Gemalto has introduced the latest in its encryption key offerings with the launch of Hold Your Own Key (HYOK) functionality for Microsoft Azure Information Protection customers.

The HYOK, part of Gemaltos SafeNet Luna Hardware Security Modules (HSMs), provides highly regulated organisations a way to manage, own and store their encryption keys in on-premise HSMs.

They can also securely share data with complete control over their keys, which the company says will allow enterprises to align data protection policies and business processes without comprising data security.

"Organisations using Microsoft Azure Information Protection services now have access to the convenient security features they're used to, without having to hand over ownership and control of their encryption keys to their cloud provider," comments Todd Moore, SVP of Encryption Products at Gemalto.

HYOK functionality can also be tied to Microsofts Active Directory Rights Management Services (AD RMS). The AD RMS can be used to form protection policies for top secret data and Azure RMS protection policies for sensitive data.

Azure Information Protection can enable secure internal and external collaboration. The SafeNet Luna HSM integration with the Azure Information Protection HYOK feature requires no change to the user experience or deployments.

Organisations can also control access to sensitive data by defining protection policies and use rights while all information protection features such as document tracking and revocation are also preserved.

"Combining the SafeNet Luna HSM with the Azure Information Protection's HYOK functionality, customers can continue to deploy customized data protection controls without compromising security or operational transparency of a user's applications, Moore says.

Dan Plastina, Microsofts partner director of Information and Threat Protection, says that the partnership offers specialised and integrated protection.

"Microsoft Azure Information Protection enables selective use of on-premises AD RMS services in a Hold-Your-Own-Key configuration (HYOK) for customers with deeply regulated data. Gemalto's SafeNet Luna HSMs seamlessly integrate with this hybrid Azure Information Protection configuration providing customers the full spectrum of specialised protection they need, he says.

Read more:
SecurityBrief NZ - Gemalto introduces on-prem encryption key solution for 'highly regulated' organisations - SecurityBrief NZ

Photonics.com Mar 2017 OXFORD, England, March 21, 2017 A device that can send unbreakable secret keys from a handheld device to a terminal could keep users' personal financial information more secure and safer in the event of a cyber-attack.

Researchers from Oxford University are using ultrafast LEDs and moveable mirrors to send a secret key from a device at a rate of more than 30 kilobytes per second over a distance of 0.5 meters.

"The idea is that this gadget would be a mobile object that talks to something that is fixed," said Iris Choi of Oxford University. If integrated into a cellphone, for example, the device could allow secure links to near-field communications mobile payment systems and indoor Wi-Fi networks.

The technology is a quantum key distribution system that relies on characteristics of a single photon to provide a bit a 1 or a 0 to build up a cryptographic key that can encrypt and decrypt information. Quantum keys are considered secure; if someone intercepts the quantum bits and then passes them on, the very act of measuring them alters them.

The system contains six resonant-cavity LEDs, which provide overlapping spectra of light. Each of the six is filtered into a different polarization, split into pairs to represent 1s and 0s. The circularly polarized LEDs provide the bits for the key, while the other pairs are used to measure the security of the channel and provide error correction. Every four nanoseconds, one of the channels produces a one-nanosecond pulse in a random pattern. On the other end, six polarized receivers pick up the light from their matching LEDs and convert the photons into the key.

The researchers equipped both the transmitter and the receiver with filters that select only a portion of the light, so they all shine with the exact same color, regardless of which polarization they produce. This feature in and of itself should deter hackers from breaking the code.

A quantum key must be long enough to ensure that an adversary cannot hack it simply by guessing randomly. This requires the system to transmit a large number of bits in less than a second. Achieving that high data transmission rate also requires that most of the photons get to where they're supposed to go. The Oxford prototype addresses this need through its innovative steering system.

Even someone trying to hold perfectly still has some motion in his hand. The research team measured this motion by looking at how the spot of a laser pointer moved as a person tried to hold it steady. They then optimized design elements of the beam-steering system, such as bandwidth and field of view, to compensate for hand movement.

To help the detector properly align with the transmitter and further correct for hand movement, both the receiver and the transmitter contain a bright LED with a different color than the quantum key distribution LED that acts as a beacon. A position-sensing detector on the other side measures the precise location of the beacon and moves a microelectromechanical systems (MEMS) mirror to align the incoming light with the fiber optics of the detector.

The team tested their idea with a handheld prototype made from off-the-shelf equipment. Choi said the design likely could be easily miniaturized in order to turn the system into a practical component for a mobile phone.

The Oxford teams research has been published in the Optical Society (OSA) journal Optics Express (doi.org/10.1364/OE.25.006784).

See the original post here:
Quantum Key System Uses Unbreakable Light-Based Encryption to Secure Data - Photonics.com

Usually I try to write articles that are not aimed at a particular distribution. Although I may give examples assuming a Debian-based distribution, whenever possible, I try to make my instructions applicable to everyone. This is not going to be one of those articles. Here, I document a process I went through recently with Debian preseeding (a method of automating a Debian install, like kickstart on Red Hat-based systems) that I found much more difficult than it needed to be, mostly because documentation was so sparse. In fact, I really found only two solid examples to work from in my research, one of which referred to the other.

In this article, I describe how to preseed full-disk encryption in a Debian install. This problem came up as I was trying to create a fully automated "OEM" install for a laptop. The goal was to have an automated boot mode that would guide users through their OS install and use full-disk encryption by default, but would make the process as simple as possible for users. Normally, unless you are going to encrypt the entire disk as one big partition, the Debian installer makes you jump through a few hoops to set up disk encryption during an install.

In my case, I couldn't just use the full disk, because I needed to carve off a small section of the disk as a rescue partition to store the OEM install image itself. My end goal was to make it so users just had to enter their passphrase, and it would set up an unencrypted /boot and rescue disk partition and an encrypted / and swap. As an additional challenge, I also wanted to skip the time-consuming disk-erasing process that typically happens when you enable disk encryption with Debian, since the disk was going to be blank to start with anyway.

Unfortunately, although there is a lot of documentation on how to automate ordinary partitioning and LVM with preseeding (I actually wrote a whole section on the topic myself in one of my books), I had a hard time finding much documentation on how to add encryption to the mix. After a lot of research, I finally found two posts (and as I mentioned, one of them referenced the other) that described the magic incantation that would enable this. Unfortunately, the only supported mode for encrypted disks in Debian preseed requires the use of LVM (something I confirmed later when I read the source code responsible for this part of the install). That's not the end of the world, but it would have been simpler in my mind if it didn't have that requirement.

Since you need a basic unencrypted /boot partition to load a kernel and prompt the user for a passphrase, I had to account for both and preserve a small 2GB rescue disk partition that already was present on the disk. After that, the remaining / and swap partitions were encrypted. Here is the partition section of the preseed config:

Read the original:
Preseeding Full Disk Encryption - Linux Journal

Today, a Brooklyn-based Secret Service agent learned what those of us without security clearance have known for years: Dont leave a laptop in your car if you dont want it to be stolen.

Law enforcement sources told both ABC and The New York Daily News on Friday that a laptop containing private informationincluding the floor plans for Trump Tower and information on the criminal investigation against Hilary Clintons use of a private email serverwas stolen from a Secret Service agents car.

This is how the Daily News described the crime:

The thief stepped out of a car, possibly an Uber, on a street in Bath Beach and stole the laptop from the agents vehicle, which was parked in the driveway of her home.

He was then seen on video walking away from the scene with a backpack.

The agent reported the laptop contained floor plans for Trump Tower, evacuation protocols and information regarding the investigation of Hillary Clintons private email server.

The agent also told investigators that while nothing about the White House or foreign leaders is stored on the laptop, the information on there could compromise national security.

Despite reports that the Secret Service is privately FREAKING and scrambling like mad, however, the agency is totally not panicking over this. Like, not at all.

In addition to telling ABC that the laptop can be wiped remotely, the agency assured the public in a statement that Secret Service issued laptops contain multiple layers of security including full disk encryption and are not permitted to contain classified information.

Im trying to reconcile how not having classified information on a laptop and having information that could compromise national security can exist in the same timeline, but the Secret Service says its no big deal, its all fine. Everything is just fine.

[The New York Daily News]

Read the original post:
Panicked Secret Service Says It Lost Encrypted Laptop But It's Fine, Everything's Fine - Gizmodo

If the tech industry is drawing one lesson from the latest WikiLeaks disclosures, it's that data-scrambling encryption works, and the industry should use more of it.

Documents purportedly outlining a massive CIA surveillance program suggest that CIA agents must go to great lengths to circumvent encryption they can't break. In many cases, physical presence is required to carry off these targeted attacks.

"We are in a world where if the U.S. government wants to get your data, they can't hope to break the encryption," said Nicholas Weaver, who teaches networking and security at the University of California, Berkeley. "They have to resort to targeted attacks, and that is costly, risky and the kind of thing you do only on targets you care about. Seeing the CIA have to do stuff like this should reassure civil libertarians that the situation is better now than it was four years ago."

More Encryption

Four years ago is when former NSA contractor Edward Snowden revealed details of huge and secret U.S. eavesdropping programs. To help thwart spies and snoops, the tech industry began to protectively encrypt email and messaging apps, a process that turns their contents into indecipherable gibberish without the coded "keys" that can unscramble them.

The NSA revelations shattered earlier assumptions that internet data was nearly impossible to intercept for meaningful surveillance, said Joseph Lorenzo Hall, chief technologist at the Washington-based civil-liberties group Center for Democracy & Technology. That was because any given internet message gets split into a multitude of tiny "packets," each of which traces its own unpredictable route across the network to its destination.

The realization that spy agencies had figured out that problem spurred efforts to better shield data as it transits the internet. A few services such as Facebook's WhatsApp followed the earlier example of Apple's iMessage and took the extra step of encrypting data in ways even the companies couldn't unscramble, a method called end-to-end encryption.

Challenges for Authorities

In the past, spy agencies like the CIA could have hacked servers at WhatsApp or similar services to see what people were saying. End-to-end encryption, though, makes that prohibitively difficult. So the CIA has to resort to tapping individual phones and intercepting data before it is encrypted or after it's decoded.

It's much like the old days when "they would have broken into a house to plant a microphone," said Steven Bellovin, a Columbia University professor who has long studied cybersecurity issues.

Cindy Cohn, executive director for Electronic Frontier Foundation, a group focused on online privacy, likened the CIA's approach to "fishing with a line and pole rather than fishing with a driftnet."

Encryption has grown so strong that even the FBI had to seek Apple's help last year in cracking the locked iPhone used by one of the San Bernardino attackers. Apple resisted what it considered an intrusive request, and the FBI ultimately broke into the phone by turning to an unidentified party for a hacking tool --" presumably one similar to those the CIA allegedly had at its disposal.

On Wednesday, FBI Director James Comey acknowledged the challenges posed by encryption. He said there should be a balance between privacy and the FBI's ability to lawfully access information. He also said the FBI needs to recruit talented computer personnel who might otherwise go to work for Apple or Google.

Government officials have long wanted to force tech companies to build "back doors" into encrypted devices, so that the companies can help law enforcement descramble messages with a warrant. But security experts warn that doing so would undermine security and privacy for everyone. As Apple CEO Tim Cook pointed out last year, a back door for good guys can also be a back door for bad guys. So far, efforts to pass such a mandate have stalled.

Still a Patchwork

At the moment, though, end-to-end encrypted services such as iMessage and WhatsApp are still the exception. While encryption is far more widely used than it was in 2013, many messaging companies encode user data in ways that let them read or scan it. Authorities can force these companies to divulge message contents with warrants or other legal orders. With end-to-end encryption, the companies wouldn't even have the keys to do so.

Further expanding the use of end-to-end encryption presents some challenges. That's partly because encryption will make it more difficult to perform popular tasks such as searching years of emails for mentions of a specific keyword. Google announced in mid-2014 that it was working on end-to-end encryption for email, but the tools have yet to materialize beyond research environments.

Instead, Google's Gmail encrypts messages in transit. But even that isn't possible unless it's adopted by the recipient's mail system as well.

And encryption isn't a panacea, as the WikiLeaks disclosures suggest.

According to the purported CIA documents, spies have found ways to exploit holes in phone and computer software to grab messages when they haven't been encrypted yet. Although Apple, Google and Microsoft say they have fixed many of the vulnerabilities alluded to in the CIA documents, it's not known how many holes remain open.

"There are different levels where attacks take place, said Daniel Castro, vice president with the Information Technology and Innovation Foundation. "We may have secured one level (with encryption), but there are other weaknesses out there we should be focused on as well."

Cohn said people should still use encryption, even with these bypass techniques.

"It's better than nothing," she said. "The answer to the fact that your front door might be cracked open isn't to open all your windows and walk around naked, too."

2017 Associated Press under contract with NewsEdge/Acquire Media. All rights reserved.

The rest is here:
What the CIA WikiLeaks Dump Tells Us: Encryption Works - NewsFactor Network