Category Archives: Encryption
SHA-1 Encryption Has Been Broken: Now What? – Forbes
Forbes | In February 2017, Google and CWI announced they had broken SHA-1 encryption. This isn't a surprise: the encryption, used for things like digital signatures, had been susceptible to collisions for years. Companies began slowly phasing out SHA-1 after ...
More here:
SHA-1 Encryption Has Been Broken: Now What? - Forbes
Hewlett Packard Enterprise touts encryption tool for federal clients – The Hill
Hewlett Packard Enterprise on Thursday announced that it has developed the first format-preserving encryption tool that meets federal government standards for use by agencies and government contractors.
The company's data security branch has been engaging with the National Institute of Standards and Technology (NIST) for several years to validate the encryption tool.
Format-preserving encryption maintains the format of the data's original text, meaning that, for example, a 16-digit credit card number would be encrypted so that the output is another 16-digit number.
The encryption tool fits into Hewlett Packard's data security product, called HPE SecureData, which has already been used in the private sector to secure banking records and other types of sensitive information.
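How a format-preserving cipher can turn one 16-digit number into another 16-digit number while remaining reversible, shown here as an added illustration that is not HPE SecureData code and not the NIST-specified FF1 algorithm: a toy balanced Feistel network over decimal strings, using HMAC-SHA256 as the round function. The key, the round count and the sample card number are constructed for the demonstration.

```python
import hmac
import hashlib

# Toy format-preserving cipher (added example): a Feistel network over decimal
# strings with HMAC-SHA256 as the round function. Not NIST FF1, no tweak input,
# and not a validated construction; it only demonstrates the shape of FPE.

ROUNDS = 10  # constructed choice for the demonstration


def _round_function(key: bytes, round_no: int, half: str, out_len: int) -> int:
    # Derive a pseudo-random integer in [0, 10**out_len) from the key, the round
    # number and the half of the state that is NOT being modified this round.
    msg = round_no.to_bytes(1, "big") + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** out_len)


def _split(digits: str):
    n = len(digits)
    u = n // 2          # length of the left half
    v = n - u           # length of the right half (one longer for odd n)
    return digits[:u], digits[u:], u, v


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Encrypt a decimal string; output has the same length and is all digits."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a decimal string of at least 2 digits")
    left, right, u, v = _split(digits)
    for i in range(ROUNDS):
        # Even rounds modify the left half, odd rounds the right half; modular
        # addition keeps each half inside its decimal domain.
        if i % 2 == 0:
            f = _round_function(key, i, right, u)
            left = str((int(left) + f) % 10 ** u).zfill(u)
        else:
            f = _round_function(key, i, left, v)
            right = str((int(right) + f) % 10 ** v).zfill(v)
    return left + right


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards with subtraction."""
    left, right, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):
        if i % 2 == 0:
            f = _round_function(key, i, right, u)
            left = str((int(left) - f) % 10 ** u).zfill(u)
        else:
            f = _round_function(key, i, left, v)
            right = str((int(right) - f) % 10 ** v).zfill(v)
    return left + right


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed, not a real key
    pan = "4111111111111111"                # constructed sample card number
    ct = fpe_encrypt(key, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, ct))
```

The Feistel structure is what makes this work: the round function never has to be invertible, so any keyed PRF can drive it, and the modular addition keeps each half a fixed-length decimal number, which is exactly the property the article describes. Real deployments use a standardized construction such as FF1 with a tweak, which binds the ciphertext to context such as a record identifier.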
Mark Bower, global director of product management at the company's data security branch, told The Hill that the product could have profound implications for government agencies and contractors trying to secure sensitive data from criminal and nation-state hackers.
"The technology itself allows an organization to essentially go back in and retrofit or build in security or data privacy not only into the new applications they might be moving into [like] the cloud, but also in those highly prized mission-critical [or] legacy systems that often are the backbone of government data processing," Bower said.
"The ability to encrypt the data and keep the data useful when it's encrypted means that you can essentially retrofit encryption into a lot of applications and processes and then do that without the heavy cost burden of traditional encryption," Bower said.
Information security in federal government systems has been a prime concern in the wake of the Office of Personnel Management breach, which compromised personal information of more than 20 million people and has been largely blamed on the agency's legacy systems. The breach was traced back to Chinese hackers.
Bower said that the company has already seen interest in the technology by U.S. federal agencies as well as other public organizations in other countries.
Here is the original post:
Hewlett Packard Enterprise touts encryption tool for federal clients - The Hill
Encryption on the Rise in Age of Cloud – Infosecurity Magazine – Infosecurity Magazine
How trustworthy is your cloud provider?
That's the question many security personnel ask themselves, as cloud adoption continues apace. According to Thales' 2017 Global Encryption Trends Study (carried out by the Ponemon Institute), enterprises have accelerated adoption of encryption strategies in response to cloud adoption, with 41% of respondents saying their organization has an encryption strategy applied consistently across the enterprise.
About 67% of respondents take one of two routes: they either perform encryption on premise prior to sending data to the cloud, or encrypt in the cloud using keys they generate and manage on premises. But a full 37% said their organizations turn over complete control of keys and encryption processes to the cloud providers themselves.
Other critical findings demonstrate organizations continue to show a preference for control over encryption and key management when those activities migrate to the cloud. About a third (31%) are using or planning to use hardware security modules (HSMs) with bring your own key (BYOK) deployments, with 20% claiming the same for cloud access security broker (CASB) deployments.
Use of HSMs among organizations grew to its highest level ever, at 38%; of those respondents, 48% own and operate HSMs on-premise in support of cloud-based applications. Overall, usage of HSMs with CASBs is expected to double in the next 12 months (from 12% to 24%).
Also, for the first time in the study's 12-year history, business unit leaders have a higher influence over encryption strategy than IT operations.
"This year's findings align with key trends demonstrating an increased reliance on the cloud, ever-evolving internal and external threats, and new data sources mandating stronger protection," said John Grimm, senior director of security strategy at Thales e-Security. "The survey further reinforces that cloud key management offerings are more important than ever, and business-leader involvement is crucial to a sound security strategy."
And no wonder: at 55%, compliance is the top driver for encryption, followed closely by protecting enterprise intellectual property (51%), customer information protection (49%) and protection from external threats (49%).
"The accelerated growth of encryption strategies in business underscores the proliferation of mega-breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy. Encryption and key management continue to play critical roles in these strategies."
Originally posted here:
Encryption on the Rise in Age of Cloud - Infosecurity Magazine - Infosecurity Magazine
Make Encryption Ubiquitous, Says Internet Society – Infosecurity … – Infosecurity Magazine
The Internet Society has urged the G20 not to undermine the positive role of encryption in the name of security, claiming it should provide the foundation of all online transactions.
As the world's leading economies met in Hamburg late last week, president and CEO of the non-profit, Kathryn Brown, called for ubiquitous encryption for the internet.
That comes amid a resurgence in encryption-bashing from some senior politicians, who have portrayed it as enabling terrorism in the wake of recent attacks in London and elsewhere.
Most notably, UK home secretary Amber Rudd went on the offensive, naming and shaming Facebook's WhatsApp for its use of end-to-end encryption.
Rudd and others around the world want to force tech firms to effectively create backdoors for law enforcers, so they can be used to intercept communications of suspects under investigation.
Even the historically more liberal European Commission recently claimed it was considering such a strategy.
However, the Internet Society's Brown argued that encryption should be made stronger and universal, not weaker.
"Strong encryption is an essential piece to the future of the world's economy and the Internet Society believes it should be the norm for all online transactions. It allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and do almost everything else," she wrote.
"However, rather than being recognized as the way to secure our online transactions or our conversations, all too often the debate focuses on the use of encryption as a way to thwart law enforcement. To undermine the positive role of encryption in the name of security could have devastating consequences."
Kevin Bocek, chief cybersecurity strategist for Venafi, agreed with the Internet Society, adding encryption was particularly important as we move to a world dominated by AI.
"Machines have to be able to know which machine they are talking to; they need privacy. This goes beyond enabling ecommerce and online banking; all machine identities need to be protected and to do this we need encrypted and private communications," he added.
"This is why our IoT-driven future, where decisions are made and business is conducted in the cloud through machines, needs encryption. If government wants to have an e-enabled, information society of the future, encryption is a required ingredient, not an optional one that can be picked up or put down at will."
The G20 has for the first time decided to hold ministerial meetings focused specifically on digital policy areas, and is also inviting non-governmental stakeholders to contribute, offering a great opportunity for a more balanced debate, Brown argued.
However, it remains to be seen whether Brown's words will be heeded, especially as voters, politicians and headline writers appear to have little appetite to grasp the nuances of the argument for encryption.
A survey by Cable.co.uk last week revealed that most of the British public would feel safer without encryption.
A meeting of digital ministers in Düsseldorf last week appeared to focus mainly on global internet speeds and accessibility.
Visit link:
Make Encryption Ubiquitous, Says Internet Society - Infosecurity ... - Infosecurity Magazine
Can we encrypt the web while giving governments a backdoor to snoop? – SC Magazine UK
It's a choice between privacy and law enforcement
As SC Media reported yesterday the Internet Society has called upon G20 nations to ensure ubiquitous encryption of the web.
The president and CEO of the Internet Society, Kathryn Brown, has gone on record to state that encryption should be made stronger and universal, not weaker.
Some have taken this as a call to encrypt everything online; however, in her 'Securing our Digital Economy' statement Brown says, "Strong encryption is an essential piece to the future of the world's economy and the Internet Society believes it should be the norm for all online transactions."
Brown also mentions how rather than being recognised as a way to secure online transactions, or conversations, the debate too often focuses on the use of encryption as a way to thwart law enforcement.
Which got us thinking here at SC Media UK, would it actually be technically possible to encrypt the entire web and perhaps a little more controversially could this be achieved in a way that enabled decryption to facilitate criminal and national security investigations?
Yes, we know, one country's terrorist is another's journalist, but considering the ongoing global clamour for encryption backdoors we wondered how technically feasible it might be at an internet-wide scale?
As always, we turned to the cybersecurity industry itself for some answers:
Neil Cook, chief security architect at Open-Xchange, welcomed the Internet Society comments and reckons that universal encryption should not only be possible, but mandatory for web traffic, communications and data at rest. "We cannot let the actions of a small minority of people compromise the security and privacy of everyone else by weakening the encryption we all rely on to keep us safe and our data private," he says.
Which, while admirable, doesn't get us any closer to the technical feasibility point. Dan Panesar from Certes Networks ponders whether that's because it's not actually possible. "In practical terms, it would need to focus on utilising secure connections to everything, rather than blanket encryption of the entire web," Panesar says. "Blanket web encryption would almost create more problems than it solves, slowing the internet and causing serious functionality problems."
Chris Hodson, EMEA CISO at Zscaler, is more positive about whether it can be achieved technically. "In a word, yes," he told SC Media. "Though encryption remains only part of the security puzzle. Front loading the internet with the 'silver bullet' of encryption only serves to protect information in transit between two parties and does not maintain security hygiene overall."
As Hodson adds, encryption is only actually valid against those who shouldn't have access to data. Encrypted information is still accessible if a hack is undertaken via 'legit' means such as the spear-phishing of an admin account.
Mark James, security specialist at ESET, agrees that it's a nice thought but says that while in theory it would enable private communication of all personal data, in practice, with so many parts operated, owned and channelled through so many gateways, it's a job that seems highly unrealistic to achieve.
Javvad Malik, security advocate at AlienVault, prefers to try and break the problem down into component parts of which, he told us, there are primarily three:
Areas of the web that absolutely should be encrypted, where active efforts should be made to increase the security. For example, when it comes to online banking transactions there should be no margin for doubt.
Areas of the web that need privacy and security, but could co-operate with law enforcement without undermining the security model. For example, a cloud provider that holds the encryption keys, or that can create additional access accounts, can provide access. This is more common in SaaS-type scenarios.
The real pain points, which involve all those apps that need to be secured and have no easy way to intercept. This is where apps like WhatsApp sit, which offer end-to-end encryption; even the service provider should not be able to access the data.
Lee Munson, security researcher at Comparitech, moved on to our secondary question, that of law enforcement access to encrypted communications.
"For them to gain access to encrypted traffic there would be a need to share keys which, by definition, removes the encryption," Munson explains. "While this could be controlled in such a manner that no third-party gains access to those keys, experience has told us that as soon as you slip a backdoor of any kind into an encrypted medium, some unauthorised person or group will find a way to leverage it for their own purposes."
High-Tech Bridge's CEO, Ilia Kolochenko, was equally perplexed by this at a technical level. "It's technically impossible to design an encryption that good guys could break, while bad guys could not," he says. "Even if we do develop such an algorithm one day, the bad guys will hack the good guys and decrypt all your data."
His answer then? That we need to make a choice between privacy and law enforcement. But then again, as Javvad Malik pointed out, "the way encryption currently works, I'm not aware of a way that the communication can be kept secure but access allowed; not unless the laws of mathematics can be changed."
We will leave it to the Venafi chief cyber-security strategist, Kevin Bocek, to swing the debate back around to commerce and the digital economy.
"Encryption is key (no pun intended) to the system of trust which underlies the security of every machine on the Internet, of that there's no doubt. There is no replacement so we really need to continue to make this system work," Bocek told SC Media.
"Machines have to be able to know which machine they are talking to, they need privacy," he explained. "This goes beyond enabling ecommerce and online banking; all machine identities need to be protected and to do this we need encrypted and private communications."
This, argues Bocek, is why our IoT-driven future, where decisions are made and business is conducted in the cloud through machines, needs encryption. "If government wants to have an e-enabled, information society of the future," he concludes, "encryption is a required ingredient, not an optional one that can be picked up or put down at will."
Visit link:
Can we encrypt the web while giving governments a backdoor to snoop? - SC Magazine UK
Why we need to encrypt everything – InfoWorld
If you've been paying attention lately, you've likely noticed that more of your everyday websites are going HTTPS by default: Twitter, Facebook, LinkedIn, and even your favorite search engine.
This is a good development. For years, critics have derided default, widespread HTTPS encryption and authentication as unnecessary and performance-wasting. But now that we've seen most of the biggest websites go HTTPS, led by Google, the world is finding out it isn't such a bad idea.
In fact, it's great. It's time for us to go all the way and encrypt and authenticate everything!
At a time where the U.S. Congress is allowing ISPs to continue spying on users' private sessions, we need default HTTPS to protect our privacy. We need to incorporate security and privacy protections in all our communications, whether over the internet, telephone, cable, mobile phones, instant messaging -- any form of networked communications. We should demand constant protection of all that. It's the only way to make the internet truly more secure and private.
Computer security students use the acronym CIA -- "confidentiality, integrity, availability" -- to describe why computer security is needed.
Confidentiality refers to keeping information from being seen by unauthorized parties. Integrity means making sure a person or computer is who they say they are (or that content has been unmodified since its intended distribution). Availability is ensuring that a computer asset is accessible to authorized parties, thanks to such practices as preventing denial-of-service attacks.
We should apply the security CIA triad to all computing and network communications. That doesn't mean we have to apply the strongest and most expensive security to everything; security measures should be commensurate with the data they protect. You wouldn't protect a website containing public information as strenuously as you'd protect weapon systems or classified information. But in general, all websites and services should have some basic level of encryption and integrity.
Conventional wisdom dictates that protecting assets and content that don't seem to demand strong computer security is wasteful, unnecessary, and performance-killing. As a result, only content that supposedly needs better protecting receives it. What we end up with is a hodgepodge of protection, often within the same site or service.
We're all accustomed to connecting to banking websites that start off unprotected, then switch to protected for a logon or transaction, often with single pages that contain a mix of protected and unprotected content. Sometimes it's hard to determine which is which. The complexity of sustaining differing levels of protection on the same site is confusing to us and our browsers.
As it turns out, it's simply easier for developers, browsers, and users to protect everything all the time.
I liken it to file-based encryption. With file-based encryption, either you or the system encrypts files on a file-by-file or folder-by-folder basis. This supports the idea that only certain items need to be protected. But file-based encryption almost always fails as true protection over the long run. Objects that should be protected don't get protected. Sensitive data leaks out. A simple application crash can leave confidential data exposed. Moreover, it's difficult to remove all confidential data even if you try, especially in today's growing world of memory storage media (which doesn't even let the operating system choose what data to delete or encrypt).
Volume- and disk-based encryption is becoming the norm. You turn it on, and every file, every data bit remnant is protected by default. This approach makes an unintended data reveal much less likely, and usually the protection is invisible to the user. We need to take lessons learned in the storage arena and apply them to the rest of the world. Widespread, default, pervasive protection works best.
Getting rid of all HTTP connections and moving to (or even requiring) HTTPS is a good way to start. HTTPS gives us encryption and integrity during network transmission. We need to require default, total media encryption on all disks and storage media. No USB key or camera memory card should be without it.
We also need to move from one-factor authentication to two-factor (or greater) authentication. Stronger authentication doesn't prevent all attacks, but it stops the phishing of credentials, which is very prevalent right now.
It's also important to authenticate all content to protect its integrity, although this flies in the face of conventional thinking. Why protect content anyone can acquire? Mainly because it's easier to encrypt everything, but also because all content needs integrity protection.
Suppose a government agency offers public documents that anyone can have, use, and share. It's important that what users download and share is authentic. You don't want someone changing a public document to say something else and disseminate it as if it were the genuine article.
You might argue that many documents, where the original author or distributor doesn't mind any modification, shouldn't be integrity-protected. Again I'll argue that it's easier, more accurate, and cheaper to protect everything than singling out winners and losers.
Even availability issues need to be worldwide. You might think it's OK for your site or service to go down, but in today's world, you never know what upstream or downstream entity is integrating with your offering. Besides, almost everything in the cloud is redundant already, and it's cheaper to protect everything rather than a few bits.
It's inevitable that enabling security universally, such as HTTPS or default encryption, will break some objects, especially those that were built before these security options were available or pervasive. So what? Welcome to the real world. If something breaks, it's time to fix it or forget it. Pervasive computer security shouldn't be held back by dinosaur apps and services.
All spies dislike the idea of pervasive encryption and other security protections. Again, so what? The ability to protect our personal privacy should trump any other societal need.
I and millions of others don't buy that government must be able to infiltrate every digital transaction to protect society from criminals and terrorists. Let me be clear: We are willing to put up with the idea that pervasive security makes it harder for law enforcement to do its job.
That said, I'm not suggesting that default, pervasive security is a panacea. If a bad group successfully breaks into your computer or into a website, it can pretty much do anything it wants, including disabling default security.
But having good security always turned on as default means even those events are less likely to happen. Requiring seat belts in cars and helmets on motorcycle riders doesn't stop car or motorcycle deaths. But it absolutely, significantly reduces the number of deaths and horrible, disabling injuries.
The internet and every device connected to it will one day have built-in, pervasive security, turned on by default. It's already happening. I want us all to recognize it, hop on the bandwagon, and get it done. It's the only way the internet has a chance to be significantly more secure.
Read more here:
Why we need to encrypt everything - InfoWorld
Hacked Dallas sirens get extra encryption to fend off future attacks – Computerworld
By Matt Hamblen
Senior Editor, Computerworld | Apr 11, 2017 2:37 PM PT
Dallas city officials have added extra encryption and other security measures to the outdoor warning sirens hacked early Saturday.
The hack also prompted the city to evaluate critical systems for potential vulnerabilities, City Manager T.C. Broadnax said in a statement late Monday. City officials are reviewing security for financial systems, a flood warning system, police-fire dispatch and the 911/311 system.
Broadnax told reporters separately on Monday that the hack came over a radio frequency and not over a wired computer network. The attack was "not a system software issue; it was a radio issue," he told the Dallas Observer and others.
The city believes the hack came from the Dallas area, but officials haven't detailed how it occurred. Dallas police are working with the FBI and the Federal Communications Commission (FCC) to validate what they think happened and find the source. The hack caused all 156 emergency sirens to activate for about 90 minutes, scaring some residents and doubling the number of calls to 911.
Radio security experts theorized the incident may have been a simple "replay attack" where the hacker recorded the radio signal sent out on April 5 at noon as part of a monthly test of the emergency siren system. Then, the hacker could have played that signal back repeatedly early Saturday. It would take a hacker with a software defined radio (SDR) or other off-the-shelf radio frequency test equipment to pull off the attack, said Chris Risley, CEO of Bastille Networks, a company that remediates radio frequency vulnerabilities.
Frequencies used for outdoor sirens are public and are managed by the FCC. Various security techniques, including encryption, are used to protect signals sent by radio.
Even if a "replay attack" was not used, the regularly scheduled siren test would allow an attacker to make multiple recordings of the "activate sirens" radio stream over several months and then analyze it for specific commands to trigger the alert, he added. SDRs are becoming cheaper and more capable and there is an abundance of open source software that can decode activation protocols.
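What it takes to make a recorded test-activation useless to someone who plays it back later, as an added example that is not a description of Dallas's actual system or of any vendor's siren protocol: each activation command carries a monotonically increasing counter and an HMAC-SHA256 tag computed over the counter and the command. A replayed copy of the monthly test is rejected because its counter is no longer fresh, and a modified copy fails the tag check. The key, counter values and the "ACTIVATE" command string are constructed for the demonstration.

```python
import hmac
import hashlib
import struct
from typing import List, Tuple

# Added example, not any city's or vendor's real siren protocol: an activation
# command authenticated with HMAC-SHA256 and protected against replay by a
# monotonic counter. Key, counters and command strings are constructed.

TAG_LEN = 16        # bytes of the HMAC-SHA256 output kept as the message tag
COUNTER_LEN = 8     # big-endian unsigned 64-bit counter


def build_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Transmitter side. Wire format: counter (8 bytes) || command || tag (16 bytes)."""
    header = struct.pack(">Q", counter) + command
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class SirenReceiver:
    """Receiver side: verifies the tag first, then enforces counter freshness."""

    def __init__(self, key: bytes):
        self.key = key
        # Highest counter accepted so far. A real receiver must persist this
        # across restarts, otherwise old recordings become valid again.
        self.last_counter = 0

    def accept(self, message: bytes) -> Tuple[bool, str]:
        if len(message) < COUNTER_LEN + 1 + TAG_LEN:
            return False, "too short"
        header, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad tag"
        counter = struct.unpack(">Q", header[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            # Same or older counter: a replayed recording or a stale command.
            return False, "replayed or stale counter"
        self.last_counter = counter
        return True, header[COUNTER_LEN:].decode("ascii")


def demo() -> List[Tuple[bool, str]]:
    """Walk through a test activation, a replay of it, a tampered copy, and a fresh command."""
    key = b"constructed-demo-key-not-a-real-key"
    rx = SirenReceiver(key)
    monthly_test = build_command(key, 1, b"ACTIVATE")
    results = [rx.accept(monthly_test)]                      # genuine: accepted
    results.append(rx.accept(monthly_test))                  # recorded and replayed: rejected
    tampered = monthly_test[:-1] + bytes([monthly_test[-1] ^ 0x01])
    results.append(rx.accept(tampered))                      # altered message: rejected
    results.append(rx.accept(build_command(key, 2, b"ACTIVATE")))  # next counter: accepted
    return results


if __name__ == "__main__":
    for ok, info in demo():
        print("accepted" if ok else "rejected", info)
```

The tag gives authenticity and the counter gives freshness; neither alone is enough, since an unauthenticated counter can be rewritten and an authenticated message without freshness can be replayed verbatim. Confidentiality of the command itself is a separate property and would need encryption on top of this scheme.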
Risley said other cities are probably just as vulnerable as Dallas.
The Dallas incident highlights how vulnerable and unprotected U.S. enterprises and government authorities are, said Matt Little, chief product officer for encryption provider PKWare. "Traditional security perimeters are breaking down. This attack reaffirms how necessary encryption is," he said.
Many siren systems are decades old and Dallas may have been relying on low-level encryption, perhaps even 64-bit encryption based on the Data Encryption Standard (DES) from the late 1970s, he said.
"Sirens are analogous to a lot of aging critical infrastructure that was built for high availability, and always has to be online, so security took a back seat to that," Little said.
Dallas may have decided after the hack to upgrade encryption or improve the authentication system regarding who gets access to encryption keys, Little said.
In the Dallas case, a hacker could have listened to the low-level encrypted activation signal sent to sirens for some time, then used a brute force attack to figure out the encryption key needed. "It seems to be a large brute force effort to compromise a signal tower," Little said.
In some ways, radio-controlled systems like a siren warning system with even weak encryption could actually be more secure than some Internet-connected devices with no encryption, he said. For example, unprotected cameras connected to the Internet that were attacked by the Mirai botnet were used in a coordinated DDoS attack on Dyn servers last October. The result: widespread Internet outages.
Senior Editor Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld.
More:
Hacked Dallas sirens get extra encryption to fend off future attacks - Computerworld
Internet Society tells G20 nations: The web must be fully encrypted – The Register
The Internet Society has called for the full encryption of the internet, decrying the fact that securing the digital world has increasingly become associated with restricting access to law enforcement.
In a blog post aimed at the leaders of the G20 economies, ISOC CEO Kathryn Brown argues that the digital economy "will only continue to thrive and generate opportunities for citizens if the Internet is strong, secure, and trusted," adding: "Without this foundation, the global digital economy is at risk."
The G20 will meet in Hamburg in July and one of the main agenda topics is the "spread of digital technology" and its impact on economic growth. Notably, there will be a "digital affairs ministers conference" for the first time at the summit, and the importance of the topic was highlighted with a special two-day preparatory meeting last week attended by "ministers in charge of digitalization."
"Germany wants them to agree to a concrete plan one that includes affordable Internet access across the world by 2025, common technical standards and a focus on digital learning," wrote Brown at the conclusion of that prep meeting, presumably having been briefed on discussions.
The post gives some figures on the digital economy 360 million people; 28 per cent of output is digital; the internet contributes $6.6tn a year before getting to the point: interconnection and security.
"The truth is that economies can only function within a secure and trusted environment," Brown notes, "which brings us to encryption."
Internet engineers have long been strong advocates of increased online security (something that has been difficult since the internet's earliest building blocks largely ignored the idea of malicious activity), and the Internet Society reflects that belief back: "Strong encryption is an essential piece to the future of the world's economy and the Internet Society believes it should be the norm for all online transactions. It allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and do almost everything else."
Brown goes on: "Encryption is a technical building block for securing infrastructure, communications and information. It should be made stronger and universal, not weaker."
But then she also notes that in the past year, the issue of encryption has become intricately tied up with the issue of law enforcement trying to gain access to people's communications and being unable to do so.
In the lead-up to the US presidential election, the fight between the FBI and Apple over the phone of San Bernardino shooter Syed Farook became a hot topic. Politicians and law enforcement called for a backdoor (or even a frontdoor) to the latest encryption efforts, and tech companies, security bods, civil society and some federal agencies called that notion "magical thinking" because any hole introduced into encryption software is an exploitable hole that anyone can use and abuse.
Last month, the issue re-emerged following an attack in London, when the UK home secretary Amber Rudd specifically criticized Facebook-owned WhatsApp for not providing access to the app-based conversations of attacker Khalid Masood.
Just days later, EU Justice Commissioner Vra Jourov said she would introduce legislation to make it easier for law enforcement to gain access to encrypted apps' data. That followed calls from French and German ministers for ways to access encrypted comms.
However, following a now-familiar backlash to such calls from cybersecurity experts, Rudd then downplayed her call for access to encrypted communications. Jourov's department insisted she did not mean to imply the legislation would cover encryption only access to data stored in the cloud by encrypted apps (which presumably she expects to be unencrypted).
ISOC CEO Brown is not happy about how this conversation is defining the debate around encryption. "Rather than being recognized as the way to secure our online transactions or our conversations, all too often the debate focuses on the use of encryption as a way to thwart law enforcement," she complains, arguing: "To undermine the positive role of encryption in the name of security could have devastating consequences."
The Internet Society is usually diplomatic to the point of saying nothing, so when its CEO says, "we should recognize that encryption is key to the future digital economy and stop treating it as simply an obstacle to law enforcement," it is clear that the level of frustration among internet engineers is high.
Hammering the point home, she adds: "We need to deconstruct the issues faced by law enforcement and policy makers and agree together how we can achieve a trusted digital economy underpinned by encryption."
ISOC clearly sees July's G20 Summit as the best opportunity to address that concern, with Brown calling it a "turning point that should not be missed." And its position is stated simply: "The Internet Society calls for ubiquitous encryption for the Internet. We strongly believe that this is the best foundation for trust in the digital economy, and we urge the G20 nations to stand behind encryption."
Whether that technical message makes it past the politics of terrorism is going to be hard to discern, but there is little doubt that a more secure online environment is going to be a healthier one financially, and ISOC and others will be hoping that money talks louder than fear.
Read this article:
Internet Society tells G20 nations: The web must be fully encrypted - The Register
Lack of encryption led to Dallas siren hack – WFAA
Dallas sirens hacked through radio frequencies
Landon Haaf and David Goins , WFAA 7:19 PM. CDT April 10, 2017
DALLAS - The city of Dallas confirmed Monday that a lack of encryption of the signal transmitted to 156 sirens led to the hack that kept Dallas residents awake late Friday and early Saturday.
City spokesperson Sana Syed confirmed to News 8 that city personnel had not set the system to use an encrypted signal before the sirens were activated for nearly 90 minutes.
Dallas City Manager T.C. Broadnax told reporters earlier Monday that the system was accessed over radio frequencies, not remotely through computer software.
"The issue was with how we transmitted our information and we've worked to close those gaps," Broadnax said.
All of the 156 outdoor warning sirens went off, starting at 11:42 p.m. Friday and lasting more than 90 minutes. City officials said Saturday that an apparent hack caused the sirens to go off, after first saying it was simply a system malfunction.
UPDATE: #Dallas sirens were not hacked via "computer software. This was a radio issue" says Broadnax. @wfaachannel8 pic.twitter.com/gXjS0kEBjV
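The article says only that the activation signal was sent without encryption and that the intrusion came in over radio. The page does not describe the actual activation protocol, so the following is an added example with a hypothetical model (not the city's system or any vendor's code): a legacy controller that acts on any well-formed command frame it hears, beside a controller that requires an HMAC tag and a strictly increasing counter. The key and frame layout are assumptions. It shows why a recorded frame can be replayed against the first design and rejected by the second; note that encryption alone would not help here, since a recorded ciphertext still decrypts to a valid command, so authenticity and freshness are what matter.

```python
import hashlib
import hmac
import struct

# Hypothetical command set for an outdoor-warning-siren radio link.
ACTIVATE = 0x01
SILENCE = 0x02


class LegacySirenController:
    """Acts on any well-formed command frame heard on the channel: no key,
    no freshness, so anything recorded off the air can be replayed."""

    def __init__(self):
        self.active = False
        self.activations = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 1:
            return False
        if frame[0] == ACTIVATE:
            self.active = True
            self.activations += 1
            return True
        if frame[0] == SILENCE:
            self.active = False
            return True
        return False


class AuthenticatedSirenController:
    """Accepts only frames carrying a valid HMAC-SHA256 tag over
    (counter, cmd) with a counter higher than the last one seen.
    Frame layout (assumed): 4-byte big-endian counter || 1-byte cmd || 16-byte tag."""

    TAG_LEN = 16

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.active = False
        self.activations = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 4 + 1 + self.TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[: self.TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # replay of an already-used frame
        self.last_counter = counter
        if cmd == ACTIVATE:
            self.active = True
            self.activations += 1
            return True
        if cmd == SILENCE:
            self.active = False
            return True
        return False


def build_frame(key: bytes, counter: int, cmd: int) -> bytes:
    """What the legitimate dispatcher transmits on the authenticated link."""
    body = struct.pack(">IB", counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[: AuthenticatedSirenController.TAG_LEN]
    return body + tag


def replay_demo() -> dict:
    """One legitimate activation on each link, then an attacker replays the
    recorded frame three times and tries to forge a fresh one without the key."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    legacy = LegacySirenController()
    auth = AuthenticatedSirenController(key)

    legacy_frame = bytes([ACTIVATE])
    auth_frame = build_frame(key, counter=1, cmd=ACTIVATE)
    legacy.receive(legacy_frame)
    auth.receive(auth_frame)

    legacy_replays = sum(legacy.receive(legacy_frame) for _ in range(3))
    auth_replays = sum(auth.receive(auth_frame) for _ in range(3))

    forged = build_frame(b"wrong-key", counter=2, cmd=ACTIVATE)
    forged_accepted = auth.receive(forged)

    return {
        "legacy_activations": legacy.activations,      # 4: one real + three replays
        "legacy_replays_accepted": legacy_replays,     # 3
        "auth_activations": auth.activations,          # 1
        "auth_replays_accepted": auth_replays,         # 0
        "forged_accepted": forged_accepted,            # False
    }


if __name__ == "__main__":
    for k, v in replay_demo().items():
        print(f"{k}: {v}")
```

The counter has to survive a controller reboot (persisted, not reset to zero) or an attacker can simply wait for a power cycle and replay old frames; a timestamp with a tolerance window is the usual alternative when the receiver has a trustworthy clock.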
On Monday, the Dallas office of emergency management said in a YouTube video that the system was fully operational.
"If we had to activate the system at any point in time, we safely could do that to alert our residents and guests of any severe weather or impending hazard," Dallas OEM staff member Kevin Oden said in the video.
Severe storms with the threat of hail and damaging winds are expected in the area Monday afternoon and evening.
Broadnax made his statement at the start of the Public Safety Committee meeting Monday.
Council member Philip Kingston made a motion to enter executive session -- a closed meeting -- to discuss the siren hack, and despite a unanimous vote in support, committee chair Adam Medrano opted not to after advice from the city attorney.
"I'm advising you not to do that" - #Dallas city atty on going into closed session on siren malfunction - says item hasn't been posted
Instead, Broadnax will present more information on the hack to the full council on Wednesday, but confirmed DPD and the FBI are leading the investigation.
"We need to improve, but someone intruded in our system," Broadnax said. "So had they not done something that is illegal, then in fact the notification and the issues wouldn't have occurred. We'll own what we need to own, and that is we'll work to improve our system. We've already done that over this weekend."
2017 WFAA-TV
View original post here:
Lack of encryption led to Dallas siren hack - WFAA
Why isn’t US military email protected by standard encryption tech? – Naked Security
One of the United States Senate's most tech-savvy members is asking why much of the US military's email still isn't protected by standard STARTTLS encryption technology.
Last month, Sen. Ron Wyden (D-Oregon) shared his concerns with DISA (the Defense Information Systems Agency), the federal organization that runs mail.mil for the US Army, Navy, Marines and the Coast Guard:
The technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet. STARTTLS is widely supported by email server software but, critically, it is often not enabled by default, meaning email server administrators must turn it on.
Wyden noted that major tech companies including Google, Yahoo, Microsoft, Facebook, Twitter, and Apple use STARTTLS, as do the White House, Congress, NSA, CIA, FBI, Director of National Intelligence, and Department of Homeland Security, but not DISA.
A 2015 Motherboard investigation originally uncovered the limited use of STARTTLS by U.S. government security agencies. Since then, Motherboard reports, many of the aforementioned agencies have started using STARTTLS but not DISA.
Wyden observed that until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromised by third parties.
Even if all the military messages sent through DISAs servers are unclassified, if Wyden is correct, this might conceivably give adversaries additional insights into the US militarys structure, decision-makers, and decision-making processes.
Early reports on Wyden's letter quoted DISA as saying that it would respond formally to him. DISA told Naked Security:
We are not at liberty to discuss specific tactics, techniques, and procedures by which DISA guards DOD email traffic. Email is one of the largest threat vectors in cyberspace. We can tell you that DISA protects all DOD entities with its Enterprise Email Security Gateway Solution (EEMSG) as a first line of defense for email security.
DISA's DOD Enterprise Email (DEE) utilizes the EEMSG for internet email traffic and currently rejects more than 85% of daily email traffic due to malicious behavior. DISA inspects the remaining 15% of email traffic to detect advanced, persistent cybersecurity threats. The Agency always makes deliberate risk-based decisions in the tools it uses for cybersecurity, to include email protocols for the DoD.
In the "news you can use" spirit, this might be a good time for a brief primer on STARTTLS. This SMTP extension (RFC 3207) partially remedies a fundamental shortcoming of the original SMTP protocol: it provided no way to signal that a connection should be secured as messages hop from server to server towards their destination.
With STARTTLS, the client first connects in cleartext on the usual SMTP port (25 for server-to-server relay, 587 for submission). The server advertises the STARTTLS keyword in its reply to the client's EHLO command, the client issues the STARTTLS command, and the two then perform a TLS handshake before any message data is sent. This is distinct from "implicit" TLS on port 465, where the TLS handshake happens before the SMTP dialogue begins.
STARTTLS isn't perfect. It can be vulnerable to downgrade attacks, in which an on-path attacker (a man-in-the-middle) strips the STARTTLS keyword from the server's EHLO reply. Seeing no offer, the client sends its message over the cleartext connection, just as it would have if STARTTLS never existed. The way to close that gap is for the receiving domain to publish a policy that requires TLS, such as DANE for SMTP (RFC 7672) or MTA-STS (RFC 8461), so that a sending server treats a missing STARTTLS offer as a delivery failure rather than a fallback. Without such a policy, as the Internet Engineering Task Force (IETF) puts it, this "opportunistic security" approach offers some protection most of the time.
IETF says protocols like STARTTLS are:
not intended as a substitute for authenticated, encrypted communication when such communication is already mandated by policy (that is, by configuration or direct request of the application) or is otherwise required to access a particular resource. In essence, [they are] employed when one might otherwise settle for cleartext.
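The negotiation and the downgrade described above, as an added example that is not code from the article: the server's EHLO reply is constructed inline in the RFC 5321 form (`250-` continuation lines, then a final `250 ` line), an attacker function deletes the STARTTLS advertisement, and two clients react to the result, one opportunistically and one that enforces a TLS-required policy of the kind DANE or MTA-STS would express. Host and mailbox names (mail.example.net, client.example.org, alice@example.org) are assumptions. `probe_starttls` is the live check a practitioner would run against a real MX using only `smtplib`'s public API; it is not invoked here.

```python
import smtplib

# Constructed EHLO reply from a server that offers STARTTLS (hostnames assumed).
SERVER_EHLO_REPLY = [
    "250-mail.example.net Hello client.example.org",
    "250-SIZE 52428800",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 ENHANCEDSTATUSCODES",
]


def parse_ehlo_extensions(reply):
    """Return the set of EHLO keywords advertised in a multi-line 250 reply.
    Line 0 is the greeting; '250-' marks a continuation line, '250 ' the last one."""
    exts = set()
    for i, line in enumerate(reply):
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError(f"malformed EHLO reply line: {line!r}")
        if i > 0:
            exts.add(line[4:].split()[0].upper())
        if line[3] == " ":
            break
    return exts


def strip_starttls(reply):
    """The downgrade attack: an on-path attacker removes the STARTTLS line
    before the client sees it, fixing up the final-line marker so the
    reply still parses as a well-formed EHLO response."""
    kept = [l for l in reply if l[4:].split()[:1] != ["STARTTLS"]]
    if kept and kept[-1].startswith("250-"):
        kept[-1] = "250 " + kept[-1][4:]
    return kept


def opportunistic_client(reply):
    """Opportunistic TLS (RFC 7435): use STARTTLS when offered, otherwise fall
    back to cleartext. This fallback is exactly what the downgrade exploits."""
    return "STARTTLS" if "STARTTLS" in parse_ehlo_extensions(reply) else "CLEARTEXT"


def enforcing_client(reply):
    """Client sending to a domain whose policy requires TLS: a missing offer
    is a failure, so delivery is deferred rather than attempted in the clear."""
    return "STARTTLS" if "STARTTLS" in parse_ehlo_extensions(reply) else "ABORT"


def transcript(client, reply):
    """Both sides of the exchange up to the point where the client commits."""
    decision = client(reply)
    lines = ["C: EHLO client.example.org"] + [f"S: {l}" for l in reply]
    if decision == "STARTTLS":
        lines += ["C: STARTTLS",
                  "S: 220 2.0.0 Ready to start TLS",
                  "   (TLS handshake; the SMTP dialogue restarts inside the tunnel)"]
    elif decision == "CLEARTEXT":
        lines += ["C: MAIL FROM:<alice@example.org>   (message will cross the wire unencrypted)"]
    else:
        lines += ["C: QUIT   (policy requires TLS; deferring delivery)"]
    return decision, lines


def probe_starttls(host, port=25, timeout=10):
    """Live check against a real MX (not run in this example): does its EHLO
    reply advertise STARTTLS?"""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("starttls")


if __name__ == "__main__":
    scenarios = (("honest server", SERVER_EHLO_REPLY),
                 ("downgraded reply", strip_starttls(SERVER_EHLO_REPLY)))
    for name, client in (("opportunistic", opportunistic_client),
                         ("enforcing", enforcing_client)):
        for label, reply in scenarios:
            decision, lines = transcript(client, reply)
            print(f"== {name} client, {label}: {decision}")
            print("\n".join(lines))
            print()
```

Run it and the contrast is the whole point of the article's primer: against the honest reply both clients negotiate TLS, but once the STARTTLS line is gone the opportunistic client proceeds with `MAIL FROM` in the clear while the enforcing client refuses. The probe only tells you the offer is present on the path you tested; it cannot tell you that no one is stripping it elsewhere.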
For context, Google reports that 88% of the Gmail messages it sends to other providers are now encrypted via TLS (in other words, both Google and the other provider support TLS/STARTTLS encryption); 85% of messages inbound to Gmail are encrypted.
Would STARTTLS offer value in securing the military communications DISA manages through mail.mil? From the outside, it's easy to say "yes". But it sure would be fascinating to hear the technical conversation between DISA's security experts and Senator Wyden's.
Email service providers are caught on the horns of a dilemma, it seems. Naked Security's Paul Ducklin says:
STARTTLS only deals with server-to-server encryption of the SMTP part, so it isn't a replacement for end-to-end encrypted email in environments where that's appropriate. In other words, there are situations in which you may be able to make a strong case for not needing STARTTLS. But my opinion is that it's easier just to turn on STARTTLS anyway; just think of all the time you'll save not having to keep explaining that strong case of yours.
As for you: if you aren't using STARTTLS wherever it's available to you, why not?
Read the rest here:
Why isn't US military email protected by standard encryption tech? - Naked Security