Category Archives: Encryption

EU urged to prepare for quantum cyberattacks with coordinated action plan – CSO Online

The European Union (EU) must prepare for quantum cyberattacks and adopt a new coordinated action plan to ensure a harmonized transition to post-quantum encryption, according to a new discussion paper written by Andrea G. Rodríguez, lead digital policy analyst at the European Policy Centre.

Advances in quantum computing put Europe's cybersecurity at risk by rendering current encryption systems obsolete and creating new cybersecurity challenges, Rodríguez wrote. The point at which quantum computers can break the public-key algorithms in use today is often called "Q-Day", and some experts estimate it will arrive within the next five to ten years, potentially leaving all digital information protected only by current encryption protocols vulnerable to malicious actors. For Europe to be serious about its cybersecurity ambitions, it must develop a quantum cybersecurity agenda, Rodríguez stated, "sharing information and best practices and reaching a common approach to the quantum transition" across member states.

Quantum computing will disrupt online security by compromising cryptography or by facilitating cyberattacks such as those on digital identities, Rodríguez wrote. "Cyberattacks on encryption using quantum computers would allow adversaries to decode encrypted information, interfere with communications, and access networks and information systems without permission, thereby opening the door to stealing and sharing previously confidential information," she warned.

"Given that the prospects of a cryptographically significant quantum computer - one able to break encryption - are not a question of if but rather when, cybercriminals and geopolitical adversaries are rushing to obtain sensitive encrypted information that cannot be read today to be de-coded once quantum computers are available." These attacks, known as "harvest now, decrypt later" attacks, are already a risk to European security: traffic recorded today whose session keys were exchanged with RSA or elliptic-curve algorithms can be decrypted retroactively once those algorithms fall, so what matters is how long the data stays sensitive, not the date of Q-Day itself.

The impact of quantum computing on Europe's cybersecurity and data protection has been mainly left out of the conversation despite sporadic mentions in some policy documents such as the 2020 EU Cybersecurity Strategy or the 2022 Union Secure Connectivity Programme, Rodríguez said.

The US arguably leads the transition to post-quantum cybersecurity, in which post-quantum cryptography will be the protagonist, according to Rodríguez. The National Institute of Standards and Technology (NIST) has initiated a standardization process for post-quantum cryptography algorithms, while the Quantum Cybersecurity Preparedness Act, established in 2022, sets up a roadmap to migrate government information to post-quantum cryptography, Rodríguez wrote.

"In 2023, the new US National Cybersecurity Strategy established protection against quantum cyberattacks as a strategic objective. This priority encompasses the use of post-quantum cryptography and the need to replace vulnerable hardware, software, and applications that could be compromised."

Meanwhile, the EU's efforts to secure information from quantum cyberattacks lack a clear strategy for dealing with short-term threats, she added. The limited attention at EU level to mitigating short-term quantum cybersecurity challenges, especially harvest attacks and quantum attacks on encryption, leaves member states as the frontline actors in the quantum transition, Rodríguez said. "As of 2023, only a few EU countries have made public plans to counter emerging quantum cybersecurity threats, and fewer have put in place strategies to mitigate them, as in the case of Germany."

As quantum computers develop, European action will be needed to prevent cybersecurity loopholes that can be used as attack vectors and to ensure that all member states are equally resilient to quantum cyberattacks. "A Coordinated Action Plan on the quantum transition is urgently needed that outlines clear goals and timeframes and monitors the implementation of national migration plans to post-quantum encryption," Rodríguez claimed.

Such a plan would bridge the gap between the far-looking objective of establishing a fully operational European Quantum Communication Infrastructure (EuroQCI) network and the current needs of the European cybersecurity landscape to respond to short-term quantum cybersecurity threats. Europe can also leverage the expertise of national cybersecurity agencies, experts, and the private sector by establishing a new expert group within ENISA where seconded national experts in post-quantum encryption can exchange good practices and encourage the establishment of migration plans, Rodr?guez wrote.

Rodríguez's paper sets out six recommendations for an EU quantum cybersecurity agenda.

Continue reading here:
EU urged to prepare for quantum cyberattacks with coordinated action plan - CSO Online

Content Moderation, Encryption, and the Law – Tech Policy Press

Audio of this conversation is available via your favorite podcast service.

One of the most urgent debates in tech policy at the moment concerns encrypted communications. At issue in proposed legislation, such as the UK's Online Safety Bill or the EARN IT Act put forward in the US Senate, is whether such laws break the privacy promise of end-to-end encryption by requiring content moderation mechanisms like client-side scanning. But to what extent are such moderation techniques legal under existing laws that limit the monitoring and interception of communications?

Today's guest is James Grimmelmann, a legal scholar with a computer science background who, along with Charles Duan, recently conducted a review of various moderation technologies to determine how they might hold up under US federal communication privacy regimes including the Wiretap Act, the Stored Communications Act, and the Communications Assistance for Law Enforcement Act (CALEA). The conversation touches on how technologies like server-side and client-side scanning work, the extent to which the law may fail to accommodate or even contemplate such technologies, and where the encryption debate is headed as these technologies advance.

What follows is a lightly edited transcript of the discussion.

Justin Hendrix:

James, I'm happy to have you back on the podcast, this time to talk about a paper that I believe is still in the works, "Content Moderation on End-to-End Encrypted Systems: A Legal Analysis," with your co-author, Charles Duan.

I would love to just get you to, in your own words, say why it is you chose at this moment to set out to write this piece of work.

James Grimmelmann:

So this comes out of work that some of my colleagues at Cornell Tech have been doing. Tom Ristenpart, who's a computer scientist, and his group have been working on, let's call it, online safety with the technologies people use now.

So one branch of their work, which has been very influential, deals with securing people's devices in cases that involve intimate partner abuse. Those are cases where the threats are literally coming from inside the house and the abusers may have access to people's devices in ways that traditional security models didn't include.

Another major strand that Tom and his team have been working on has to do with abuse prevention in end-to-end encrypted systems. So encrypted messaging is where the message is scrambled in a way so that nobody besides the sender and recipient can read it. Well, if you're sending that message through a server, through email or through a messaging system like Facebook Messenger or WhatsApp or Signal, then the question arises: is the message encrypted on its way from you to the Facebook servers and then from Facebook servers to its recipient, or is it encrypted in a way that not even Facebook can read it?

If it's encrypted in a way that only you and the person you're sending it to can read it, and Facebook sees it as just an equally random string of gibberish, that's called end-to-end encryption.

And this has been promoted as an important privacy-preserving technology, especially against government agencies and law enforcement that might try to surveil communications or have the big platforms do it for them. A challenge, however, with end-to-end encrypted messaging is that it can be a vector for abuse.

If the platform can't scan its contents, it can't look for spam or scams or harassment. Somebody who sends you harassing messages through Facebook Messenger, you'll receive it. But Facebook's detectors won't know it. And if you try to report it to Facebook, then Facebook doesn't have direct evidence of its own that this was actually received through its platform. It's open to potential false reports of abusive messaging.

And so in that context, Tom and other computer scientists have been trying to find techniques to mitigate abuse. How can you report abusive messages to a platform? Or if you're a member of a group that uses encrypted communications for all members of the group, and some platforms do now have encrypted group chats, how can you and the other participants say, so-and-so is being a jerk in our community, we don't want further messages from them? And so there's this broad heading of computer science work on abuse mitigation in end-to-end encrypted communications.

Long background on a bunch of computer science stuff; I am here as the law-talking guy. So my postdoc Charles and I (he, like me, has a background in computer science as well as law) have been working with the computer scientists on the legal angles to this.

And in particular, Charles and I have been asking, do these abuse prevention mechanisms comply with communications privacy law? There are laws that prohibit wiretapping or unauthorized disclosure of stored electronic communications. Do these techniques for preventing abusive communications comply with the various legal rules that aim to preserve privacy?

Because in many ways, it would be a really perverse result if people using a technology designed to preserve their privacy can't also use a technology that makes that messaging safe, because they would be held to have violated each other's privacy. There's something very backwards about that result, but our communications privacy laws are so old that it takes a full legal analysis to be certain that this is safe to do.

So our draft, which is very long, goes through a lot of those legal details.

Justin Hendrix:

So I want to get into some of the questions that you pose, including some of the normative questions that you address towards the end of the paper, which pertain to news-of-the-moment questions around the Online Safety Bill in the UK, for instance, and the fight over encryption that's happening there, et cetera.

I do want to give the paper its due and go through what you've tried to do methodically on some level. But I do want to start perhaps with that last point you just made, which is this idea that these technologies, encrypted messaging apps, are a different generation of communications technology that the law didn't anticipate.

Is that broadly true in your view?

James Grimmelmann:

That's probably true. Our communications privacy laws were written, literally, with previous generations of technology in mind. It's called wiretapping because this applies to wire communications, which is a telegraph or a telephone that has a physical wire running, ultimately, from one person to the other.

And we still use that terminology. And there are still a lot of assumptions from older technologies baked into how the laws are written and the concepts that they use.

Justin Hendrix:

So let's talk about the spate of laws that you looked at here. You looked at the Wiretap Act; the Stored Communications Act; Pen Registers and Trap and Trace Devices; the Computer Fraud and Abuse Act; and the Communications Assistance for Law Enforcement Act, CALEA, as some folks will know it. Are there other laws that perhaps you'll have to look at in the final analysis?

James Grimmelmann:

So we've been taking this paper around to conferences, and we got excellent feedback that we also need to address mandatory reporting laws around child sexual abuse material. Because those too impose certain obligations on telecommunications providers, or possibly participants, when they become aware of certain kinds of material, and so moderation techniques that could make them aware of those materials definitely trigger the obligations of those laws. I think it's ultimately the five you mentioned plus the CSAM laws.

Justin Hendrix:

So lets talk about the moderation approaches. And maybe it would be helpful for us to just go through them one by one. And in your words, if you can offer a description of what these technologies are.

James Grimmelmann:

Okay, let's start with message franking, which is really a technique designed to address the kind of scenario I mentioned to you before. You're using an end-to-end encrypted messaging system, and somebody sends you something abusive.

Pictures of their genitals, repeated messages saying, I hope you die, something that you really don't want to receive. And the technical challenge that it's trying to solve is how do you make this reportable to the platform so the platform can help you without undermining the privacy guarantees of end-to-end encrypted messaging in the first place.

And the solution, which is incredibly ingenious technically, is to allow for a kind of verified reporting in which the recipient of a message can send a report to the platform that is provably based upon actual messages. The recipient can't forge the message and say, "Oh, this person sent me this abusive content," when they didn't actually send it.

So the sender is locked in. They are committed to anything that they send. And if the recipient decides it's abusive, they can report it. At the same time, the platform should learn nothing unless the recipient actually chooses to make a report, unless and until that person says, "I didn't want to receive this. This violates platform policies." The platform should be able to tell nothing about the message at all. And it turns out that by basically putting a couple of well-designed electronic signatures on each message, you can design a system that does this. It's called message franking, the idea being that you frank a message with a stamp, and the rubber stamp carries all the information the platform and recipient will later need in case of an abuse report.

And I'm lumping forward tracing together with message franking because it's basically an extension of it. In forward tracing, if a message is reported as abusive, the platform can trace it back not to the person who sent that specific message, but to everybody before them in a chain if it was forwarded, and that might be relevant.

If a message gets forwarded to somebody who says, this is actually illegal material that I did not want to be involved with, the platform can then run it back to the original sender who introduced it to the network, which could be useful in rooting out somebody who is using it for abusive purposes.

So basically, it's a clever application of cryptographic techniques that have been invented in this millennium, after all of the communications privacy laws we discussed were drafted.

Justin Hendrix:

And which of the encrypted messaging apps that folks are familiar with at the moment are using this technique?

James Grimmelmann:

So it's basically research stage. Facebook is the one that is leading the way in terms of developing this technology. Facebook's research arm was one of the original creators of one of the original message franking proposals. So they're the one that has invested the most in making this workable.

Justin Hendrix:

And of course, Facebook intends to make its Messenger encrypted by the end of the year, it's promised. So perhaps it's interested in doing so alongside the introduction of technologies like this. Let's talk about whether this comports with the various laws and frameworks that you've assessed. How does it stand up when you look back at the statute?

James Grimmelmann:

So this is an answer I'll probably give you repeatedly, which is, we think it's okay, but we're less certain about that than we would like to be.

So let's take the Wiretap Act. The Wiretap Act, as you might expect, prohibits intercepting electronic communications in a way that lets you learn their contents. And the classic case here is like the literal wiretap, plugging into a phone cable. Or also connecting to a network box and just grabbing a copy of somebody's incoming email in flight as it arrives.

And it might seem like, well, there's no interception here because only when there's an actual abuse report made to the platform does the platform learn the contents of a message, but it's not quite that clean, because the definition of contents in the Wiretap Act is quite broad. The statute defines it as any information concerning the substance, purport, or meaning of a communication.

And there's a non-frivolous argument that this little franking tag, the little stamp that the platform applies to each message, actually does contain some information about the substance of the message. It does allow the platform to verify the message's authenticity, and there are courts that have expressed at least doubt about whether this kind of metadata that verifies a message's contents is in fact itself also contents. And if you go down that road, you wind up then asking a whole bunch of other statutory questions under the Wiretap Act. Does the participation of the platform in applying the franking tag to a message as it gets sent through from sender to recipient, is that an interception under the statute? Again, textually, a hard question. And then, perhaps most interestingly, and this one really opens up a thorny set of issues:

Should we think about the participants in this communication as having consented to this process? Should the sender of the message be able to say, "Wait a minute. I didn't consent to all of this cryptographic mumbo jumbo that you did when I sent a message. I did not consent to the steps necessary to verify me as the sender. I thought I was using a completely encrypted end-to-end messaging system. I did not agree to any of this."

And from one perspective, this is a bad argument for a person sending abusive messages to make. But from another, they do have a point that this does not completely comport with the way that end to end encrypted messaging is used in the broad public discourse.

If you think of it as meaning no one besides you and the recipient can ever learn anything about your message, then this is a small inroad on the privacy guarantees of E2EE.

Justin Hendrix:

So we're going to come back to that last comment, I think, more than once as we go through this, and perhaps we'll address it in the summary conversation as well, because I think you might be able to say that about each of these things.

But next you go to server-side automated content scanning. A lot of folks like to toss out this phrase, homomorphic encryption. I liked the somewhat artful description you have of this technique where the server learns nothing. I'll read it.

Imagine a blindfolded chef wearing thick mittens who follows instructions to take things out of a box, chop them up, put them in the oven for an hour at 350 degrees, and then put it back in the box. This chef can roast vegetables for you, but doesn't learn whether you were roasting potatoes or parsnips. It's a pretty good description, I suppose, of how this is supposed to work, technically.

Lets talk first, perhaps, about whether this technology works at all.

James Grimmelmann:

So, homomorphic encryption is another one of these really interesting modern developments in cryptography.

The idea is that you can perform a computation on some data without learning anything about the data. And this seems like a kind of pointless thing to do if it's just you working with your own data. But if you have some untrusted party who has a lot of processing capacity and you want them to do some work for you, it's actually quite valuable. Like if the chef can run an efficient enough kitchen, we might all hand off our vegetables to them to do this for us. And in particular, homomorphic encryption could be used to scan content for matching against certain kinds of databases, like CSAM (child sexual abuse material) registries, or certain kinds of spam detection, without letting the person doing the scanning know that it has been scanned in that way.

And you might think, well, what's the point then? Well, you can modify the message being transmitted to flag it for the recipient, so that before you open that picture of somebody's genitals, you might get a warning saying the attached image appears to be of somebody's genitals. Do you wish to proceed? And that would actually be a meaningful anti-abuse factor, that the server does this matching against a complicated model for you.

You don't have to have the whole huge database of these pictures on your device, and you might not be in a position to do it yourself easily. The platform can do this to help warn people about the messages that they're receiving.

Justin Hendrix:

Is this a legal technology, at least according to the laws that you reviewed?

James Grimmelmann:

Again, we think it's legal, but we're not as certain as we would like to be. Take the Wiretap Act analysis. The platform can do things that manipulate the message. Once again, we're in that world of asking, is it receiving contents? Here, the argument against liability depends, I think, on some of the exceptions to Wiretap Act liability that the Act includes in it.

So, for example, the Wiretap Act has this exception for the ordinary course of business, in which platforms can inspect messages as part of their ordinary operations, and platforms routinely do spam detection and antivirus scanning on our message attachments already. So this seems to fit within the class of things that they already do.

The analysis under the other statutes is also pretty good. One of the nice things about this kind of encryption is that platforms don't retain any information once they do the processing. They send it out, it leaves their system. That means that they are not retaining the kinds of stored communications that could trigger the Stored Communications Act.

Thank you. We like it. We would like this to be legal. We think it is. We don't have 100% certainty.

Justin Hendrix:

And is it the case, based on your review, that this technology is still fragile, still unlikely to work at scale?

James Grimmelmann:

It's not scalable currently. Ordinary computation is fast. Applying and removing encryption is reasonably fast.

Homomorphic encryption is kind of slow. The work you have to do in order to compile your computation down into the kind of thing you can do blindfolded with mittens on makes it a lot less efficient. It's not surprising. Anything you do wearing thick, heavy gloves is going to be a lot less effective because you can't feel what you're doing.

And so it's not a scale-worthy technology yet, but it's possible enough that it might be that it's worth thinking in advance about its legality.

Justin Hendrix:

So next we'll talk about what is, you know, perhaps the most discussed potential form of content moderation for encrypted messaging apps these days, client-side automated content scanning.

Of course, Apple proposed one such system. Apparently the UK Home Office is funding the development of prototypes in this space, perhaps in anticipation of the potential passage of the Online Safety Bill there. How does client side scanning work? Do you have another cooking metaphor that could explain this one to us?

James Grimmelmann:

Not quite as elegantly. Client-side scanning is really: you have the client that you are using to send messages, so the Facebook Messenger app or the Signal app or Apple's messaging app would perform some kind of computation, some check of your content on the device before it's sent or when it's received, and the scanning then can flag, either for the user or for some external authority, whether it matches against some database of concerning communications.

Justin Hendrix:

And is it legal?

James Grimmelmann:

This gets really complicated, in part because of the diversity of these systems. There are a lot of different architectures. Some of them involve trying to scan against databases without revealing to the client what's in the database. Because if you figure a database is of prohibited content, you can't just give everybody a complete copy of the things you're not supposed to have.

And also because they involve communications, that is, if I'm trying to query what I've got on my device against some database of things, it may involve sending a digest of what I've got out to the network and back. And does that process constitute an interception? This brings us back to the same kinds of questions we asked when we were doing message franking.

Have I, as the user of this app, consented to have my data scanned in this way? And possibly to have some flag about its status being sent to the third party who's providing this app? Again, this is a hard question. I don't think you can answer it fully on the technical side. You can't just say, well, because this app works this way and you ran the app, you consented to it.

That same argument would say you consented to spying on your phone. But you also can't just say, well, I didn't want this, so there's no consent. At some point, people have to know how the software they've chosen to run, as it's been explained to them, works, or we have, you know, serious computer law violations every time anybody is surprised by an app feature. So it's going to be very fact-dependent in a slightly uncomfortable way.

Justin Hendrix:

You've mentioned there's some variability in terms of how these client-side scanning schemes work. Are there versions of client-side scanning that you are more comfortable with than others?

Are there those that you've seen that you would regard as, you know, potentially spyware or very concerning from a privacy standpoint, and ones that perhaps, I guess, are a little more responsible?

James Grimmelmann:

I mean, the obvious dividing line here is a client-side app that reports the results out to a third party versus one that merely reports it to parties to the communication.

That is, I might very well, as a recipient, want to have had the sender's device do a client-side scan and have a cryptographic certification that it didn't include stuff in this abusive database. I could see that, and if that's not revealed to anybody outside the communication, it seems reasonably privacy-friendly.

If it's scanning against the government-provided database of terrorist-supporting content, or the kinds of safety concerns that the UK Home Office would like to be monitoring for, that's a bigger intrusion on privacy. Now, it may be that the particular things on this list are particularly concerning, but you get into the fact that this is scanning your messaging for reporting out to the government, and you get into serious questions about the transparency of the process by which things are added to that database.

And so you really can't assess the privacy implications without having a larger conversation about the institutional setting.

Here is the original post:
Content Moderation, Encryption, and the Law - Tech Policy Press
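Message franking, as Grimmelmann describes it in the interview above, fits in a few dozen lines. What follows is an added example written for this page; it is not code from the paper, from Facebook, or from any messaging platform. It assumes the sender and recipient already share an AES-256 key (the key agreement is out of scope), models the sender's commitment as HMAC-SHA256 under a fresh per-message franking key that travels inside the end-to-end ciphertext, and models the platform's stamp as an HMAC under a key only the platform holds. The type and function names (Message, Seal, Frank, Open, VerifyReport) are invented for the example, and the abusive sample message is the one quoted in the interview.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const frankKeyLen, nonceLen = 32, 12

// Message is what the platform relays. Seal fills Ciphertext and Commit on the
// sender's device; Frank fills Sender, Recipient and Stamp on the platform,
// which never sees the franking key and so learns nothing from Commit alone.
type Message struct {
	Ciphertext []byte // nonce || AES-GCM_e2eKey(frankKey || plaintext), AAD = Commit
	Commit     []byte // HMAC-SHA256(frankKey, plaintext)
	Sender     string
	Recipient  string
	Stamp      []byte // HMAC-SHA256(platformKey, stampInput(Commit, Sender, Recipient))
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: stop rather than reuse a key or nonce
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return a
}

func mac(key, data []byte) []byte { m := hmac.New(sha256.New, key); m.Write(data); return m.Sum(nil) }

// stampInput length-prefixes the sender so ("ab","c") and ("a","bc") differ.
func stampInput(commit []byte, sender, recipient string) []byte {
	b := append([]byte{}, commit...)
	b = append(b, byte(len(sender)>>8), byte(len(sender)))
	return append(append(b, sender...), recipient...)
}

// Seal runs on the sender's device; e2eKey is assumed already shared with the recipient.
func Seal(e2eKey, plaintext []byte) Message {
	frankKey := randBytes(frankKeyLen) // fresh per message, never reused
	commit := mac(frankKey, plaintext)
	nonce := randBytes(nonceLen)
	inner := append(append([]byte{}, frankKey...), plaintext...)
	// Commit rides along as associated data, so a tampered tag fails decryption.
	return Message{Ciphertext: gcm(e2eKey).Seal(nonce, nonce, inner, commit), Commit: commit}
}

// Frank runs on the platform, which sees only the ciphertext and the commitment.
func Frank(platformKey []byte, m Message, sender, recipient string) Message {
	m.Sender, m.Recipient = sender, recipient
	m.Stamp = mac(platformKey, stampInput(m.Commit, sender, recipient))
	return m
}

// Open runs on the recipient's device and returns (plaintext, frankKey). It
// rejects a message whose commitment does not verify, so a sender cannot
// deliver a message that the recipient would be unable to report.
func Open(e2eKey []byte, m Message) ([]byte, []byte, error) {
	if len(m.Ciphertext) < nonceLen {
		return nil, nil, errors.New("ciphertext too short")
	}
	inner, err := gcm(e2eKey).Open(nil, m.Ciphertext[:nonceLen], m.Ciphertext[nonceLen:], m.Commit)
	if err != nil {
		return nil, nil, err
	}
	if len(inner) < frankKeyLen || !hmac.Equal(mac(inner[:frankKeyLen], inner[frankKeyLen:]), m.Commit) {
		return nil, nil, errors.New("commitment mismatch: do not display")
	}
	return inner[frankKeyLen:], inner[:frankKeyLen], nil
}

// VerifyReport runs on the platform when the recipient reports m together with
// the opened plaintext and franking key. The stamp proves the platform relayed
// this commitment between these parties; the commitment proves the plaintext.
func VerifyReport(platformKey []byte, m Message, plaintext, frankKey []byte) error {
	if !hmac.Equal(mac(platformKey, stampInput(m.Commit, m.Sender, m.Recipient)), m.Stamp) {
		return errors.New("stamp invalid: not relayed by this platform")
	}
	if !hmac.Equal(mac(frankKey, plaintext), m.Commit) {
		return errors.New("plaintext does not open the commitment: forged report")
	}
	return nil
}

func main() {
	e2eKey, platformKey := randBytes(32), randBytes(32) // constructed demo keys
	m := Frank(platformKey, Seal(e2eKey, []byte("I hope you die")), "alice", "bob")
	pt, fk, err := Open(e2eKey, m)
	fmt.Println("recipient sees:", string(pt), err)
	fmt.Println("genuine report:", VerifyReport(platformKey, m, pt, fk))
	fmt.Println("forged report:", VerifyReport(platformKey, m, []byte("nice weather"), fk))
}
```

The platform stores Commit and Stamp but never the franking key, so it learns nothing about the plaintext until the recipient hands over the plaintext and the key in a report. The recipient cannot fabricate a report for text that was never sent, because no other plaintext opens the commitment, and cannot pin a message on a different sender, because the stamp binds the sender identity the platform observed on the wire. The recipient-side check in Open is what stops a sender from shipping a message with a bogus commitment that could never be reported. Commit and Stamp are exactly the per-message metadata whose status under the Wiretap Act the interview discusses.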

The importance of encryption for the defence industry in today’s … – defenceWeb

In today's digital world, the defence industry is increasingly adopting cutting-edge technologies to enhance its capabilities. These technologies, such as the Internet of Things (IoT), cloud computing, artificial intelligence (AI), and virtual reality (VR), offer tremendous opportunities for improved operations and services.

However, their integration brings forth new challenges related to security, privacy, and the reliability of underlying systems. As a result, robust cybersecurity solutions, including encryption, are vital to protect sensitive data.

In the past two decades, a staggering number of records (numbering in the billions) have been stolen or compromised, with barely a week going by without news of a major data breach. This month, for example, the Pentagon announced plans to tighten protection for classified information following the explosive leaks of hundreds of intelligence documents that were accessed through security gaps at a Massachusetts Air National Guard base by Guardsman Jack Teixeira. The leak is considered the most serious US national security breach since more than 700 000 documents, videos and diplomatic cables appeared on the WikiLeaks website in 2010.

Breaches on the rise

Only a few weeks ago, MOVEit, a popular file transfer tool, was compromised, exposing sensitive data belonging to many of the organisations that use the software. Affected organisations include payroll provider Zellis, British Airways, the BBC, and the province of Nova Scotia. In May, it was alleged that vehicle manufacturer Suzuki had to stop operations at one of its plants in India after a cyberattack, incurring a production loss of more than 20 000 vehicles during this time.

The defence industry and military have been targeted as well. Last year Kon Briefing recorded 34 major cyberattacks on the military and defence industry, which amongst others saw 1.7 million Polish Army logistics data sets published; data about 120 000 Russian soldiers fighting in Ukraine leaked; over 15 000 emails from a Russian military construction company leaked; 400 000 emails of the Chilean Ministry of Defence leaked; a database of the Russian military intelligence service leaked; and secret NATO documents from Portugal offered for sale on the Darknet etc.

Leading causes of data loss or compromise include data stored on mobile or removable devices, and internal breaches resulting from unauthorised employee access to private data. Theft of devices has also emerged as a major factor in data breaches, and the loss of confidential information is not limited to theft of the device alone, as malware increasingly targets proprietary business information and customer data.

A list of dire consequences

Furthermore, the consequences of a data breach go well beyond the direct financial costs, including the loss of confidence and irreparable damage to an organisation's reputation. Add to this the fact that data security and privacy have become legally mandated in many major markets as the regulatory environment grows more stringent, with regulations such as PoPIA and GDPR working to safeguard sensitive information.

So what can be done to mitigate the damage of stolen devices, or of malware that exfiltrates company or military information? A central answer is encryption, which has emerged as a critical defence mechanism. By encrypting data, organisations render their most confidential information useless to anyone who obtains it without the key, so the data itself stays protected even after the device or network around it has been compromised, provided the keys themselves stay out of the attacker's reach. That protection is what preserves the confidence of their stakeholders.

What is data encryption?

Data encryption is the process of converting data from its original form (plaintext) into an unreadable form called ciphertext, which is useless to anyone who does not hold the key. To turn the ciphertext back into the original data, the corresponding decryption key is needed. The algorithm, or cipher, is assumed to be public; the security rests entirely on the secrecy of the key.

Although data varies greatly in nature, encryption can be applied to practically every type of data. It can be employed when data is at rest, meaning stored in a fixed location such as a disk, and when data is in motion, being transmitted over a network (for example under TLS). Encryption at rest is available for a host of operating systems and file systems, as well as for block devices, bare-metal servers, virtual machines, and virtual disks.

Certain data, such as the information stored in the /proc directory on a Linux server, may not necessarily need to be encrypted, and in these cases, alternative security measures such as file-level access control should be implemented to safeguard the data.

The effectiveness of different encryption algorithms varies depending on the types of data being encrypted. Additionally, the performance of these algorithms can be influenced by the underlying infrastructure on which they are implemented.

Some algorithms may demonstrate superior performance in environments with abundant memory but limited CPU power, while others may excel in CPU-intensive environments. It is therefore recommended to experiment with different encryption algorithms to identify the ones that align best with the business's specific requirements.

Best practices

There are also some best practices that militaries and defence businesses should follow when embarking on an encryption journey.

Firstly, safeguarding the encryption keys is crucial. Mistakes can happen, and if the encryption key is compromised, unauthorised access to company data becomes a real danger. Avoid storing the key in an unencrypted file on your computer. Instead, adopt measures such as separating the keys from the data, implementing user access restrictions and responsibilities, and regularly rotating encryption keys based on a predetermined schedule.

Next, encrypt all sensitive data, irrespective of its storage location or perceived risk. Breaches are seen as an inevitability now, so by encrypting sensitive data, the business significantly increases the barriers to unauthorised actors attempting to breach the systems.

Finally, effective data encryption involves making data unreadable to unauthorised parties while maintaining efficiency and utilising resources optimally. If the encryption process is overly time-consuming or consumes excessive CPU time and memory, consider switching to a different algorithm or experimenting with encryption tool settings to strike a balance between security and performance.

By embracing encryption as an essential security measure, the defence sector can fortify its data protection capabilities, maintain confidentiality, and instil confidence among stakeholders. Encryption serves as a cornerstone in safeguarding sensitive information, preserving national security, and supporting the defence sector's digital transformation endeavours.

Written by Caryn Vos, Senior Manager: Crypto at Altron Systems Integration

Vos has specialised in information security for over 20 years, during which time she has dealt with all facets of this industry. This has given her a deep and broad understanding of information security as a whole. While she has focused on the financial services sector for many years, she has also worked with most industries during the course of her career. She has built an extensive network throughout the channel and end-user customer base and has extensive experience in dealing with end users as well as through partners.

For more information contact me via LinkedIn https://www.linkedin.com/in/caryn-vos-4763047/

Continue reading here:
The importance of encryption for the defence industry in today's ... - defenceWeb

Senate Bill Crafted With DEA Targets End-to-End Encryption … – Slashdot

A bill requiring social media companies, encrypted communications providers and other online services to report drug activity on their platforms to the U.S. Drug Enforcement Administration (DEA) advanced to the Senate floor Thursday, alarming privacy advocates who say the legislation turns the companies into de facto drug enforcement agents and exposes many of them to liability for providing end-to-end encryption. From a report: The bipartisan Cooper Davis Act -- named for a Kansas teenager who died after unknowingly taking a fentanyl-laced pill he bought on Snapchat -- requires social media companies and other web communication providers to give the DEA users' names and other information when the companies have "actual knowledge" that illicit drugs are being distributed on their platforms.

Many privacy advocates caution that, if passed in its current form, the bill could be a death blow to end-to-end encryption services because it includes particularly controversial language holding companies accountable for conduct they don't report if they "deliberately blind" themselves to the violations. Officials from the DEA have spent several months honing the bill with key senators, Judiciary Committee Chairman Dick Durbin (D-IL) said Thursday. Providers of encrypted services would face a difficult choice should the bill pass, said Greg Nojeim, Senior Counsel & Director of Security and Surveillance Project at the Center for Democracy and Technology. "They could maintain end-to-end encryption and risk liability that they had willfully blinded themselves to illegal content on their service and face the music later," Nojeim said. "Or they could opt to remove end-to-end encryption and subject all of their users who used to be protected by one of the best cybersecurity tools available to new threats and new privacy violations."

Read this article:
Senate Bill Crafted With DEA Targets End-to-End Encryption ... - Slashdot

How to encrypt a file within seconds in Linux! – Medium

The art of cryptography consists of two parts, encryption and decryption. One is the exact reverse of the other, and both are powered by some serious math. The purpose of cryptography is to hide the content of a message so that if someone other than the intended receiver finds it, they won't be able to read it.

In this article I will show you the easiest way to encrypt a file in Linux in just a few seconds using the GNU Privacy Guard (the gpg tool).

In most modern Linux distros the gpg tool is already pre-installed. To check if gpg is installed on your system, run:

If gpg is not installed on your system simply run:

Once installed on your system, you can start encrypting your files by running:

Then we provide an easy-to-remember passphrase and we are done. A new encrypted version of the file is created alongside the original one, with the .gpg extension. GPG offers many encryption algorithms, meaning that you can choose which one will be used to encrypt your data. To list the algorithms, run:

You can select a specific algorithm by running instead:

In order to decrypt a file you simply run the following command and then provide the passphrase that was used to encrypt it.

Note: If you encrypt a file and then immediately try to decrypt it, you may not be prompted for a passphrase, because gpg-agent caches it. The cache needs to be cleared first for a passphrase to be requested.
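The same workflow driven from Python, added here as an example (it is not code from the Medium article). It assumes a GnuPG 2.x `gpg` binary on PATH; the cipher name, file names and passphrase are constructed for the demonstration. The argv builders document the flags that matter, and the round-trip runs in a throw-away GNUPGHOME so it never touches the user's real keyring or passphrase cache.

```python
"""Passphrase-based (symmetric) file encryption with GnuPG from Python (added example)."""
import os
import shutil
import subprocess
import tempfile

# Assumed default for this example; AES256 is one of the ciphers that
# `gpg --version` lists under "Cipher:".
DEFAULT_CIPHER = "AES256"


def gpg_available() -> bool:
    """The article's first step: is a gpg binary on PATH?"""
    return shutil.which("gpg") is not None


def build_encrypt_cmd(path: str, cipher: str = DEFAULT_CIPHER) -> list:
    """argv for non-interactive symmetric encryption of `path` into `path.gpg`.

    --symmetric                 passphrase-based, no key pair required
    --cipher-algo CIPHER        choose the algorithm instead of gpg's default
    --batch --yes               never prompt; overwrite an existing .gpg
    --pinentry-mode loopback
      --passphrase-fd 0         read the passphrase from stdin, not argv
    """
    return [
        "gpg", "--batch", "--yes",
        "--pinentry-mode", "loopback", "--passphrase-fd", "0",
        "--symmetric", "--cipher-algo", cipher,
        "--output", path + ".gpg", path,
    ]


def build_decrypt_cmd(enc_path: str, out_path: str) -> list:
    """argv for non-interactive decryption of `enc_path` into `out_path`."""
    return [
        "gpg", "--batch", "--yes",
        "--pinentry-mode", "loopback", "--passphrase-fd", "0",
        "--output", out_path, "--decrypt", enc_path,
    ]


def _run(cmd: list, passphrase: str, env: dict) -> None:
    # The passphrase travels on stdin (fd 0); putting it in argv would expose
    # it to `ps` and shell history.
    subprocess.run(cmd, input=passphrase.encode(), env=env, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def _kill_agent(env: dict) -> None:
    # Stop the agent gpg auto-started for the temporary home so its socket
    # does not outlive the directory; gpgconf ships with GnuPG 2.x.
    try:
        subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env, check=False,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        pass


def encrypt_decrypt_roundtrip(plaintext: bytes, passphrase: str,
                              cipher: str = DEFAULT_CIPHER):
    """Encrypt a constructed file, decrypt it and compare with the original.

    Returns True/False for the comparison, or None when gpg is not installed.
    A throw-away GNUPGHOME keeps the run away from the user's real keyring and
    gpg-agent passphrase cache; that cache is why the article's note says a
    decrypt right after an encrypt may not prompt for the passphrase.
    """
    if not gpg_available():
        return None
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)
        try:
            src = os.path.join(home, "secret.txt")
            with open(src, "wb") as f:
                f.write(plaintext)
            _run(build_encrypt_cmd(src, cipher), passphrase, env)
            enc = src + ".gpg"
            with open(enc, "rb") as f:
                if f.read() == plaintext:
                    return False  # output was not transformed at all
            dec = os.path.join(home, "secret.dec")
            _run(build_decrypt_cmd(enc, dec), passphrase, env)
            with open(dec, "rb") as f:
                return f.read() == plaintext
        finally:
            _kill_agent(env)
```

`gpg --version` prints the supported ciphers. To clear a cached passphrase on a real system, `gpg-connect-agent reloadagent /bye` drops the agent's cache; GnuPG 2.2.7 and newer also accept `--no-symkey-cache` so a symmetric passphrase is never cached in the first place.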

See original here:
How to encrypt a file within seconds in Linux! - Medium

Cigent Announces New Pre-Boot Authentication (PBA) Full Drive … – PR Web

Cigent

FORT MYERS, Fla. (PRWEB) July 18, 2023

Cigent Technology, Inc., the leader in embedded cybersecurity in storage devices, today unveiled Cigent Data Defense Pre-Boot Authentication, which enables a TCG Opal 2.0 Self Encrypting Drive to be fully encrypted, preventing adversaries from being able to access the data if they get physical access to the PC or storage device. Cigent PBA Software has been FIPS validated and posted on the NIAP Common Criteria Products in Evaluation site, the precursor to certification by NIAP and listing on the Product Compliant List and posting on the CSfC Component List.

When installed on a Seagate Barracuda 515 or DIGISTOR C Series drive (both on the NIAP Product Compliant List), Cigent offers CSfC DAR Capabilities Package 5.0 compliant Full Drive Encryption protection with FDE_EE (encryption engine) and FDE_AA (authentication) NIAP Protection Profiles compliance. Cigent Data Defense PBA supports multiple forms of authentication including username and password, CAC/PIV/Yubikey, or both to be fully NIST MFA compliant and adhere to both MFA and Zero Trust requirements outlined in the US Executive Order 14028.

Furthermore, both the Seagate Barracuda 515 and DIGISTOR C Series Advanced Secure SSDs include Cigent's embedded cybersecurity protections in firmware. These protections include Complete Erasure Verification, Immutable Insider Threat data access logs, and a firmware-heartbeat that automatically locks and makes Cigent Secure Vaults invisible if the Cigent software service is disabled.

With Data Defense Pre-Boot Authentication, an authentication screen pops up when the computer is turned on. The user can then authenticate to decrypt the drive. Cigent's PBA software uses RSA 4096-bit encryption keys for authentication and can be used in conjunction with Cigent Data Defense Secure Vault to create a post-boot hidden partition for storage of sensitive data that requires MFA for access and uses Cigent advanced key creation and storage for partition protection.

"By achieving FIPS validation and inclusion in the NIAP Common Criteria Products in Evaluation, Cigent Data Defense PBA demonstrates our commitment to meeting rigorous government security standards," said Tom Ricoy, CRO at Cigent. "These validations help to ensure that the organizations with extremely sensitive data can utilize the advanced data security solutions from Cigent."

The PBA software also enables the administrator to securely wipe data from drives with Cigent True Erase. This includes a Crypto Erase that deletes the decryption key, rendering the encrypted data inaccessible. For added assurance, a full drive erasure (using a Format NVM function to Full Flash Overwrite, zeroing every block on the drive and resetting the drive back to its factory state) completely overwrites the disk to remove all data. Cigent's patented True Erase capability built into the firmware of Cigent Secure SSDs also verifies that every block has truly been wiped after erasure. Within seconds, True Erase performs all three of these functions, enabling the drive to be safely repurposed or sent off for destruction.

To learn more about the Cigent Data Defense Pre-Boot Authentication Software please visit the Resource Library - Cigent Technology Inc.

About Cigent

Cigent offers a new approach to data security to stop ransomware and data theft, as well as achieve compliance. Cigent protects your most valuable asset - your data - against the most sophisticated adversaries. We protect data throughout its lifecycle via prevention-based defenses embedded into storage and individual files. From decades of data recovery, cybersecurity, and device sanitization experience, the experts at Cigent have developed prevention methods beyond anything that exists today.


Link:
Cigent Announces New Pre-Boot Authentication (PBA) Full Drive ... - PR Web

Protecting Sensitive Information: A Comprehensive Guide to Email … – Fagen wasanni

Understanding the Importance of Cybersecurity: A Detailed Guide on Email Encryption Strategies for Businesses to Protect Sensitive Information

In the digital age, the importance of cybersecurity cannot be overstated. As businesses increasingly rely on electronic communication, the need to protect sensitive information has become paramount. One of the most effective ways to safeguard this data is through email encryption, a strategy that is becoming a standard practice for businesses worldwide.

Email encryption is a method of protecting information by converting it into an unreadable format, known as ciphertext, which can only be deciphered with a unique decryption key. This ensures that even if an unauthorized party intercepts the email, they will not be able to access the sensitive information it contains.

The need for such measures has been underscored by the rise in cybercrime. According to a report by Cybersecurity Ventures, cybercrime is predicted to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This staggering figure highlights the urgent need for businesses to implement robust cybersecurity measures, with email encryption being a critical component.

There are several types of email encryption strategies that businesses can employ. The first is Transport Layer Security (TLS), which encrypts the connection between the sender's and the recipient's mail servers. This prevents attackers from intercepting the email while it is in transit. However, if the recipient's server does not support TLS, the email will be sent unencrypted.

Another strategy is end-to-end encryption, which ensures that the email is encrypted from the moment it leaves the sender's device until it reaches the recipient. This method is more secure than TLS as it protects the email even if it is intercepted during transit or while stored on the mail servers.
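A client-side check for the TLS caveat above, added here as an example and not taken from the article: opportunistic STARTTLS silently falls back to cleartext when the next hop does not offer it, so a sending client that must not leak should refuse instead. This uses Python's standard `smtplib`; `host`, `sender`, `recipient` and the port are caller-supplied assumptions, and only the pure decision function is exercised offline.

```python
"""Mandatory (not opportunistic) STARTTLS for outbound mail (added example)."""
import smtplib
import ssl


class StartTlsNotOffered(Exception):
    """Raised instead of silently delivering in cleartext."""


def starttls_offered(esmtp_features: dict) -> bool:
    """Decide from the EHLO extension map whether the hop can be upgraded.

    smtplib stores the server's EHLO extensions in `SMTP.esmtp_features`
    keyed by lower-cased keyword; a server that does not list STARTTLS cannot
    upgrade the connection, which is exactly the downgrade case described above.
    """
    return "starttls" in {k.lower() for k in esmtp_features}


def send_with_mandatory_tls(host: str, sender: str, recipient: str,
                            message: str, port: int = 587) -> dict:
    """Deliver `message` only over a verified TLS channel; never downgrade.

    Opens a real network connection (not run offline). Returns smtplib's
    per-recipient refusal dict, which is empty on success.
    """
    # The default context verifies the certificate chain and hostname, so a
    # self-signed or mismatched certificate aborts the handshake.
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not starttls_offered(smtp.esmtp_features):
            raise StartTlsNotOffered(f"{host} does not offer STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-learn extensions over the now-encrypted channel
        return smtp.sendmail(sender, recipient, message)
```

Even with this check, TLS protects only the hop to the next server: the message is decrypted on each relay and sits in cleartext in mailboxes, which is the gap the end-to-end approaches in the next paragraphs close.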

Businesses can also use Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP) encryption. S/MIME uses a centralized authority to issue certificates that verify the sender's identity and encrypt the email. PGP, on the other hand, uses a decentralized model where users generate their own encryption keys.

While these strategies offer robust protection, they are not without challenges. For instance, end-to-end encryption can be complex to implement and may not be compatible with all email clients. S/MIME and PGP also require users to manage their encryption keys, which can be a daunting task for non-technical users.

Despite these challenges, the benefits of email encryption far outweigh the drawbacks. By protecting sensitive information, businesses can avoid costly data breaches, maintain customer trust, and comply with data protection regulations. Moreover, as cyber threats continue to evolve, implementing robust encryption strategies will be crucial in staying one step ahead of cybercriminals.

In conclusion, email encryption is a vital component of a comprehensive cybersecurity strategy. By understanding the different encryption strategies and their benefits and challenges, businesses can make informed decisions about how to best protect their sensitive information. As the digital landscape continues to evolve, so too must our strategies for safeguarding our data.

Read the original post:
Protecting Sensitive Information: A Comprehensive Guide to Email ... - Fagen wasanni

Leading the Way with Radical Transparency – CISA

Today, the Administration announced the U.S. Cyber Trust Mark, an Internet of Things (IoT) labeling initiative led by the Federal Communications Commission and the National Institute of Standards and Technology. The initiative will give consumers a way of understanding whether IoT products meet a cybersecurity baseline to improve overall safety. At CISA, we heartily applaud this effort and are excited to work with both our public and private sector partners to continue to embrace such transparency for a safer and more secure nation.

We talk a lot about a future where market forces drive stronger security, but to make this a reality, we need to be able to evaluate products based on their security. And we certainly haven't made that easy for customers to date. As it stands, too often security claims are written by marketing teams and not based on actual evidence. For instance, marketing teams often claim "military grade encryption" when in reality military grade encryption is no different from standard encryption, but how could a hospital system, a water treatment facility, or a school district know this?

In April, CISA, along with nine domestic and international partners, released a Secure by Design white paper, detailing our collective vision for a more secure future where technology manufacturers assume more of the burden of security. A key principle in that document, that manufacturers must embrace radical transparency and accountability, is particularly relevant to today's Cyber Trust Mark announcement, and one of the reasons we at CISA are so enthusiastic about it. This initiative will enable customers to understand more about the security of devices they are considering purchasing, and ultimately gravitate to more secure products, just as nutrition labels help customers make healthier choices about the food they buy at the grocery store.

Radical transparency can take many forms, from security labeling, to a software provider publishing statistics on adoption of multi-factor authentication, to a technology manufacturer writing a blog post on their efforts to eliminate an entire class of vulnerability from their codebases, but all are important for a holistic understanding of our individual as well as our collective cybersecurity posture.

We are now working on the next iteration of our Secure by Design guidance, which will detail ways that technology manufacturers can demonstrate their adherence to Secure by Design principles, including radical transparency. If you happen to be attending DEFCON this summer, we will be hosting a workshop inviting the security community to provide feedback. You can also reach out to us at SecureByDesign@cisa.dhs.gov with your thoughts.

See the article here:
Leading the Way with Radical Transparency - CISA

API Security: 10 Issues and How To Secure – CrowdStrike

What is API security?

Many organizations allow customers to access their data through an application programming interface (API) so they can build customized solutions on top of it. But this access comes with risks, making API security a crucial element of a business's success.

API security involves implementing measures to safeguard data confidentiality, integrity, and availability. These measures include setting up authentication and authorization mechanisms that permit only authorized users and applications to access the API, and implementing encryption and other security protocols to protect data in transit and at rest.

Additionally, API security encompasses monitoring and logging to detect and respond to security incidents, and conducting regular testing and vulnerability assessments to identify and address potential security weaknesses.

These security measures mitigate serious risks, as API breaches can have severe consequences for individuals and organizations alike. Attackers can exploit vulnerabilities in APIs to access sensitive data, such as personal information, financial details, and login credentials, potentially resulting in identity theft, fraud, and other cybercrimes. Attackers can also carry out denial-of-service attacks, which make the targeted API unavailable to legitimate users.

For companies that rely on APIs to connect with third-party services, a breach can lead to reputational damage, financial losses, legal action, fines, and regulatory sanctions. That's why prioritizing API protection and regularly monitoring for potential violations protects both an organization and its users.


The terms API security and application security are often confused, but they are two different concepts. APIs have a bigger attack surface than web applications because APIs are designed to accommodate a wide range of clients. At the same time, wide-ranging accessibility makes APIs more vulnerable to security threats. The authentication schemes APIs use also differ from those used by web applications. For example, APIs use token-based authentication, whereas applications commonly use two-factor schemes that send users a code on their smartphone that they manually enter into the application alongside their password.

If we look at the OWASP top 10 security risks for APIs, we also see that they differ from those for web applications. The list of the top 10 security risks for web applications includes things like UI design flaws and using vulnerable UI components, while the list of API risks centers on authorization issues at the system's object or function level.

There is a range of standards to consider when building an API that can keep it secure. These standards are mostly related to encryption, authentication, and authorization. Some of them, like Transport Layer Security (TLS), are so tightly integrated into basic internet protocols that you're using them right now while reading this article.

Let's check out the five most important standards.

TLS encryption is a protocol that secures client and server connections over the internet. It encrypts data in flight to prevent intermediaries from reading the transferred data. This encryption technology is widely used in e-commerce, online banking, and other web-based applications to protect sensitive information.

A popular authorization protocol, OAuth (open authorization) allows an organization to grant third-party applications access to its APIs on a website without sharing its credentials. Instead of giving the application a password, OAuth generates a token that authorizes access to an account for a specific time period.

Security Assertion Markup Language (SAML) is an XML-based standard for authentication and authorization data exchanges. Commonly used in internal or business-to-business applications, SAML helps build single sign-on (SSO) solutions that eliminate the need for a user to remember multiple login credentials.

JSON Web Token (JWT) is a token format that is optimized to be represented in URLs, transferred via HTTP, and read with JavaScript inside a browser. The tokens represent access claims for services and are used for authentication and authorization. They contain detailed information such as user ID and expiration time, and standards like OAuth use tokens in the JWT format as their access tokens.

Representational state transfer (REST) is one of the most common architectural styles on the internet. The OWASP REST Security Cheat Sheet provides guidelines for securing REST APIs against common threats, such as injection attacks, broken authentication, and sensitive data exposure. One recommended approach is to use JWT, a secure and streamlined method for transmitting data and managing user authentication.


The most common security risks for APIs relate to authorization issues, but other factors can also present pressing security concerns. Let's look at 10 of the most prevalent API security issues (according to OWASP) and explore how to prevent them.

Broken object-level authorization occurs when an API does not correctly enforce object-level authorization, allowing attackers to access or modify data they should not have access to. To prevent this issue, use a centralized access control mechanism to manage object-level authorization. This mechanism should be able to enforce access control policies at the object level and handle complex relationships between objects.

Broken user authentication occurs when an API does not properly authenticate users, allowing attackers to impersonate legitimate users and access sensitive data. To mitigate this risk, implement multi-factor authentication and use secure password storage mechanisms. Multi-factor authentication adds an extra layer of security by requiring more than one proof of identity, such as a password plus a separate device, to log in. Secure password storage mechanisms, such as hashing and salting, make it more difficult for attackers to crack passwords.

In systems that use large objects, a typical risk is that one object exposes more data than necessary. Even when the system uses object-level authorization, an object may still have properties that include sensitive data. The solution is to use encryption to protect sensitive data and limit the amount of data exposed. Encryption can help protect data in transit and at rest. Filtering object properties before sending them to a client can help reduce the impact of a data breach.
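The two previous items, a central object-level check and filtering of object properties before they leave the server, in one handler. This is an added example (not CrowdStrike's code): the invoice records, roles and field allowlists are constructed, and `principal` stands for the identity an upstream token check has already established.

```python
"""Object-level authorization plus response-property filtering (added example)."""
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Invoice:
    id: str
    owner_id: str
    amount_cents: int
    card_last4: str        # sensitive: only support staff may see it
    internal_notes: str    # sensitive: never leaves the server


# Constructed records standing in for the API's data store.
INVOICES = {
    "inv-1": Invoice("inv-1", "user-1", 1200, "4242", "dispute pending"),
    "inv-2": Invoice("inv-2", "user-2", 9900, "1111", ""),
}

# Allowlist of properties each role may receive. Anything not listed is
# dropped, so a newly added sensitive column is hidden by default.
EXPOSED_FIELDS = {
    "customer": ("id", "amount_cents"),
    "support": ("id", "owner_id", "amount_cents", "card_last4"),
}


class NotFound(Exception):
    """Used for missing and foreign objects alike, so the 403/404 difference
    cannot be used to learn which IDs exist."""


def authorize_object(principal: dict, invoice: Invoice) -> bool:
    """The single, central object-level rule: owners and support staff only."""
    return principal["role"] == "support" or invoice.owner_id == principal["sub"]


def filter_properties(invoice: Invoice, role: str) -> dict:
    """Project the object onto the fields `role` is allowed to see."""
    allowed = EXPOSED_FIELDS.get(role, ())
    return {k: v for k, v in asdict(invoice).items() if k in allowed}


def get_invoice(principal: dict, invoice_id: str) -> dict:
    """Handler for GET /invoices/{id}; every path goes through both checks."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not authorize_object(principal, invoice):
        raise NotFound(invoice_id)
    return filter_properties(invoice, principal["role"])


def can_read(principal: dict, invoice_id: str) -> bool:
    """Boolean wrapper around get_invoice for policy checks."""
    try:
        get_invoice(principal, invoice_id)
        return True
    except NotFound:
        return False
```

The point of routing every handler through `authorize_object` and `filter_properties` is that neither check depends on a developer remembering it per endpoint; an unknown role receives an empty projection rather than the whole record.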

When an API does not properly allocate resources or enforce rate limits, attackers can launch denial-of-service attacks. To prevent these attacks, implement rate limiting and resource allocation mechanisms. Rate limiting can keep attackers from overwhelming the API with requests, and resource allocation mechanisms help ensure that resources are allocated fairly and efficiently.
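A per-client token bucket, the usual shape of the rate limiting recommended above, as an added example (not the article's code). The client keys and limits are constructed; the clock is injectable so the behaviour can be checked without waiting. It also bounds its own state, since the limiter's memory is itself a resource an attacker can try to exhaust.

```python
"""Per-client token-bucket rate limiting (added example)."""
import time


class TokenBucket:
    """One bucket per client key; each request costs one token.

    `capacity` bounds the burst, `refill_per_second` the sustained rate.
    """

    def __init__(self, capacity: int, refill_per_second: float,
                 max_keys: int = 10_000, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(refill_per_second)
        self.max_keys = max_keys
        self._clock = clock
        self._buckets = {}  # key -> (tokens, last_refill_time)

    def _current(self, key: str, now: float):
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Refill lazily: tokens earned since the last touch, capped at capacity.
        return min(self.capacity, tokens + (now - last) * self.rate)

    def allow(self, key: str, now: float = None) -> bool:
        """True if `key` may proceed now; consumes one token when it may."""
        now = self._clock() if now is None else now
        tokens = self._current(key, now)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        if key not in self._buckets and len(self._buckets) >= self.max_keys:
            self._evict_stalest()
        self._buckets[key] = (tokens, now)
        return allowed

    def retry_after(self, key: str, now: float = None) -> float:
        """Seconds until `key` earns its next token (for a Retry-After header)."""
        now = self._clock() if now is None else now
        tokens = self._current(key, now)
        return 0.0 if tokens >= 1.0 else (1.0 - tokens) / self.rate

    def tracked(self) -> int:
        """Number of client keys currently holding state."""
        return len(self._buckets)

    def _evict_stalest(self) -> None:
        # Cap the number of tracked clients so a flood of never-repeated keys
        # cannot grow the limiter without bound.
        stalest = min(self._buckets, key=lambda k: self._buckets[k][1])
        del self._buckets[stalest]
```

Keying on an authenticated subject rather than a source address is preferable where the API requires a token, since addresses are shared behind NAT and cheap to rotate; a rejected request should carry the `retry_after` value so well-behaved clients back off.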

Broken function-level authorization occurs when an API doesn't require authorization for each of its endpoints. This can allow attackers to call endpoints that should only be used by an administrator. Using a centralized access control mechanism to manage function-level authorization can help mitigate this risk. The access control mechanism should be able to enforce access control policies at the function level and should be capable of handling complex relationships between functions.

Server-side request forgery (SSRF) arises when an API accepts a URL from a client to fetch data from a third-party service and doesn't validate the URL, allowing an attacker to submit malicious URLs that can expose internal services or scan the API for open ports. Employing URL allowlists or filtering internal hostnames and IPs can help prevent this problem.
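The allowlist-plus-address check described above as an added example (not the article's code). The allowed hostnames are constructed and the resolver is injectable so the check runs offline; it goes a step further than a hostname allowlist by also refusing any name that resolves to a non-public address.

```python
"""Outbound URL validation against SSRF (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of third-party hosts this service is permitted to call.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}


def resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer for `host` (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text)
    # is_global already excludes private, loopback, link-local, documentation
    # and reserved ranges; multicast is excluded separately.
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS,
                          resolver=resolve) -> str:
    """Return `url` if it is safe to fetch, else raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is permitted")
    if parts.username is not None or parts.password is not None:
        # "https://allowed.host@other.host/" parses as user "allowed.host".
        raise ValueError("credentials in URL are not permitted")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError("non-standard port")
    addresses = resolver(host)
    if not addresses:
        raise ValueError("host did not resolve")
    for ip_text in addresses:
        if not is_public_address(ip_text):
            raise ValueError(f"{host} resolves to non-public address {ip_text}")
    return parts.geturl()


def url_is_allowed(url: str, **kwargs) -> bool:
    """Boolean wrapper for policy checks."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except ValueError:
        return False
```

Two follow-ups matter in practice: the HTTP client should connect to the address that was validated (otherwise a second lookup can return a different answer), and redirects should be disabled or re-validated hop by hop, since a permitted host can redirect anywhere.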

Following safe coding practices and regularly updating software and security configurations are key steps to configuring APIs securely so attackers cant exploit vulnerabilities. Using secure defaults, disabling unnecessary features, and regularly updating software and security configurations are just a few best practices for hardened security configuration.

Automation can allow attackers to exploit regular business flows for financial gain by referring bots to a paid referral program or buying a limited product excessively to resell it later. Though some of these activities may not be illegal, they can still lead to reputation loss or financial losses for the organization. To keep this risk at bay, ensure that purchasing flows include reasonable limitations per person and referral programs are paid out only when a proof of personhood has been supplied. Device fingerprinting and blocking of suspicious IPs like Tor exit nodes are also recommended measures.

When an API does not properly manage assets such as keys and certificates, unauthorized users can gain access to sensitive information. This is another reason its critical to employ secure coding practices and regularly update software and security configurations. Asset management can also include using secure defaults and disabling unnecessary features.

APIs often use APIs from third parties to get their work done. In many cases, these third-party APIs are treated as inherently secure. But these APIs can still become an attack vector into a system, allowing malicious users to indirectly send problematic inputs, such as SQL injections or forged URLs. Sanitizing inputs is vital, not just those from clients but those from all systems that can enter data into your API. Employing allowlists for hostnames and restricting redirects can help ensure the safety of third-party APIs.

Managing API security can seem complex, but it doesn't have to be. The CrowdStrike Falcon platform assesses your API security posture across multiple hosts, keeping an eye on your service configurations and helping to test for potential threats. With CrowdStrike Threat Graph, cloud-scale AI analyzes API events in real time.

Try the Falcon platform today to enrich your endpoint and workload telemetry with actionable security insights. Start your free trial of the Falcon platform now.

Read the original here:
API Security: 10 Issues and How To Secure - CrowdStrike

Quantum Cryptography and Encryption Market to Garner Brimming … – Chatfield News-Record

The Quantum Cryptography and Encryption Market report aims to provide insight into the industry through detailed market segmentation. The report offers detailed information on the overview and scope of the market along with its drivers, restraints, and trends. This report is designed to include qualitative and quantitative aspects of the industry in each region and country participating in the study.

The report presents a thorough overview of the competitive landscape of the global Quantum Cryptography and Encryption Market and the detailed business profiles of the market's notable players. Threats and weaknesses of leading companies are measured by the analysts in the report using industry-standard tools such as Porter's five forces analysis and SWOT analysis. The Quantum Cryptography and Encryption Market report covers all key parameters such as product innovation, market strategy for leading companies, Quantum Cryptography and Encryption market share, revenue generation, the latest research and development, and market expert perspectives.

Request To Download Sample of This Strategic Report@ https://globalmarketvision.com/sample_request/213457

Key Players Mentioned in the Global Quantum Cryptography and Encryption Market Research Report:

ID Quantique, Qrypt, Single Quantum, Post-Quantum, Crypto Quantique, CryptoNext Security, Quantum Resistant Ledger, InfiniQuant, Agnostiq, ISARA Corporation, KETS Quantum Security, MagiQ Technologies, PQShield, Qabacus, Qaisec, Qasky Quantum Technology

Global Quantum Cryptography and Encryption Market Segmentation:

Market Segmentation: By Type

- Code-Based
- Lattice-Based
- Others

Market Segmentation: By Application

- Financial
- Government
- Military & Defense
- Others

The report provides a good overview of the key macroeconomic factors that have a significant impact on the growth of the Quantum Cryptography and Encryption market. It also provides absolute dollar opportunity analysis, which is essential for identifying revenue-generating and increasing sales opportunities in the Quantum Cryptography and Encryption market. Market players can utilize the qualitative and quantitative analysis provided in the report to fully understand the Quantum Cryptography and Encryption market and make great strides in the industry in terms of growth. The overall size of the Quantum Cryptography and Encryption market and the overall size of each segment studied in the report are precisely calculated based on various factors.

On the basis of geography, the global Quantum Cryptography and Encryption market has been segmented as follows:

COVID-19 Impact

Report covers Impact of Coronavirus COVID-19: Since the COVID-19 virus outbreak in December 2019, the disease has spread to almost every country around the globe with the World Health Organization declaring it a public health emergency. The global impacts of the coronavirus disease 2019 (COVID-19) are already starting to be felt, and will significantly affect the Quantum Cryptography and Encryption Market in 2023.

The outbreak of COVID-19 has brought effects on many aspects, like flight cancellations; travel bans and quarantines; restaurants closed; all indoor/outdoor events restricted; over forty countries state of emergency declared; massive slowing of the supply chain; stock market volatility; falling business confidence, growing panic among the population, and uncertainty about future.

The objectives of the study:

- To provide a detailed analysis of the market structure along with a forecast of the various segments and sub-segments of the global Quantum Cryptography and Encryption Market.
- To provide information on factors affecting the growth of the market.
- To analyze the Quantum Cryptography and Encryption Market based on various factors: price analysis, supply chain analysis, Gate Five force analysis, etc.
- To provide historical and forecast revenue of market segments and sub-segments for four major geographies and their countries: North America, Europe, Asia, Latin America and Rest of the World.
- To provide country-level market analysis relative to current market size and future prospects.
- To provide country-level market analysis for the segment by application, product type and sub-segments.
- To provide a strategic profile of the major market players, deeply analyzing their core competencies and drawing a competitive landscape for the market.
- To track and analyze competitive developments such as joint ventures, strategic alliances, mergers and acquisitions, new product developments, and research and developments in the global Quantum Cryptography and Encryption Market.

Table of Contents:

1 Study Coverage

2 Market by Type

3 Market by Application

4 Global Quantum Cryptography and Encryption Competitor Landscape by Company

5 Global Quantum Cryptography and Encryption Market Size by Region

6 Segment in Region Level & Country Level

7 Company Profiles

8 Industry Chain and Sales Channels Analysis

9 Research Findings and Conclusion

Conclusion: At the end of the Quantum Cryptography and Encryption Market report, all findings and estimates are presented. The report also covers the major drivers and opportunities, together with a regional analysis. Segment analysis is also provided by both type and application.

Request Full Report @ https://globalmarketvision.com/checkout/?currency=USD&type=single_user_license&report_id=213457

If you have any special requirements, please let us know and we will offer you the report at a customized price.

About Global Market Vision

Global Market Vision consists of an ambitious team of young, experienced people who focus on the details and provide information tailored to customers' needs. Information is vital in the business world, and we specialize in disseminating it. Our experts not only have in-depth expertise but can also create a comprehensive report to help you develop your own business.

With our reports, you can make important tactical business decisions with the certainty that they are based on accurate and well-founded information. Our experts can dispel any concerns or doubts about our accuracy and help you differentiate between reliable and less reliable reports, reducing the risk of your decisions. We can make your decision-making process more precise and increase the probability that you reach your goals.

Contact Us

Sarah Ivans | Business Development

Phone: +1 617 297 8902

Phone: +44 151 528 9267

Email: sales@globalmarketvision.com

Global Market Vision

Website: http://www.globalmarketvision.com

Original post: Quantum Cryptography and Encryption Market to Garner Brimming ... - Chatfield News-Record
