"The UK's Online Safety Bill isn't about safety or privacy, it's both."

These were the words Stephen Almond, Director of Technology and Innovation at the Information Commissioner's Office (ICO), used to describe the controversial proposed legislation during a talk at the annual IAPP's conference in London on March 9th.

"What happens when private messages are being asked to be monitored?" was the question raised immediately after by Monica Horten, Policy Manager at UK-based digital campaigning organization Open Rights Group. She continued by pointing out how breaking into encryption would practically mean "compromising people's privacy."

Tension between public safety and user privacy has been dominating the debate around the new legislation trying to make the internet a safer place, especially for children.

Signal has threatened to quit UK if the Bill becomes law in its current form, while WhatsApp said it would rather face a ban than weaken its security.

Even worse, the UK isn't the only country where end-to-end encryption is under attack.

The European Union is trying to regulate something similar with the so-called Chat Control law, which requires encrypted messaging apps to allow authorities to scan private chats for material related to child abuse or terrorism.

We talked to some of the companies behind some of the most popular encrypted software, like VPN services and secure email providers, to understand what's at stake for the security of their users online. Here's what they said.

By definition, encryption is the process of scrambling data into an unreadable form in order to protect it from unauthorized access. This means that no one, even the provider itself, can see what users send to each other.

It then sounds like an oxymoron the proposal of "scanning private encrypted messages," de-facto annulling what this technology aims to do in the first place.

The reality is that governments have long been seeing encryption as an obstacle to law enforcement investigations.

The idea of a "responsible encryption (opens in new tab)" is something that was coined by US deputy attorney general Rod Rosenstein in 2017. What this means is that using encrypted private chats is OK, but authorities should be able to access those to fight back crime and terrorism - for everyone's sake, of course.

Now, the threats against encryption seem to be as real as never before.

According to the providers behind encrypted services, undermining such a technology isn't going to make the internet safer. Quite the opposite, actually.

"If you don't have encryption, you cannot have privacy when you speak to someone using a device," said Jan Jonsson, CEO at Mullvad, one of the most secure VPN providers on the market. "It's an essential part."

Short for Virtual Private Network, VPNs are based on encryption to secure people's connections and all their data leaving a device. And, even though such a software isn't yet the target of these regulations, Jonsson thinks they could potentially become in the future.

All the providers we talked to also believe that undermining encryption will consequently compromise the values upon which worldwide democracies are based on.

This could ultimately make the lives of citizens more unsafe, building up the base for a blanket mass surveillance society.

"It's overwhelming how politicians in the in the 21st century still think that we need to have the Crypto Wars, still need to break encryption and still haven't understood how important the right to privacy is for a democracy," the founder of encrypted email provider Tutanota, Matthias Pfau, told TechRadar.

Jonsson from Mullvad also argued that a lack of privacy could end up halting the process of development in a democratic country - as much offline as it is online.

"If you have the right to privacy in your home, you should also have the possibility to have a private room on the Internet," he said. "It doesn't make any sense to have two different views and laws between online and offline. It isn't going to work.

"There are only two reasons to promote such laws. Either politicians don't know what they are doing, or that's just an excuse to monitor the whole population."

Another point critics have been stressing is the degree of effectiveness of such a system in practical terms.Providers repeatedly pointed out the concrete possibility for criminals to find ways around this.

"It's like trying to put a genie back in its bottle," Matthew Hodgson, CEO and CTO at UK-based secure communications company Element, told TechRadar. "You cannot try to legislate encryption and, if you do, it will just make life miserable and unsafe for your citizens. Meanwhile, everybody else will just ignore it and keep using encryption anyway via an illegal app."

Put it simply, bad actors will always find a way to break the rules.

Those engaging in illegal activities online will find a way to keep doing so, and commentators are also warning of the danger of creating a backdoor into encrypted communication.

On this point, Pfau from Tutanota said: "We have to keep in mind that aggressors are becoming more and more competent, especially given the threats from Russia and China. If we break the encryption in countries like the UK, then we will open the doors for these aggressors and there will be no means to defend our digital life."

That's something Hodgson is particularly worried about, too.

Element is a company providing decentralized encrypted communication systems to organizations seeking to run their own alternatives to Signal, Slack or other mainstream services. Due to its highly customizable and secure software, it's especially popular among governmental bodies including the Ministry of Defense in Ukraine.

"You've basically done the work for the enemy. They can just break into the moderation system, or they can pay off one of the moderators, and suddenly they have access to all of this incredibly sensitive information that otherwise they would never have been able to get," he said.

"This is the key example of why undermining the encryption in order to chase the bad guys actually gives the bad guys a really good route for going attacking the good guys."

Even worse than individual exploiting backdoor into encryption for their own gain, authoritarian countries around the world could draw inspiration from the UK and the EU for developing a similar system.

And, even if we want to believe the benevolent intentions of Western democracies, who's going to vouch for Iranian, Russian or Chinese authorities on the matter?

"It's an incredibly destructive, dangerous piece of technology," said Hodgson. "Not only does it search for child abuse and terrorism, but perhaps it couldalso look for ethnic traits. And, before you know it, you've created a system for racial profiling or worse.

"So, even if the UK's intentions are benign, the precedent it sets and the technology it uses will absolutely be used for controlling populations and enabling human rights abuses of the worst possible kind."

Being that the risk of compromising encryption seems to overcome the benefits, experts believe that other solutions might be more doable instead - especially around child abuse.

Either politicians don't know what they are doing, or that's just an excuse to monitor the whole population.

For instance, Jonsson from Mullvad believe that investing in more police officers and teachers trained to cope with these incidents would create a better environment for both persecuting perpetrators and supporting victims.

Also, being that in the UK the numbers of child abuse perpetrators have increased dramatically (opens in new tab), Hodgson from Element believes that the problem should be address at its roots, instead of finding additional ways to investigate.

"The solution is not to go and put a CCTV camera in everyone's bedroom in case they do something illegal," he said. "I would argue that you can still do a lot of infiltration and frankly education, because it's clearly a social problem. What you don't do is blanket surveillance."

While were waiting to see how the Online Safety Bill saga will end up, providers are getting ready to face the worse.

Signal said it would leave the UK if it was required to undermine encryption. Other services like WhatsApp and Tutanota are opting for a different route instead: waiting for the government to block their service for not obeying with the new law.

"By not complying, we want to force the UK government to actively block access to the service if they want to go through with it," said Pfau, arguing that many services are likely to take a similar stance.

"In the end, the UK will need to put up a firewall, just like China, to make sure that their citizens can't have secure communication."

Outside the Great Britain, Mullvad is investing money and energy to raise awareness around the risks of the EU Chat Control.

The VPN provider sent over 300 emails to politicians and journalists. Last week, it put up banners in Stockholm airport so that politicians could see it right after they landed before voting on the regulation. Other posters have been spreading around the streets of both Stockholm and Guttenberg, too.

"Mullvad is usually a very silent company. This is probably the first time we really got mad enough to speak out," said Jonsson. He doesn't exclude extending the campaign to other European countries as well if needed.

A more positive take comes from Andy Yen, Proton's founder and CEO behind both the encrypted ProtonMail and Proton VPN, who claimed to be confident that following further debates "these proposals will probably become moderated."

"If you look at the latest version of the Online Safety Bill, it's already significantly improved from the first version. This is why I think that more effort on the public policy side can yield results. That's something we watch carefully," he said.

"We're not going to compromise encryption, and being based in Switzerland gives us a little bit of extra protection to continue defending encryption, even in the face of such threats."

Read this article:
Encryption is under attack, and the Online Safety Bill isn't the only culprit - TechRadar

According to Gartner, 75% of the global population will have its personal data covered under privacy regulations by the end of 2024. And in their latest information security and risk management study, Gartner identifies Zero Trust Network Access (ZTNA) as the fastest-growing segment in network security, forecast to grow 31% in 2023 and propelled by the rise in remote workers. Hybrid work is a fact of life and expected to be served predominantly by ZTNA versus VPN services.

Compliance and ZTNA are driving encryption into every aspect of an organizations network and enterprise and, in turn, forcing us to change how we think about protecting our environments.

Unintended consequences

ZTNA is great for security in one aspect, providing greater control over movement and access as the Atomized Network continues to grow and applications and people are everywhere. Instead of authenticating once and then getting relatively open access to resources and devices on a network, zero trust is about authenticating and receiving a set of permissions and authorization for explicit access. However, ZTNAs use of encryption to secure all connections, regardless of where they reside in the infrastructure, is creating massive issues in another aspect of security. As Ive discussed before, encryption is blinding many of the network visibility and security tools we have traditionally used for enterprise protection.

Organizations that decide to use secure access service edge (SASE) platforms to manage ZTNA, also sacrifice a degree of visibility for the sake of authentication and encryption. With SASE, authentication and authorization is managed when users connect to their providers dedicated cloud. From a user perspective the experience is fairly seamless, but security teams tell us they dont have what they need to do their jobs. Typically, they are only able to view authentication logs and access logs, so they cant see what is happening in real-time across that cloud environment.

Even when an organization doesnt go the zero trust route because it may be overkill for their environment, they still implement encryption for data privacy and protection reasons. The highest level of encryption is used not just for internet-facing hosts, but also internally to secure data at rest and in transport.

The risk paradox

As encryption becomes pervasive, organizations are adding complexity for security teams to do things like troubleshooting and threat hunting. The combined impact of encryption and the atomization of networks is deprecating a lot of the legacy tools that use deep packet inspection (DPI) and packet capture technologies, making them significantly more expensive and complex to deploy and manage.

The traditional thought process is that in order to detect and respond we have to see everything, which means we have to decrypt everything. Sure, decryption is possible, but it doesnt scale anymore. In a dispersed and ephemeral environment with no defined perimeter, putting an appliance in the middle to do decryption is getting harder and harder to do. We have more traffic to decrypt, more certificates to manage, and any point at which we break encryption for detection and response is another point at which we are potentially exposing sensitive data. In an effort to keep our networks secure, we are elevating our risk profile.

Network security without breaking decryption

The time has come to reimagine our approach to network security so we can see what is going on and detect and respond to threats without introducing additional risk.

Join us as we decipher the confusing world of zero trust and share war stories on securing an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.April 12, 2023 Register

A lot of machines have endpoint detection response (EDR) agents installed on them that provide visibility into hosts on the network and local processes. However, not every networked device in an environment is capable of supporting an agent, and EDR doesnt provide visibility into network traffic in real-time. Thats where metadata in the form of flow data comes in. Theres no need to capture and inspect every packet to view and monitor network traffic for detection and response. Metadata is widely available across your multi-cloud, on-premises, and hybrid environment and when enriched with context provides high-level real-time visibility into traffic across the Atomized Network.

Collectively, EDR and metadata provide a good picture of whats on the network, what its doing, and whats happening to it and can detect most attacks without breaking encryption. In cases where we see anomalous behavior that requires a deeper dive, we can narrow the scope of what we are looking at and narrow decryption. By changing procedures to only decrypt when necessary, we can reduce our risk profile accordingly while minimizing cost and complexity.

It turns out encryption and zero trust arent breaking key protections. Instead, they are forcing an inevitable change for the better. Organizations can move away from 100% decryption, which doesnt scale anymore and introduces risk, enjoy the benefits of ZTNA and encryption, and still get comprehensive visibility and the coverage needed to protect their Atomized Network.

Related: Cyber Insights 2023 | Zero Trust and Identity and Access Management

View post:
Are Encryption and Zero Trust Breaking Key Protections? - SecurityWeek

Minneapolis Public Schools acknowledged Friday that some personal data was leaked to the dark web as a result of a cyberattack the district experienced in late February.

In an update on the Minneapolis Public Schools website, the district said officials are "working with cybersecurity specialists to quickly and securely download the data" to determine the "full scope of what personal information was impacted" and to whom it belongs. The dark web is an area of the internet that is not indexed and often is associated with criminal activity.

This review will take time, officials said, and the district will directly contact anyone whose data has been shared.

"You will receive both an email and a mailed letter to ensure communication is completed," the district said. "We are offering all potentially affected individuals free credit monitoring and identity protection services through Experian."

District officials declined to comment further Friday.

Cyberattacks are a growing threat to school districts, which have seen their insurance premiums rise in recent years. Experts note schools often have thousands of devices used by students and staff who could click on anything. That, combined with budget crunches that lead to slim IT departments, can make them more vulnerable.

The Minneapolis district has not said exactly how its breach occurred.

It revealed its troubles in a Feb. 21 statement noting that technical difficulties had temporarily disabled some district computer systems. But students were not in school buildings Feb. 22-24 because of a snowstorm, and the district said e-learning wouldn't be affected.

On Feb. 24, the district started referring to the technology trouble as an "encryption event," encouraging people to change their passwords on district devices as a "best practice and out of an abundance of caution." Officials said they had no evidence that personal information had been compromised.

On March 7, the district told families that a "threat actor" had claimed responsibility for the encryption event and had posted some Minneapolis Public Schools data online.

A ransomware group called Medusa claimed responsibility for the cyberattack, posted a video online and demanded a $1 million ransom.

That video, which since has been removed, showed screenshots of a variety of information, including spreadsheets that appeared to list student names and addresses, disciplinary information and forms that could contain sensitive employee information, such as W-2s. Other images appear to show lesson plans, enrollment projections and district forms and policy documents.

The district has said it reported incidents related to the cyberattack to law enforcement and families were told to be cautious about scams.

Families can take several steps to monitor and protect their information, in addition to changing passwords, such as using multifactor authentication on accounts when possible, monitoring credit reports and freezing credit files. More information about preventing identity theft is available at usa.gov/identity-theft.

Staff writer Mara Klecker contributed to this report.

Continued here:
Minneapolis schools report that data was posted on dark web after ... - Star Tribune

JSON web tokens (JWTs) are great they are easy to work with and stateless, requiring less communication with a centralized authentication server. JWTs are handy when you need to securely pass information between services. As such, theyre often used as ID tokens or access tokens.

This is generally considered a secure practice as the tokens are usually signed and encrypted. However, when incorrectly configured or misused, JWTs can lead to broken object-level authorization or broken function-level authorization vulnerabilities. These vulnerabilities can expose a state where users can access other data or endpoints beyond their privileges. Therefore, its vital to follow best practices for using JWTs.

Knowing and understanding the fundamentals of JWTs is essential when determining a behavior strategy.

JWT is a standard defined in RFC 7519, and its primary purpose is to pass a JSON message between two parties in a compact, URL-safe and tamper-proof way. The token looks like a long string divided into sections and separated by dots. Its structure depends on whether the token is signed (JWS) or encrypted (JWE).

JWS Structure

JWE Structure

The short answer is that it depends. The security of JWTs is not a given. As mentioned above, JWTs are often considered secure because they are signed or encrypted, but their security really depends on how they are used. A JWT is a message format in which structure and security measures are defined by the RFC, but it is up to you to ensure their use does not harm the safety of your whole system in any way.

Should they be used as access and ID tokens?

JWTs are commonly used as access tokens and ID tokens in OAuth and OpenID Connect flows. They can also serve different purposes, such as transmitting information, requesting objects in OpenID Connect, authenticating applications, authorizing operations and other generic use cases.

Some say that using JWTs as access tokens is an unwise decision. However, in my opinion, there is nothing wrong if developers choose this strategy based on well-done research with a clear understanding of what JWTs essentially are. The worst-case scenario, on the other hand, is to start using JWTs just because they are trendy. There is no such thing as too many details when it comes to security, so following the best practices and understanding the peculiarities of JWTs is essential.

JWTs are by-value tokens containing data intended for the API developers so that APIs can decode and validate the token. However, if JWTs are issued to be used as access tokens to your clients, there is a risk that client developers will also access this data. You should be aware that this may lead to accidental data leaks since some claims from the token should not be made public. There is also a risk of breaking third-party integrations that rely on the contents of your tokens.

Therefore, it is recommended to:

Should they be used to handle sessions?

An example of improper use of JWTs is choosing them as a session-retention mechanism and replacing session cookies and centralized sessions with JWTs. One of the reasons you should avoid this tactic is that JWTs cannot be invalidated, meaning you wont be able to revoke old or malicious sessions. Size issues pose another problem, as JWTs can take up a lot of space. Thus, storing them in cookies can quickly exceed size limits. Solving this problem might involve storing them elsewhere, like in local storage, but that will leave you vulnerable to cross-site scripting attacks.

JWTs were never intended to handle sessions, so I recommend avoiding this practice.

JWTs use claims to deliver information. Properly using those claims is essential for security and functionality. Here are some basics on how to deal with them.

It is important to remember that incoming JWTs should always be validated. It doesnt matter if you only work on an internal network (with the authorization server, the client and the resource server not connected through the internet). Environment settings can be changed, and if services become public, your system can quickly become vulnerable. Implementing token validation can also protect your system if a malicious actor is working from the inside.

When validating JWTs, always make sure they are used as intended:

The registry for JSON Web Signatures and Encryption Algorithms lists all available algorithms that can be used to sign or encrypt JWTs. It is also very useful to help you choose which algorithms should be implemented by clients and servers.

Currently, the most recommended algorithms for signing are EdDSA or ES256. They are preferred over the most popular one, RS256, as they are much faster than the well-tried RS256.

No matter the token type JWS or JWE they contain an alg claim in the header. This claim indicates which algorithm has been used for signing or encryption. This claim should always be checked with a safelist of algorithms accepted by your system. Allowlisting helps to mitigate attacks that attempt to tamper with tokens (these attacks may try to force the system to use different, less secure algorithms to verify the signature or decrypt the token). It is also more efficient than denylisting, as it prevents issues with case sensitivity.

One thing to remember about JWS signatures is that they are used to sign both the payload and the token header. Therefore, if you make changes to either the header or the payload, whether merely adding or removing spaces or line breaks, your signature will no longer validate.

My recommendations when signing JWTs are the following:

Symmetric keys are not recommended for use in signing JWTs. Using symmetric signing presupposes that all parties need to know the shared secret. As the number of involved parties grows, it becomes more difficult to guard the safety of the secret and replace it if it is compromised.

Another problem with symmetric signing is that you dont know who actually signed the token. When using asymmetric keys, youre sure that the JWT was signed by whoever possesses the private key. In the case of symmetric signing, any party with access to the secret can also issue signed tokens. Always choose asymmetric signing. This way, youll know who actually signed the JWT and make security management easier.

API security has become one of the main focuses of cybersecurity efforts. Unfortunately, vulnerabilities have increased as APIs have become critical for overall functionality. One of the ways to mitigate the risks is to ensure that JWTs are used correctly. JWTs should be populated with scopes and claims that correspond well to the client, user, authentication method used and other factors.

JWTs are a great technology that can save developers time and effort and ensure the security of APIs and systems. To fully reap their benefits, however, you must ensure that choosing JWTs fits your particular needs and use case. Moreover, it is essential to make sure they are used correctly. To do this, follow the best practices from security experts.

Here are some additional guidelines:

Read more from the original source:
JWTs: Connecting the Dots: Why, When and How - The New Stack