54,468,603 records were compromised, a 475% increase over the 9,478,730 compromised in 2015. These events have helped raise awareness around the potential risks to our data, and businesses are now realising the criticality of implementing effective security solutions.
Encryption is starting to gain particular prominence because of its ability to render breached data useless to anyone that is not authorised to access it.
When considering encryption, businesses must first understand what data they produce and which data is most valuable or sensitive, through conducting a data sweep. Only by understanding what data they have can businesses then seek to encrypt and protect it.
The key to businesses maintaining control over their encrypted data in an ever-more hybrid environment is thoroughly planning encryption key management strategies.
Encryption keys are essential to unlock secured data and provide fundamental control over who has access to certain data, making companies, and more importantly customers, the custodians of their own data. The best approach is to store encryption keys in specially designed hardware, to keep them from being compromised. Otherwise, it is like fitting your house with the best security out there, and then leaving your key under the doormat for the burglar to find.
Businesses are not just risking a financial hit if they do not implement and manage the protection of their data properly, but a reputational one too. Customers, more than ever before, are starting to understand the risks associated with sharing and hosting information online. It may not come as a big shock, but consumers believe the majority of responsibility lies with the business to protect their data and will blame them if something goes wrong. Companies need to take note of this, because if something does go wrong, customers are likely to go elsewhere.
With the upcoming General Data Protection Regulation (GDPR), the true cost of a breach is still to be felt across Europe as businesses are currently not forced to reveal when they have been breached. As such, they still mostly maintain customer loyalty. While businesses should know that it is a case of when, not if, a breach occurs, GDPR should serve as a wake-up call. To keep that loyalty, they must show they are actively working to protect their customer data using techniques like encryption.
Encryption itself is very effective, but if you do not protect it and the encryption keys that unlock it, then it can easily be cracked by unauthorised individuals. To protect against this, businesses should also focus on who is authorized to access valuable and sensitive data.
The best approach is to use two-factor authentication, which requires the employee to have something like a phone or access to an email address and to know a code or password that is constantly changing, rather than just a code or password that can be guessed. These types of security are readily available, but need to be more widely adopted by businesses.
Currently, there is limited incentive to prioritise security, and a lack of accountability for the business. Companies need to start taking security seriously and this means from the top down. GDPR is still to come into effect, but businesses need to start preparing now before it is too late and they are faced with a potential fine and damaged reputation.
Company boards should take a considered approach to security. It is not a question of the Chief Information Security Officer (CISO) saying "no" all the time, but rather implementing security protocols early so that it does not affect innovation and ensures the company adheres to the latest regulations.
Furthermore, by establishing a security mindset at the top of the company, it will filter down to the rest of the employees. Every business should know that its defence is only as secure as its weakest link.
WhatsApp confirms end-to-end encryption for iCloud-backed … – Geo News, Pakistan
Popular communication app WhatsApp has now introduced end-to-end encryption for iPhone users who have backed up their interactions on iCloud, a move that came softly and swiftly after it did so for Android phones back in 2016.
The messaging app reportedly introduced the security measure in 2016, but only confirmed the move this week, The Independent said on Wednesday.
The latest development makes it even more challenging for government agencies to tap into iPhones and WhatsApp communications.
Governments of various countries have been actively engaged in trying to get access to exchanges made on WhatsApp and it has been a burning issue over the past few months. While Android phones are a whole different case, Apple makes sure to protect its users' privacy by going out of the way, often facing the authorities' frustration and wrath.
End-to-end encryption entails that messages shared back and forth between a sender and a recipient are scrambled in a way that they become unreadable. Only the people involved in a conversation hold the key to access these locked messages.
"Not even WhatsApp can read a conversation," the company mentioned, adding that this is because "your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. For added protection, every message you send has its own unique lock and key," the publication reported.
Before this move, iCloud-backed WhatsApp texts were saved in readable form.
Earlier, there was uproar regarding the company's well-built security measures to ensure user privacy when UK Home Secretary Amber Rudd slammed WhatsApp's safeguarding techniques following the Westminster terror attack.
"It has emerged that the attacker, Khalid Masood, sent a WhatsApp message moments before launching his assault, and Ms Rudd accused the Facebook-owned app of providing terrorists with a place to hide," the media outlet said.
In addition, London-based think-tank Quilliam's Nikita Malik commented that communication and social media apps have been utilised by Daesh-inspired terrorists. "In a lot of other incidents people have shared material. [...] It can act as a sort of a modern suicide note to explain their justification," she told The Independent.
Flying to Europe? You Might Want to Encrypt Your Laptop First – ConsumerReports.org
One tactic an international traveler can use is to buy a cheap second laptop, store the data they need in the cloud, and then access it once they get to the destination. They can then wipe the data before getting back on the plane for the return flight.
If that sounds too expensive or inconvenient, you can instead encrypt your laptop's hard drive. Full-disk encryption renders all of your device's software and data unreadable unless you enter a passphrase, which activates a key that unscrambles your files and gets your laptop up and running.
Simply setting a screen lock on your laptop offers a much weaker level of protection, one that can be circumvented by hackers. They can bypass the password by restarting the device with a different operating system on a USB stick, or simply by removing the hard drive from the device.
Once set, full-disk encryption works automatically, and any new data you save on your laptop will also be protected. And if someone physically removes the hard drive, it will be unreadable.
"Full disk encryption is a sound practice, and not just for airline travel," Grossman says. "It helps with any circumstance where the laptop is not physically well-protected, like in hotel rooms or in the trunk of a vehicle while you're at dinner after work."
Directions for encrypting both MacBook and Windows laptops are below. With either kind of computer, security pros warn users to use strong passwords. They say it's best to take the human element out of choosing a passphrase as much as possible.
"It's critical that the encryption password be randomly generated and not chosen by a human," says Joseph Bonneau, a post-doctoral researcher in the Applied Cryptography Group at Stanford University. He recommends that you use a minimum of six random words from a list such as one of several developed by the Electronic Frontier Foundation. That organization has directions for a low-tech, random way to generate your passphrase. Essentially, though, the more words you use, the better.
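As an added illustration of the random-passphrase advice above (example code written for this page, not from Consumer Reports or the EFF): a small Python module that picks words both the low-tech way, from physical die rolls, and with a cryptographically secure generator, and computes how much entropy a given word count buys. The 36-word list is constructed for the demo; the EFF large list has 7776 words (6^5) indexed by five die rolls, and only the list size changes.

```python
import math
import secrets

# Constructed 36-word (6**2) stand-in for a diceware list, so two die rolls pick
# a word. The EFF large list has 7776 (6**5) words and uses five rolls per word;
# everything below only depends on the list length being a power of six.
SAMPLE_WORDLIST = [
    "acid", "apple", "arrow", "badge", "bacon", "basil", "beach", "bench", "blade",
    "bloom", "brick", "broom", "cabin", "camel", "candy", "cedar", "chalk", "cider",
    "cliff", "cloud", "coral", "crane", "daisy", "delta", "dough", "eagle", "ember",
    "fable", "fence", "flame", "fossil", "frost", "gecko", "ghost", "glove", "grape",
]


def dice_per_word(wordlist):
    """How many die rolls index one word; the list length must be a power of six."""
    k = round(math.log(len(wordlist), 6))
    if k < 1 or 6 ** k != len(wordlist):
        raise ValueError("word list length must be a power of six for dice lookup")
    return k


def roll_index(rolls):
    """Turn a string of die faces such as '35' into a zero-based list index (base six)."""
    if not rolls or any(ch not in "123456" for ch in rolls):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    idx = 0
    for ch in rolls:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def passphrase_from_rolls(wordlist, rolls_per_word):
    """Low-tech method: the user rolls physical dice and looks each word up by its rolls."""
    k = dice_per_word(wordlist)
    words = []
    for rolls in rolls_per_word:
        if len(rolls) != k:
            raise ValueError(f"expected {k} rolls per word, got {rolls!r}")
        words.append(wordlist[roll_index(rolls)])
    return " ".join(words)


def passphrase_random(wordlist, n_words=6):
    """Software method: secrets.choice draws from the OS CSPRNG, unlike random.choice."""
    if n_words < 1:
        raise ValueError("need at least one word")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate entries make some words likelier than others")
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Each uniformly chosen word adds log2(list_size) bits, whatever words come out."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches a target entropy from a list of the given size."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase_from_rolls(SAMPLE_WORDLIST, ["11", "23", "66"]))
    print(passphrase_random(SAMPLE_WORDLIST, 6))
    print(f"6 words from the EFF large list: {entropy_bits(7776, 6):.1f} bits")
    print(f"words for 80 bits from that list: {words_needed(7776, 80)}")
```

With the EFF large list, six words give about 77.5 bits and seven about 90; with this 36-word demo list, six words give only about 31 bits, which is why the list size matters as much as the word count.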
Be sure to plan ahead. Depending on how much data you have stored, encrypting a laptop could take a few hours. So this isn't something you can do while waiting on the TSA line at the airport.
And finally, before checking your laptop with your luggage, you'll want to power it down completely. Any time you work on your laptop, the hard drive is decrypted; otherwise, you wouldn't be able to do anything. Simply putting your device in sleep mode will leave the hard drive decrypted. Shut it down properly and the hard drive will be protected again.
WhatsApp quietly added encryption to iCloud backups
WhatsApp has quietly beefed up the security of an iCloud backup feature for users of its messaging service, potentially closing a loophole that could enable otherwise end-to-end encrypted messages to become accessible in a readable form, such as via a subpoena of Apple, which holds the encryption keys for iCloud, or by a hacker otherwise gaining access to a WhatsApp user's iCloud account.
According to a Forbes report, the Facebook-owned giant added encryption to WhatsApp iCloud backups in late 2016, though it says the fact only emerged last week after a third party company which supplies mobile and cloud hacking tools claimed to be able to circumvent the security measure.
The company in question, Oxygen Forensics, told Forbes its workaround only works for a specific scenario whereby it has access to a SIM card with the same mobile number that WhatsApp uses to send a verification code to generate the encryption key for the iCloud backup.
A WhatsApp spokesperson confirmed iCloud backups are now being encrypted, telling Forbes: "When a user backs up their chats through WhatsApp to iCloud, the backup files are sent encrypted."
Forensic tools are apparently used to download the encrypted WhatsApp data backed up to iCloud. Then, using the associated SIM, Oxygen Forensics said it can generate the encryption key for decrypting the data, bypassing the verification process again.
Forbes suggests the method could be used, for example, by police in possession of a device where the WhatsApp account has been deleted but iCloud backups have not been wiped.
We've reached out to WhatsApp with questions and will update this story with any response.
Political pressure on encryption appears to be hotting up again. Giving evidence to a Senate oversight committee earlier this month, FBI director James Comey revealed the agency had been unable to access the contents of more than 3,000 mobile devices in the first half of the fiscal year, despite having legal authority to access the data.
The FBI was involved in a high profile battle with Apple last year when it went to court to try to force the company to weaken its security system to help investigators gain access to a locked iPhone. Apple resisted and in the end the FBI paid a third party company to hack into the device. But the bureau appears eager to push for legislation to outlaw end-to-end encryption (i.e. where service providers don't hold the encryption keys themselves).
During last week's hearing Comey complained that a case-by-case approach to breaking into strongly encrypted devices and services does not scale, and backed fresh calls by Senator Dianne Feinstein for legislation to require companies to decrypt data when served a warrant, setting the scene for another round of crypto wars in the US.
WhatsApp has been at the forefront of making end-to-end encryption more accessible for mainstream app users, completing a rollout of the tech across its platform and all flavors of its apps in April 2016. It's also resisted legal attempts to strong arm it into handing over user data, such as in Brazil where its service has been blocked multiple times as a penalty for its failure to provide decrypted data to police. The company has maintained it cannot hand over information it does not hold.
Adding encryption to iCloud backups would appear to be a reinforcement of WhatsApp's stance that user privacy is a necessity for data security. Albeit, one with a fair few caveats about how it has implemented the security layer here. Not enabling WhatsApp iCloud backups is a more perfect fix for avoiding the cloud storage vulnerability loophole, though one that might be inconvenient from the user's point of view.
Good news! The entire Senate just embraced web encryption – ZDNet
Anyone now visiting their senator's website will see something new: a little green lock in their browser's address bar.
Last week the US Senate quietly began serving its entire domain -- including each of the 100 elected senators' websites -- over an encrypted HTTPS channel by default.
HTTPS isn't just reserved for banks and login pages anymore, and hasn't been for a long time. It's nowadays seen as a measure for sites taking their own security and the privacy of their visitors seriously.
The government has been on its own encryption binge for the past few years, trying to secure every page on every domain it has to ensure a standard level of security across the government domain space.
The logic is simple enough: Serving up each page through a secure and private connection ensures that every Senate page hasn't been intercepted or impersonated (which is easy to do) and modified by hackers -- or even intelligence agencies. It also protects the web address past the domain, in most cases preventing internet providers from knowing which individual pages a person visited.
You might wonder why everyone hasn't embraced it sooner. Encrypting web traffic used to be expensive, but the rise of free certificate services like Let's Encrypt has made it significantly cheaper to encrypt web pages.
That's the easy bit, because make no mistake -- switching from HTTP, where every byte travels the web without any encryption, to HTTPS is no small feat.
The project has taken over a year to complete, and has been a slow, tedious process of switching over each of the senators' sites incrementally to HTTPS by default. (A spokesperson for the Senate Sergeant at Arms, which headed the project, confirmed the timing but wouldn't comment further on the project.)
In order to switch over an entire site to HTTPS, every site element and component has to be served over the secure pipe. Given that the Senate domain has over a hundred individual senators' domains and committee sites, and many more for other sites and projects, amounting to millions of pages over many years, including some that are decades old -- it's not an overnight job.
But unlike the executive branch, which has all the help from the federal government to switch over to HTTPS, the legislative branch has been left mostly to its own devices.
The General Services Administration said it had no involvement in the Senate's switch. "In general, GSA supports increased use of HTTPS across public services, and actively supports the executive branch's efforts in this area," said a spokesperson.
In pushing ahead with its HTTPS project, the Senate leapfrogged the House with its own effort to encrypt its web pages. At the time of writing, every House lawmaker's website supports HTTPS, but only a little over half support HTTPS by default. (We asked the House's chief administrative officer for comment, and we'll update when we hear back.)
HTTPS by default is a good start, but there's more work to be done.
In January, the government announced it would not only strictly enforce HTTPS on each new government website but it would also preload its domains and subdomains directly into web browsers -- so that all browsers will always and by default make a secure connection to a government website.
So far, plans have been made to preload executive branch websites, but it hasn't been ruled out as a possibility for Congress in the future.
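As an added example (code written for this page, not from ZDNet or the Senate project): the browser preloading the article mentions depends on a site serving a Strict-Transport-Security header that meets the submission rules published at hstspreload.org, which I take here to be a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload directive. This Python checker parses the header per RFC 6797 and reports which of those rules a given value misses; it does not check the other submission requirements (a valid certificate, HTTP-to-HTTPS redirects, every subdomain served over HTTPS).

```python
# Minimum max-age (seconds) required by the hstspreload.org submission form,
# as assumed for this example: one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    RFC 6797 directive names are case-insensitive and each may appear only once;
    a duplicate makes the whole header invalid, so we reject it here rather than
    silently keep one copy.
    """
    directives = {}
    for token in header_value.split(";"):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing ';'
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be sent as a quoted-string
        if name in directives:
            raise ValueError(f"directive {name!r} appears more than once")
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return the preload rules this header misses; an empty list means it qualifies."""
    problems = []
    try:
        directives = parse_hsts(header_value)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]

    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age is missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age={max_age} is below the one-year minimum ({PRELOAD_MIN_MAX_AGE})"
        )
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers: a short-lived, host-only policy beside a preload-ready one.
WEAK_HEADER = "max-age=300"
PRELOAD_READY_HEADER = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("weak", WEAK_HEADER), ("preload-ready", PRELOAD_READY_HEADER)):
        print(label, preload_problems(value) or "qualifies")
```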
Encryption remains a hot topic in Congress. It seems half of all lawmakers are for it, and half see it as a way for criminals and terrorists to get away with literal murder. In the past couple of years, we've seen several attempts by lawmakers to undermine the security protections that encryption offers, such as pushing for backdoors in existing encryption standards to make surveillance easier. Last year, in the wake of the San Bernardino terrorist attack, two senators pushed for their own anti-encryption bill that eventually failed.
That bill may be on deck to be reintroduced in the current session, sparking yet another protracted chapter in the ongoing crypto war.
Now that every senator's website offers encryption, remember that next time they bring out the pitchforks.
Gov’t reverses course on TV encryption – TechCentral
Government is set to back encryption in digital terrestrial television, a sharp reversal of its position on the contentious subject, following the appointment of a new communications minister last month.
Communications minister Ayanda Dlodlo confirmed in parliament on Tuesday that her department's policy on the issue will shift to one that favours encryption.
Last week, political journalist Stephen Grootes reported from the World Economic Forum on Africa event in Durban that Dlodlo had said that government would implement encryption in digital set-top boxes, in line with ANC policy.
This is a reversal from the position held by her predecessor, Faith Muthambi, who was moved to the public service & administration portfolio last month when President Jacob Zuma reshuffled his cabinet.
The change in direction comes ahead of a constitutional court judgment, expected to be handed down soon, that will deal with the issue. Muthambi, supported in her application by MultiChoice, challenged a supreme court of appeal judgment that found in favour of free-to-air broadcaster e.tv on the issue.
In May 2016, e.tv won a significant battle in the long-running war over encryption when the supreme court found that an amendment to the broadcasting digital migration policy by Muthambi, made in 2015, did not follow a process of consultation and was irrational and in breach of the principle of legality.
The court found, too, that the amendment did not achieve its purpose and was thus irrational and invalid. "Muthambi purported to bind regulatory authorities and broadcasters and thus acted ultra vires (beyond her authority)," the court said.
MultiChoice, which owns M-Net and DStv, and e.tv have been at each other's throats for years over encryption of the signals. The pay-TV broadcaster has argued, among other things, that putting encryption in government-provided free set-top boxes would amount to unfair competition. E.tv, on the other hand, argued that if this didn't happen, the free-to-air broadcasting sector in South Africa risked being ghettoised.
MultiChoice said on Tuesday that it is not aware of any official position from government on the subject, and declined to comment further.
Democratic Alliance MP Marian Shinn described Dlodlo's reversal of the policy as "a great step forward". (Also see the opinion piece, written by Shinn, "Set-top box move is good news".)
The South African Communist Party welcomed the news of government's policy reversal, saying Muthambi's 2015 amendment was done "simply to benefit parasites and Naspers", which owns MultiChoice.
"The SACP agrees with the basic principles underlying the policy, specifically the strategic aim to strengthen free-to-air, public and community television broadcasting," the party, which is an ANC alliance partner, said in a statement.
Former communications minister Faith Muthambi
"Naspers was established during colonial rule in South Africa and served as the mouthpiece of the Broederbond, the ideological vanguard of apartheid. The action to strengthen its monopoly and parasites could only be the function of false radical economic transformation at the expense of true radical economic transformation," the SACP added.
"In sharp contrast, true radical economic transformation must de-monopolise our economy. It must decisively elbow the stranglehold of private monopoly capital, concentration, oligopolies, oligarchs and parasites from the neck of our economy, including in the media and communications sector.
"The digital terrestrial television broadcasting space must therefore be democratised by means of bringing an end to the monopoly of Naspers's MultiChoice.
"The government must use the [broadcasting digital migration] process to expand access to new entrants. Encryption significantly lowers the financial barriers to entry for new entrants in the pay television sector, while allowing for state revenue generation to recover, over a few years, the cost of the initial subsidisation of [set-top boxes]."
The SACP said, too, that the inclusion of encryption would give South Africans, including the poor, access to a variety of digital platforms including e-government services. "E-government services can only be delivered in home language and geographically specific form, with [set-top boxes] that have functional conditional access/encryption chips."
The party called on Dlodlo to withdraw the appeal application before the constitutional court.
I Side With the ‘Bad Guys’ on Encryption – Bloomberg – Bloomberg
Tough nut to crack.
One of the more intriguing pearls in FBI Director James Comey's testimony before the Senate Judiciary Committee last week was his disclosure that the Bureau has been unable to penetrate the encryption on about half of the 6,000 cell phones seized in the course of various investigations between October and March. To Comey and the senators, this was plainly a problem. I will confess that my own feelings are more mixed.
Let's start at the top. Criminals and terrorists use cell phones. A lot. Those cell phones contain a trove of information: calls made and received, text messages, lists of contacts. But law enforcement is finding it harder and harder to penetrate the encryption that protects the privacy of ordinary users and bad guys alike.
Khalid Masood, who killed five people and injured 50 in a terror attack in London in March, used WhatsApp to send a message from his cell phone just before his rampage began. The appeal of WhatsApp is its end-to-end encryption of whatever you send, encryption even the company cannot break. Initially, law enforcement worried publicly about being unable to read Masood's final message or discover the recipient. Some weeks later, the message was somehow retrieved. The means used have not been disclosed, but there has been speculation that the authorities never broke the encryption but instead somehow obtained Masood's password.
But WhatsApp itself -- the company is owned by Facebook -- has remained adamant that it will not install a backdoor allowing law enforcement agencies a way in. Were the company to yield on this point, its business model would collapse. The reason a billion people use the app is that they believe that nobody can eavesdrop on them.
To be sure, law enforcement has been complaining bitterly for some while now about its inability to break the encryption that is now almost a standard feature on much of social media and cell phones. Comey himself has argued for years that modern techniques for masking messages from unwanted readers have allowed terror groups to "go dark." Law enforcement officials from around the world have demanded that tech companies build backdoors into their encryption software to enable authorities to gain access, provided a court issues a warrant. Privacy advocates are horrified.
Although I sympathize with the needs of law enforcement, I fear that my libertarian soul sides with the bad guys on this one.
By "bad guys," I mean us -- people -- individuals -- who are not happy at the thought of governments snooping around our private lives. When the head of the FBI says to the tech companies, "Please help us," he is in effect saying to ordinary users, "Please trust us." And that's where the problem lies. Little in recent history -- or, for that matter, not-so-recent history -- offers any particular reason to believe that government officials, once granted a power, will use it sparingly.
Moreover, a warrant requirement offers little protection. The courts rarely say no, and recent administrations, including those of President Donald Trump's two predecessors, have found ways to get around judicial scrutiny. Nor has Trump himself given the impression that his use of such powers would be sparing. But even if we imagine a government run entirely by angels, we live at a time when intelligence agencies can hardly protect their own secrets, including their hacking tools. If the tech companies yield to official pressure and begin to build backdoors into their encryption, how long will it be until the details show up on WikiLeaks, and the actual methods are being bartered in various corners of the Dark Web?
Actually, the Dark Web is used these days by journalists, who try to evade the vast networks of official surveillance by offering sources the ability to remain anonymous while sending encrypted communications via SecureDrop. SecureDrop uses the Tor network of hidden servers to allow sources and reporters who never meet to exchange untappable messages. Among the many news outlets that have signed on are the Washington Post, the New York Times, and the New Yorker.
Now suppose that the U.S. government demanded that a backdoor be built into SecureDrop. After all, in the view of law enforcement, to disclose classified information to the news media is a crime. Under the Obama administration, more leakers were prosecuted for espionage -- espionage! -- than in all prior administrations combined.
Why, then, are my feelings mixed? Because what Comey says is also likely true. The easy availability of state-of-the-art encryption does make the job of law enforcement more difficult. Terrorists would have to be very foolish indeed not to take advantage of the secure communications that modern technology makes available. In a world of reasoned and reasonable conversations, we might have an actual public conversation about how to strike the balance. But in a world where the model for public argument is the partisan screed, I fear I have to vote against trusting the good guys. That's a painful line to write. It's also where we are.
To contact the author of this story: Stephen L. Carter at scarter01@bloomberg.net
Read the rest here: I Side With the 'Bad Guys' on Encryption - Bloomberg
ACI achieves PCI Compliance for end-to-end encryption package – Finextra
ACI Worldwide (NASDAQ: ACIW), a leading global provider of real-time electronic payment and banking solutions, announced today that its Point-to-Point Encryption (P2PE) solution, part of the UP Merchant Payments platform, has been independently validated to meet the Payment Card Industry (PCI) P2PE Solution standard.
P2PE is an encryption technique that considerably increases data security for consumers and merchants. It protects cardholder data by encrypting a consumer's confidential credit or debit card data into indecipherable codes at the moment the card is read by the payment terminal, so the data is never exposed in clear text on the merchant's systems downstream.
Andrew Quartermaine, vice president, SaaS solutions, ACI Worldwide comments: "ACI is proud to have achieved the PCI compliance validation for its P2PE card payments solution. Merchants continue to come under intense scrutiny from their acquirers and other stakeholders. The solution not only enhances data security for our merchant customers, but also drives considerable cost savings as it dramatically reduces the time and money merchants must spend on the required annual assessment under the PCI Data Security Standard (PCI DSS).
"We have now started the production roll-out of ACI's PCI-listed P2PE solution for a number of our UP Merchant Payments clients who will benefit from even higher levels of reliability, security and data privacy."
Ted Keniston, managing principal, P2PE, Coalfire comments: "Coalfire is proud to have partnered with ACI to validate their P2PE solution. The process is rigorous and goes through several phases of analysis, testing and validation by our P2PE certified experts. Achieving validation will offer ACI clients the opportunity to reduce their PCI compliance burdens, while also providing them with the confidence of much higher levels of security and protection for their transactions."
Follow this link: ACI achieves PCI Compliance for end-to-end encryption package - Finextra
Are Blockchains Key to the Future of Web Encryption? – CoinDesk
Encrypted websites now handle more than half the world's web traffic, but the way the keys for those connections are exchanged and verified hasn't changed much in 20 years.
The current system relies on a global network of certificate authorities (CAs) to verify the public key and the owner of each secure website. It has long been criticized for creating central points of failure. And those central points, the CAs, have actually failed in some cases.
Some think blockchains, the technology that manages key exchange for the $25bn bitcoin network, could be the basis for a secure alternative.
Like blockchains, CAs began as a way to facilitate connected commerce. Veteran developer Christopher Allen, who helped set up the first certificate authority, VeriSign, said he imagined a system with several CAs where users would pick which ones to trust.
As the system has scaled, however, it's become impractical for everyday users to actively manage their trust in different authorities. Most now rely on their browser's default settings instead. It's now the browser companies that effectively control trust, giving them huge clout within the certificate industry.
"We've got a new centrality, which is the big browser companies," said Allen.
While control over trust has centralized, the number of certificate authorities has grown. There are now hundreds of authorities in countries around the world, and because browsers trust each of them equally, a failure at any one of them undermines the whole system.
The worst incident to date was the collapse of the Dutch authority DigiNotar in 2011. Hacking DigiNotar allowed attackers to spy on around 300,000 Iranian Gmail accounts, and forced a temporary shut down of many of the Dutch government's online services.
Since then, there have been dozens of cases where CAs were caught issuing unverified certificates, using substandard security, or even trying to deceive browser companies. None of these had the same effects as DigiNotar, and the industry has raised security standards many times since 2011, but there are still those who think it's time to look for a long-term alternative to CAs.
One of those alternatives was outlined in a 2015 white paper, written at a workshop Allen hosted called "Rebooting Web of Trust". The paper set out goals for a decentralized public key infrastructure (dpki) to replace the current, centralized system.
It reads:
"The goal of dpki is to ensure that ... no single third-party can compromise the integrity and security of the system as a whole."
In place of the current system, where domain ownership is recorded in the DNS and keys are verified by CAs, Rebooting Web of Trust envisioned a secure namespace where domain registration and the key for each domain would be recorded on a blockchain.
The Ethereum Name System (ENS) is trying to create the same kind of secure namespace for the ethereum community. It gives us a first look at the challenges and opportunities of making these ideas work in practice.
Developer Alex Van de Sande said his team often uses the analogy of a sandwich to explain how ENS is designed. The 'bread' in the ENS sandwich are two simple contracts. One stipulates that if you own the domain, you're entitled to its subdomains. The other handles payments.
Like in a sandwich, the complicated part of ENS is in the middle. That's the contract that sets the rules for name registration. ENS wants to avoid the problem of domain squatting, which was common during the initial internet domain name boom.
They're also pursuing the 'principle of least surprise', the idea that people shouldn't be too surprised by who actually owns a name. It might seem like common sense that Bank of America should have first dibs on bankofamerica.eth. But Van de Sande said that designing a system to implement that principle is very challenging, maybe even impractical.
He added that ENS will take the first year after the relaunch as an opportunity to learn how to improve the registration rules. If the rules change, he said, name owners will have a choice to upgrade or surrender their names for a refund.
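To make the ownership rule of the first 'bread' contract concrete, here is an added example in Python; it is a model written for this page, not ENS's own Solidity code and not from the CoinDesk article. It assumes ENS's hierarchical node scheme (a node id derived from the parent node and the label, with the empty name as the root) but substitutes SHA-256 for keccak256 so it runs with the standard library alone; the owner identities and the root owner "registrar" are constructed placeholders.

```python
import hashlib
from typing import Optional

# The empty name is the root node, as in ENS's namehash scheme.
ROOT_NODE = b"\x00" * 32


def label_hash(label: str) -> bytes:
    # ENS hashes labels with keccak256; SHA-256 stands in here (assumption for a stdlib-only model).
    return hashlib.sha256(label.encode()).digest()


def child_node(parent: bytes, label: str) -> bytes:
    """Node id of <label>.<parent>: hash(parent_node || hash(label))."""
    return hashlib.sha256(parent + label_hash(label)).digest()


def namehash(name: str) -> bytes:
    """Walk the labels from the TLD inward, so 'pay.alice.eth' hashes eth, then alice, then pay."""
    node = ROOT_NODE
    if name:
        for label in reversed(name.split(".")):
            node = child_node(node, label)
    return node


class NotOwner(Exception):
    """Raised when a caller tries to assign a subnode under a node it does not own."""


class Registry:
    """Model of the ownership contract: one owner per node, and only the owner
    of a node may assign owners to that node's subnodes."""

    def __init__(self, root_owner: str):
        self.owners = {ROOT_NODE: root_owner}

    def owner(self, node: bytes) -> Optional[str]:
        return self.owners.get(node)

    def set_subnode_owner(self, caller: str, node: bytes, label: str, new_owner: str) -> bytes:
        # Authorization check: the parent's owner is the only party allowed to delegate.
        if self.owners.get(node) != caller:
            raise NotOwner(f"{caller} does not own the parent node")
        sub = child_node(node, label)
        self.owners[sub] = new_owner
        return sub


def demo():
    """Returns (owner of pay.alice.eth, whether a non-owner managed to create a subdomain)."""
    reg = Registry(root_owner="registrar")  # constructed root owner
    eth = reg.set_subnode_owner("registrar", ROOT_NODE, "eth", "registrar")
    reg.set_subnode_owner("registrar", eth, "alice", "0xALICE")  # constructed address
    # The owner of alice.eth is entitled to its subdomains ...
    reg.set_subnode_owner("0xALICE", namehash("alice.eth"), "pay", "0xALICE")
    # ... while anyone else is refused by the same rule.
    try:
        reg.set_subnode_owner("0xMALLORY", namehash("alice.eth"), "shop", "0xMALLORY")
        hijacked = True
    except NotOwner:
        hijacked = False
    return reg.owner(namehash("pay.alice.eth")), hijacked


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that ownership of a name is a property of the node in the registry, so delegation of subdomains is decided by the registry's own check rather than by any third party; the payment and registration-rule contracts described in the article sit on top of this and are not modelled here.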
Van de Sande said he hopes ENS will be a model for a wider use of similar ideas, adding:
"ENS reflects the way we wish the internet would be. It doesn't mean that it's actually going to be that way."
Another way to decentralize the infrastructure behind secure online communication is to ensure that users can verify the actual information they receive, rather than trying to secure the server-client connection.
Engineer Jude Nelson, who collaborated on the 2015 "Rebooting Web of Trust" white paper, told CoinDesk this is the goal of his startup, New York-based Blockstack.
Blockstack's system, which is currently in an alpha release, allows users to record their unique name and key on the bitcoin blockchain, and then lookup another user in order to verify the information they receive.
"With Blockstack, we're trying to make it so that developers can build server-less, decentralized, applications where users own their own data," said Nelson. "There are no passwords and developers don't have to host either of them."
This could, one day, reduce the need for the website encryption altogether.
Each of these projects reflects the same overarching goal: to reduce the role of third parties and give users more control.
Allen, who has convened the Rebooting Web of Trust group every six months since 2015, said he is working towards technologies that give users true sovereignty.
The many strings of letters and numbers that represent individuals online today are all registered with third parties. "You're not really buying it, you're renting it. You don't have true sovereignty," said Allen.
But Allen also sees many challenges ahead. One is usability. Systems that work for technically adept users may not scale to applications where most users will rely on defaults and won't be prepared to make choices about who to trust.
Allen said:
"We've learned in technology that giving users choice often doesn't work."
Meanwhile, the centralized system is also changing. Google is in the middle of rolling out its own solution to the pitfalls of the CA system, a plan called Certificate Transparency, which requires CAs to log all trusted certificates in public view.
Google said it can verify log-inclusion and the log's honesty with Merkle trees, and the system has already allowed researchers to catch some bad certificates.
Google's idea is to keep the third party, but remove the trust. And this approach may prove to be a long-term competitor to blockchain-based projects which want to get rid of both.
Here is the original post: Are Blockchains Key to the Future of Web Encryption? - CoinDesk