Category Archives: Encryption
Hardening data security in the cloud – The Register
Sponsored Feature: As enterprises continue to migrate applications into the cloud, security concerns about the data those workloads store and process are inevitable. But how can IT departments be certain that sensitive information covered by stringent data protection laws, hosted in public, private and hybrid cloud environments spanning multiple servers and locations, is adequately protected from both internal and external threats?
One potential answer is Confidential Computing, which isolates data within an encrypted portion of a server's memory to make sure it cannot be accessed or tampered with. Predictions from the Everest Group published last year indicate that demand for confidential computing solutions will grow at a compound annual growth rate (CAGR) of 90-95 percent over the next five years to be worth US$54bn by 2026.
That momentum is partly down to the Confidential Computing Consortium, a community of suppliers at the Linux Foundation focussed on projects securing data in use and accelerating the adoption of confidential computing through open collaboration.
Intel is a key member of the Consortium, and provides its own approach to Confidential Computing through the Intel Software Guard Extensions (Intel SGX) embedded within its latest generation Intel Xeon server chips. These establish isolated enclaves, or a Trusted Execution Environment (TEE), within memory. Inside an enclave, designated application code and sensitive data are protected and out of view of both internal and external threats. That includes preventing access from other applications running on the system that might be corrupted by malware, which is particularly useful in maintaining data integrity and security in multi-tenanted cloud environments that could be susceptible to insider threats as well as external cyber attacks.
"By isolating data within a CPU during processing, those CPU resources are only accessible to authorized programming code; they are isolated from everything and anyone else," explains Paul O'Neill, Intel director of strategic business development and confidential computing.
"As a result the data is not readable by human admins as well as the cloud providers' hypervisors, other tenants or the operating system. So you no longer have to trust the cloud provider's security even if they were corrupted and intentionally malicious."
Sensitive code and data outside the enclave are encrypted, and only decrypted once inside the enclave. Results or data created by the application running within the TEE are encrypted again when they leave the enclave, to make sure they remain confidential at all times.
Intel SGX offers an additional layer of protection beyond data and application isolation inside the TEE. The remote attestation function verifies that a cloud user's SGX-enabled application can be trusted. Attestation provides cryptographic assurance that the enclave is running on a genuine Intel SGX-enabled platform, that the processor's microcode security patches are up to date, and that the application software is exactly what the user authorized. With this assurance, confidential data can be released into the enclave. Pre-examining the security status of a remote server is a necessary precaution that every device, application and process should take when seeking to connect, and the Intel SGX remote attestation feature provides a hardware-protected method for this important step.
Financial services to the fore
Any guarantee of trust and data integrity is an attractive option for public and private sector organisations which routinely share and process sensitive, personally identifiable information (PII) tightly regulated by national and regional data protection regulations including those in financial services, healthcare and retail.
"The early adopters of Confidential Computing, and Intel SGX, are financial services and healthcare organizations ready for complex computing. The reason for that is twofold," says O'Neill.
"One is that they are dealing with the most sensitive datasets, and the second is that they need to harness the economics of the cloud".
Confidential Computing is starting to allow banks, insurance companies and other financial institutions to take sensitive datasets into the cloud, once an unthinkable prospect for such sensitive data. Once there, they can safely harness the scale of the cloud's massive compute resources and apply artificial intelligence and machine learning (AI/ML) analytics to workloads like Anti Money Laundering (AML), credit qualification, market rate calculations, credit scores, loan fulfilments and Know Your Customer (KYC), all workloads which they have previously struggled to migrate due to the privacy regulation and security concerns involved.
A global reinsurance provider uses data analytics to pull more meaningful insight from the large volumes of data it collects to build more accurate risk profiles for its global customer base. It recently built a Trusted Execution Environment based on Intel SGX to protect the data being processed by the machine learning algorithms that form the basis of its calculation models.
Collecting constantly updated information from other companies in its supply chain (in this case shipping firms, logistics suppliers and port authorities) makes it hard for the firm to share and access data securely. But encrypting it in hardware-protected memory provided the assurance it needed to process new, more sensitive data sets.
A UK bank also used Intel SGX to improve its KYC processes. KYC is used to verify the identity of banking customers, typically performed via credit agencies which broker PII to limit the risk of fraud and comply with AML and Counter Terrorism Financing rules and regulations. But this can be an expensive, time consuming and ineffective approach overly reliant on manual processes.
The bank digitised its KYC with Intel SGX, applying ML to sensitive data protected in the Confidential Computing enclave to help it detect and reduce AML fraud. The project also allowed it to build more accurate customer profiles that could help it pursue new streams of revenue through targeted promotions.
Perhaps more importantly, the pilot showed how Intel SGX has the potential to fundamentally alter the way that financial services companies access shared information, without negatively impacting the customer experience while simultaneously meeting compliance obligations.
The economics of cloud ML
Most financial services organizations are moving increasingly large volumes of data, applications and services into the cloud as they seek to streamline their Open Banking operations and compete with more nimble Fintech start-ups. Getting access to the vast amounts of powerful compute resources available off-prem can help significantly scale up their data analytics activity.
A case in point is homomorphic encryption, long used to enable complex financial transactions to be performed using encrypted data, meaning operations could be shifted off-prem into the cloud. The trouble, explains O'Neill, is that it struggles to scale on existing architectures, which makes for an expensive IT overhead that Confidential Computing and Intel SGX can help to bring down.
"At the end of the day it comes down to economics, because scalability is super important. Confidential Computing and Intel SGX offer scalable data protection across a wide range of use cases," he points out.
Without scalability, banks can struggle to process enough secure data quickly to give them the insight that underpins the use cases they require. This was initially a problem for the UK bank. The smaller enclave size on previous generations of Intel Xeon E3 CPUs limited the volume of encrypted data which could be stored and processed in protected memory. But the latest 3rd Generation Intel Xeon Scalable components offer much greater scalability, which offers the potential to open up some exciting new financial services use cases.
The other advantage of performing secure ML operations in the cloud stems from the shift to an opex rather than capex investment. That brings secure, cloud-based data analytics and processing within reach of smaller organizations that would otherwise struggle to find the budget to build out their own compute infrastructure.
Cloud computing is already a mainstay in the enterprise, with adoption of public and hybrid clouds continuing to increase. Confidential Computing today leans toward the public cloud, but the volume and diversity of cloud platforms and services available (public, hybrid and private, for example) mean that solutions like Intel SGX must be adaptable to suit different architectures and processes to meet customer preferences in a broader range of industries and use cases.
Supporting data sovereignty
Other interesting AI/ML workloads which can benefit from Confidential Computing include the training of sensitive video footage collected from cars to enable autonomous driving algorithms.
"Think of a camera on a car driving around, and it's capturing people's faces, registration plates, addresses on doors etc. Because autonomous driving is safety critical, obfuscating that data is not the best idea," says O'Neill.
"So encrypting that data and taking it into the cloud, and AI training on encrypted data is a massive step forward and that is where SGX can play a key role."
In that example the organization doesn't need the permission of the individual to use their private data, but it does still have to protect it while being simultaneously liable to regulatory fines in the event of data leaks or breaches.
Another deployment comes from the German government, which recently moved to build Confidential Computing-enabled services for centralized healthcare, a project that also touches on data sovereignty and shows how Intel SGX can protect citizens' private data when it's stored in the cloud.
"Confidential Computing enables three things. The first is obviously data privacy. Because the data is encrypted it is secure by design and meets the principles of the GDPR," says O'Neill, which gives enterprises using Intel SGX a significant advantage as they seek to demonstrate compliance.
"It also provides privacy, since it creates an environment that is confidential, even in a multi-tenant cloud scenario. And the third key piece is integrity: the concept of knowing that the compute environment is defended by the latest Intel-approved security updates and patches, and that certain algorithms are only allowed to do certain things."
Recruiting more software developers
There is already a large ecosystem of Intel partners building what O'Neill calls privacy-enhancing applications on top of SGX, each of which uses either the Intel SGX software development kit (SDK) or a library OS. Intel is a major contributor to Gramine, an open source project that enables developers to run unmodified Linux applications in SGX enclaves, first outlined by Intel CTO Greg Lavender in May this year. Gramine is important because it provides a 'push button' method for developers to protect applications and data using SGX more easily, without having to modify their code.
Intel hopes this will help to expand the number of developers building applications for SGX, particularly when it comes to embedding encryption/decryption and other security functions.
"Between the many ready-to-deploy Confidential Computing solutions from the ecosystem and availability of Gramine and other Library OSs, organizations don't need to develop new applications from scratch using the Intel SGX SDK," concludes O'Neill. "With the software solutions available today, Confidential Computing is not only for the security architects but also the data scientists and other service and solution developers that want to add confidentiality, privacy and compliance to their favourite AI/ML frameworks and utilise AI/ML with the protection of confidential computing more easily."
Sponsored by Intel.
Matrix patches five vulnerabilities in its end-to-end encryption – SC Media
Matrix recently patched five vulnerabilities in its end-to-end encryption, two of them critical, that have the ability to break the confidentiality and authentication of messages.
If not patched, these vulnerabilities would let a malicious server read user messages and impersonate devices.
Matrix manages some 100,000 servers worldwide. Its technology delivers a federated communication protocol that lets clients with accounts on Matrix servers exchange messages. Matrix provides simple HTTP APIs and SDKs that help developers create chatrooms, direct chats and chat bots, complete with end-to-end encryption, file transfer, synchronized conversation history, formatted messages, and read receipts.
The vulnerabilities were discovered by security researchers at Royal Holloway University London, University of Sheffield, and Brave Software and then published in an 18-page academic paper. According to a blog posted by Matrix, the two critical vulnerabilities include the following:
Eric Cole, advisory board member at Theon Technology, said this teaches us two important lessons. First, encryption software must have more rigorous testing than other software. Second, unpatched systems are still one of the top methods attackers use to compromise servers even with encryption software, so it's important to patch, patch, patch.
While it appears that this has been caught before it has been used in the wild, it is important to remember that we just do not know, Cole said. Attackers are clever, attackers can hide their tracks and attackers can use delay methods to make it harder to detect. It appears this was caught early enough, but proper investigations of potentially infected users should still be performed.
The 2nd Annual Encryption Consulting Conference is Back! – PR Newswire
"A leading cryptography event delivering on key topics to secure and protect data information."
PROSPER, Texas, Oct. 4, 2022 /PRNewswire/ -- Encryption Consulting LLC specializes in assessing, strategizing, and building trusted protection plans for our clients. This year we host our second annual conference where we focus on hosting an event that highlights and discusses industry topics amongst the most expert speakers and notable organizations.
This event is for anyone with a desire to learn more about cryptography, PKI, Encryption, Data Protection, Cloud Key management, and other related topics. Our speakers range from leading global organizations and partners such as Thales, Protegrity, Anjuna, and more. Have your questions answered by speakers at our live Q&A.
The 2nd Annual Encryption Consulting Conference is Back!
Join us for this free 2-day virtual event happening from November 3 - 4. To register and learn more about the program and event details please visit the link below.
https://hopin.com/events/encryption-consulting-conference-2022/registration
See you there!
Contact: Puneet Singh, CEO & President, [emailprotected], 469-400-7592
SOURCE Encryption Consulting
China upgrades Great Firewall to defeat censor-beating TLS tools – The Register
China appears to have upgraded its Great Firewall, the instrument of pervasive real-time censorship it uses to ensure that ideas its government doesn't like don't reach China's citizens.
Great Firewall Report (GFW), an organization that monitors and reports on China's censorship efforts, has this week posted a pair of assessments indicating a crackdown on TLS encryption-based tools used to evade the Firewall.
The group's latest post opens with the observation that starting on October 3, more than 100 users reported that at least one of their TLS-based censorship circumvention servers had been blocked. The TLS-based circumvention protocols that are reportedly blocked include trojan, Xray, V2Ray TLS+Websocket, VLESS, and gRPC.
Trojan is a tool that promises it can leap over the Great Firewall using TLS encryption. Xray, V2ray and VLESS are VPN-like internet tunneling and privacy tools. It's unclear what the reference to gRPC describes, but it is probably a reference to using the gRPC Remote Procedure Call (RPC) framework to authenticate client connections to VPN servers.
GFW's analysis of this incident is that blocking is done by blocking the specific port that the circumvention services listen on. When the user changes the blocked port to a non-blocked port and keeps using the circumvention tools, the entire IP address may get blocked.
Interestingly, domain names used with these tools are not added to the Great Firewall's DNS or SNI blacklists, and blocking seems to be automatic and dynamic.
"Based on the information collected above, we suspect, without empirical measurement yet, that the blocking is possibly related to the TLS fingerprints of those circumvention tools," the organisation asserts.
An alternative circumvention tool, naiveproxy, appears not to be impacted by these changes.
Earlier in the week, Great Firewall Report also posted analysis asserting China has barred google.com and all of its subdomains.
Which is an odd thing to say given that China started blocking Google in 2010, and Greatfire.org, another service that monitors China's internet censorship, says Google and its online services, including YouTube and Google.com, are 100 percent blocked in China, and have been blocked for ages. Google.cn redirects to Google.com.hk in Hong Kong, but even that .hk domain is blocked these days in mainland China along with the .com.
It's also hard to reconcile Great Firewall Report's assertion with Google's decision from earlier this week to discontinue availability of its online translation service in China due to Beijing's censorship.
Inconsistencies aside, Great Firewall Report asserts it has spotted a new effort to suppress access to Google.
"The censors," we're told, "first started Server Name Indication (SNI)-based censorship on google.com and *.google.com on Thursday, September 22, 2022, sometime between 6:23 AM and 7:33 PM Beijing Time (UTC+8). Specifically, the censor looks for SNI values in Transport Layer Security (TLS) ClientHello messages, and when a SNI value matches the blacklist rules, the censor sends forged TCP RST packets to tear down the connections."
Eight days later, domain name system filtering kicked in to block queries and hamper access to any Google domain. Great Firewall Report believes 1,147 google.com domains are now blocked in China even though they were probably blocked already in some way or another. This may be another or updated filtering mechanism deployed by Beijing.
SNI, for what it's worth, is used by browsers connecting to a web server using TLS (HTTPS) to specify the domain of the website the user wishes to visit. A server can handle multiple sites from one IP address, and SNI is used to select the site the person wants. SNI is typically sent non-encrypted, prior to the establishment of encryption between the browser and server, so it's ripe for government snoops to detect and use to censor unwanted connections.
It's not hard to guess why China might have chosen this moment to upgrade the Great Firewall: the 20th National Congress of the Chinese Communist Party kicks off next week. The event is a five-yearly set piece at which Xi Jinping is set to be granted an unprecedented third five-year term as president of China.
The Congress takes place amid a slowing economy, and strict zero-COVID policies that have frustrated China's citizenry. While dissent has been limited to occasional online rumblings, China will not want its internet to carry anything other than good (no, brilliant!) news of the Congress to its people.
ioSafe Introduces Air-gapped Cybersecurity to Isolate Encrypted Data in Its Solo G3 Secure External Hard Drive – Business Wire
VANCOUVER, Wash.--(BUSINESS WIRE)--Already the recognized leader in onsite data protection, ioSafe today introduced air-gapped cybersecurity capability in its ioSafe Solo G3 Secure external hard drive. The Solo G3 Secure drive contains an impenetrable barrier between a computer and the ioSafe Solo G3 Secure storage device. This feature delivers the most sophisticated protection available in a fireproof and waterproof drive.
"ioSafe continues to innovate to extend its industry-leading fireproof and waterproof data protection solutions," said Randal Barber, CEO of ioSafe parent company CDSG. "Combined with its renowned and unprecedented time-to-recovery, businesses and government agencies, media companies and creative professionals can restore massive amounts of data without loss even if a disaster should occur."
With the Solo G3 Secure, a user authorizes computer access to the self-encrypting drive using a smartphone app via Bluetooth. Without access authorization, the drive is invisible to the computer, and data is protected from cyberattack as well as fire and water. The authorized user must stay within 10 feet of the Solo G3 Secure or the connection to the computer is lost. In addition, after ten incorrect or unauthorized entry attempts, the drive is wiped.
The ioSafe Solo G3 Secure contains a FIPS 140-2 Level-3 validated self-encrypting drive, which uses XTS-AES 256-bit full-disk hardware encryption.
The new ioSafe Solo G3 Secure is available immediately in 2TB (MSRP $499) and 4TB (MSRP $649) options with USB 3.2 gen 1 connectivity (5 Gbps). The devices include a two-year hardware warranty and two years of Data Recovery Service. Customers may order products through iosafe.com or standard distribution channels.
For more information, visit https://iosafe.com/products/solo-g3-secure/ and iosafe.com.
About ioSafe
ioSafe is a brand of the CDSG family, renowned for its role in secure data storage and data transport for governments, military organizations, creative professionals, and businesses worldwide. ioSafe's patented fireproof and waterproof data storage technology, and its comprehensive Data Recovery Service, provide peace of mind. ioSafe customers know their data is always protected, and should the unthinkable happen, they are back up and running faster than any other available solution.
ioSafe products are designed and developed in the United States. Businesses, individuals, and government agencies globally rely on ioSafe to protect their data from disasters caused by fire and flood, and broken plumbing.
ADVA launches Adva Network Security for network protection from cyberattacks – LightWave Online
ADVA (FSE: ADV) says it has pooled its network security expertise to create Adva Network Security. The new company will develop, produce, and integrate encryption technology to protect communications networks from cyberattacks.
The new company is seen as a complement to ADVA's networking technology portfolio. Adva Network Security will have its own IT infrastructure and secure data center facilities in Germany and will collaborate with national security organizations on its mission, ADVA says.
"The network security landscape is more dangerous and difficult to navigate than ever before, and that's before we even consider the threat of quantum computer attacks appearing on the horizon. By creating Adva Network Security as a separate entity, we're empowering businesses and governments to confront this most urgent issue. Through our new company, we're enabling customers to comprehensively address the data vulnerability crisis that threatens every aspect of our lives," commented Christoph Glingener, CEO of ADVA. "Adva Network Security encryption technology has been tested by the most experienced and competent experts. It secures even the fastest data connections with the lowest latency, protecting communications without compromising the transmission quality."
Michael Roth, most recently vice president R&D NMS, planning, CP at ADVA, will serve as general manager of Adva Network Security. "By creating Adva Network Security, we're ensuring that networks can deliver new levels of protection to safeguard ever-more sensitive communications such as national security services. We live in a world where the value of information is increasing. At the same time, criminal hackers and unfriendly government actors have unprecedented financial resources at their disposal. Our new independent organization of highly specialized security experts will provide protection for the most sensitive data in motion at every network layer," said Roth.
Adva Network Security will build on the optical transport encryption capabilities ADVA has developed (see, for example, "ADVA launches ConnectGuard Cloud for virtualized encryption in hybrid and multi-cloud environments," "ADVA adds encryption to FSP 150 demarcation device," and "ADVA FSP 3000 ConnectGuard offers post-quantum cryptography security"), including the parent company's work in quantum encryption (see, for example, "Utility Schleswig-Holstein Netz, ADVA field trial quantum security over aerial fiber").
What Does SSL Stand For? A 10-Minute Look at the Secure Sockets Layer – Hashed Out by The SSL Store
What's SSL? SSL, or secure sockets layer, is the standard technology used to secure online communications. Let's take a quick look at what SSL is and what it does to enable your secure transactions online.
You know when you go to a website and see a padlock icon in your browser's address bar? That means the website is using SSL, or secure sockets layer. SSL secures your communication with the website so hackers can't eavesdrop and see your credit card number or password.
(Technically speaking, SSL is an outdated term because it's been replaced by a very similar but updated technology known as transport layer security, or TLS. But people still like to use the term SSL because it's been around longer and, therefore, is easier to remember.)
Today, we're taking a step back from more in-depth technical articles to take a quick look at the basics: what does SSL stand for? What is SSL? How does it work? And, of course, how can you protect your own website with SSL?
Let's hash it out.
SSL stands for secure sockets layer. In the simplest terms, SSL is a technology that's commonly used to securely send data (for example credit cards or passwords) between a user's computer and a website. The term also describes a specific type of digital certificate (SSL certificate) that companies use to prove they own their domain. (We'll speak more about that a little later.)
SSL is a protocol (i.e., a set of rules computer systems follow when communicating with each other) that was created in the 1990s to allow web browsers to securely send sensitive info to/from a website. Nowadays, however, we rely on transport layer security (TLS) to handle these tasks, but the term SSL has stuck around and that's the term most people use. We'll talk more about SSL certificates and TLS a little later in the article. But just note that since you'll commonly see SSL or SSL/TLS being used interchangeably across the internet, we're just going to use the term here as well to keep things simple.
If you're looking for a quick rundown of what SSL is and why it's important, check out our TL;DR overview section.
If you want to learn how to enable SSL/TLS on your website, just click on this link and we'll take you to that section of the article. But if you're interested in learning more about what SSL/TLS does and how you use it, then keep reading.
The answer to this question is easy: your browser will tell you, usually in at least two ways:
The good news is that more and more websites are using SSL to keep site visitors like you and me secure. W3Techs reports that HTTPS is the default protocol for 79.6% of all websites. This is up from around 75% back in September 2021. Nice, looks like we're moving in the right direction.
Here's a quick visual comparison of a website that's transmitting via a secure HTTPS protocol (using SSL/TLS) versus one that's using the insecure HTTP protocol:
If the website is using HTTP, this means that any data sent from your browser to the server hosting the website risks being read, modified, or stolen in transit. As a website owner, it's really bad news for you and your customers because it means their data is exposed and you may be liable for not securing it in the first place.
Now that you understand the basics of what SSL stands for and what it does, let's take a brief look under the hood. How exactly does SSL protect website users and data against hackers?
SSL protects data while it's in transit (travelling between the user's browser and the website/web server). There are actually three different things SSL does to protect website users. SSL enables secure authentication, data encryption, and data integrity assurance. This allows you to:
All of these things are made possible through a cryptographic process known as an SSL handshake (AKA TLS handshake). Much like how you introduce yourself to someone and shake their hand, your computer does the same with a website's server:
From there, some other technical steps take place that we aren't going to get into right now. (Check out the previously linked article for a more in-depth look at how different versions of the SSL/TLS handshake work.) Bada bing, bada boom: the end result is that your browser and the website server establish a secure connection through which you can transmit sensitive data (such as using your credentials to log in to a website).
Pretty cool, huh?
Remember how we mentioned an SSL certificate is part of the SSL handshake? Yep, that's a mandatory step: every website needs an SSL certificate before it can enable SSL/TLS. An SSL certificate is a digital file (issued to the website owner by a certificate authority such as DigiCert or Sectigo) that verifies them as the legitimate owner of the website.
What's the point of that? To help you assert your digital identity in a way that other entities (users, browsers, operating systems, etc.) can verify you're legitimate and not an imposter. This way, when a user connects to your website, they know it's legitimate and can establish a secure, encrypted connection.
Here's a quick example of what the SSL certificate looks like for TheSSLstore.com:
For those of you who like a little more technical knowledge about what SSL stands for: the term SSL refers to the technology (cryptographic protocol, or the instructions) that makes secure communications possible. However, people sometimes use the same term to also refer to a type of data file known as an SSL certificate (AKA a TLS certificate). This digital certificate is an X.509 file containing data that ties your or your organization's verifiable information to the domain.
As such, it's also known as a website security certificate because this information (along with other key cryptographic info it contains) helps to increase the security of your website's connections.
Ever visited a website and you weren't sure if it was legitimate or trustworthy? Knowing how to view the details in their SSL certificate can help you figure out what company is running the website, who they are, and whether they're a legit entity. (After all, you don't want to share your personal and sensitive details with a potential cybercriminal!)
As you can see in the left part of the above image, this provides general information about what the certificate is used for and which entity it was issued to. The right half of the image is the Subject details, which provides additional verifiable information about our company. In this case, it provides the following information:
All of this information can easily be verified using official resources, such as the State of Florida's Division of Businesses website:
Of course, that's not all of the information that this type of digital certificate provides. It also informs you:
Now, let's really throw a wrench into things by talking more about a term we touched on earlier. TLS, or transport layer security, is an internet protocol that's so closely related to SSL that it's actually considered its official successor. There are some technical differences in how SSL and TLS work, but we're not going to dive into all of that here.
What you need to know is that when you're on a website that's secured by SSL, it's technically secured by TLS. Unfortunately, people often use the terms SSL and TLS interchangeably. This gets confusing because so many people and organizations (ours included) still tend to use the term SSL to describe both.
So, why do we still call it SSL? After all, it's a deprecated security protocol that was replaced with TLS back in 1999 after multiple iterations (SSL 1.0, 2.0, and 3.0). Frankly, it's most likely because people are slow to change. There's a strange tendency to stick to the terms we're familiar with, so it's easier for people to just call it SSL instead of TLS. (I guess, to quote a common adage, if it ain't broke, don't fix it.)
So, whether someone calls it SSL or TLS, unless they're talking about it at a highly technical level, they're generally referring to the same secure protocol that makes the padlock icon appear in your browser, or to the digital certificate file that plays a central role in making that occur.
Now that we've gotten all of that info out of the way in answering "what does SSL stand for?", you may be wondering how you can put SSL/TLS to use on your website. Good news: it's really easy. Just follow these five steps to make your secure website a reality:
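The same details a browser's certificate viewer shows (subject, issuer, serial, validity, and whether the name covers the host) can be read from a certificate file with the openssl command line. The script below is an added example, not code from the Hashed Out article; it generates a constructed self-signed certificate with placeholder organization and hostname values so it runs offline, and it requires the openssl binary.

```shell
#!/bin/sh
# Added example (not from the original article): inspect the fields of an
# X.509 certificate with the openssl CLI. Requires the openssl binary.

# Generate a constructed self-signed certificate for demonstration.
# Arguments: cert path, key path, hostname (CN). Subject values are placeholders.
make_constructed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -subj "/C=US/ST=Florida/O=Constructed Example LLC/CN=$3" \
    -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Print one field of a PEM certificate: subject, issuer, serial, startdate, enddate.
# RFC2253 name formatting gives one stable "CN=...,O=...,C=..." line across versions.
cert_field() {
  case "$2" in
    subject|issuer) openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 ;;
    serial|startdate|enddate) openssl x509 -in "$1" -noout "-$2" ;;
    *) echo "unknown field: $2" >&2; return 2 ;;
  esac
}

# Distinguished name without the "subject=" / "issuer=" label openssl prefixes.
cert_name() {
  cert_field "$1" "$2" | sed 's/^[a-z]*= *//'
}

# 0 if the certificate signed itself (issuer equals subject). A CA-issued
# certificate for a public site carries the CA's name as issuer instead.
cert_self_signed() {
  [ "$(cert_name "$1" subject)" = "$(cert_name "$1" issuer)" ]
}

# 0 if the certificate's SAN (or CN, when no SAN is present) covers the hostname.
# openssl prints "... does match certificate" or "... does NOT match certificate".
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 0 if the certificate expires within the next N days (arg 2). -checkend exits
# non-zero when the certificate will already be expired after that many seconds.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Summary of what the browser's certificate viewer would show for a file.
cert_summary() {
  f=$1
  echo "subject: $(cert_name "$f" subject)"
  echo "issuer:  $(cert_name "$f" issuer)"
  echo "serial:  $(cert_field "$f" serial | sed 's/^serial=//')"
  echo "valid:   $(cert_field "$f" startdate | sed 's/^notBefore=//') to $(cert_field "$f" enddate | sed 's/^notAfter=//')"
  if cert_self_signed "$f"; then
    echo "warning: self-signed, no certificate authority vouches for this identity"
  fi
}
```

For a live site, save the chain with `openssl s_client -connect host:443 -showcerts` and point `cert_summary` at the first certificate in the output.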
Of course, once all of this is done, use an SSL/TLS checker tool to ensure that your certificate is properly installed and configured. This can help prevent surprise issues from coming your way.
Alright, that brings us to the end of this article, which we hope helped you better understand what SSL stands for. But if you've skipped ahead and are now just joining us for a quick overview, SSL (or, really, TLS) is a secure internet protocol that allows users to share their data securely with websites.
The three key processes that SSL facilitates are:
SSL, as a protocol, uses information provided by digital certificates that go by the same name (SSL certificates). Nowadays, these are technically TLS certificates, but hardly anyone actually bothers calling them that. (You know, because we're all a tad lazy and it's easier to call them what we've been calling them for years.) So, there you have it. Now you can show off your technical chops around the water cooler or during the next trivia night by being able to answer the question, "What does SSL stand for?"
Read more from the original source:
What Does SSL Stand For? A 10-Minute Look at the Secure Sockets Layer - Hashed Out by The SSL Store
Secrets at the Command Line [cheat sheet included] – Security Boulevard
If developers all share one thing in common, it is their use of the command line to get their jobs done. Many development tools don't come with a graphical user interface (GUI) and rely on a command line interface (CLI). There are a lot of upsides to a CLI-first or CLI-only approach. Once you master the command line, you can work more efficiently than a GUI might allow and gain the awesome superpower of scripting, allowing all of your tools to start working in concert. Scripting is the bedrock for building and managing software delivery pipelines and CI/CD workflows.
However, there is nothing more intimidating, especially to a newer dev, than a blank terminal window with a blinking cursor awaiting your commands. There is no helpful UI to guide you towards your goal; you just have to know what to enter. All the burden of getting it _just right_ falls on the developer's shoulders, and there is a lot to learn, especially when you factor in security.
One area that often gets neglected while mastering the command line is local security around credentials, or what we like to call secrets. While it might feel like secrets management is an area reserved for code repositories, run time environments, and the CI/CD pipelines that drive modern application delivery, good security practices start at home. Home for devs means the terminal.
The first step toward securing secrets in the command line is taking inventory of what secrets might exist. Secrets are any sensitive data that we want to keep private and that would grant access to systems or data, what you will see referred to as digital authentication credentials. Secrets fall into a few broad categories: passwords, keys, and certificates.
Since the beginning of computing, passwords have played a large part in security, and are synonymous with how a user can log into a system. The term user name is almost always paired with the word password when either is used. Passwords are something you know to prove who you are.
Keeping your passwords secure is as important as having them in the first place. No one would think it is a good idea to write passwords on a post-it note and stick it on their monitor, but a lot of developers are guilty of storing their passwords in plaintext in local files. If someone gets access to your local machine, a quick search of the contents can reveal any such document and start pretending to be you.
In an ideal world, you would simply keep all your passwords securely inside your head. But in reality, we all have way too many passwords for that to be a viable strategy. Fortunately, there are many approaches for securing passwords locally, and we will dig into those later in this article; for now, let's keep going with making our inventory of local secrets.
Keys serve the same basic function as passwords, granting access to systems and data, but differ in several key ways. Passwords are generally generated by humans, for human access to a system or data. They are generally shorter, and ideally, you can memorize them.
Keys are typically generated by an algorithm and are generally much longer and more complex than passwords. Overall, they are not meant to be manually entered, nor are they intended for human access to a system; keys are meant to grant machines and processes access to another system or unlock encrypted data. Another way to say that would be keys are used to lock and unlock cryptographic functions such as encryption or authentication.
One type of key you are likely very familiar with as a developer is your SSH key. This is a prime example of a paired public/private key system at work. SSH public keys are intended to be shared with any remote system that applications your local machine will need to access, such as GitHub or AWS. A corresponding private key is stored on your local file system and should never, ever be shared with anyone. When used together, these keys ensure that access is granted only to trusted systems. This is a very secure approach.
Just like with passwords, the security benefits of keys come with the overhead of needing to secure them locally. While it is unlikely you would hand type a plaintext key into a system, or write it down on paper, as we will see in the next section, there are multiple ways keys can become exposed if we are not careful.
Certificates are a way to store, transport, and use keys. Certificates contain keys, as well as important metadata, such as the issuer, what the certificate is for, and a signature intended to verify the authenticity of the certificate.
While SSL or TLS certificates might spring to mind as the primary use case for security certificates, an increasing number of applications and platforms leverage certificate-based authentication. Identity management services, like Active Directory, offer integrations that make it easier to leverage certificates to better control access rights for users, while freeing the users from needing to manually manage passwords.
Where and how you store certificates locally might not be obvious, especially on machines provisioned by central IT departments. It is still the developer's responsibility to be aware of what certificates are on your local machine and to ensure the right safeguards are in place to prevent them from being inappropriately shared. It is also important to not expose the keys these certificates hold, as that is a potential threat as well.
Now that we know what kinds of secrets we are looking for, the next logical question is: how might they be exposed to a bad actor or malicious code? Secrets can be exposed if your laptop is compromised, since any plaintext files with passwords or stored keys can be stolen. But there is also the possibility that any server you connect to via SSH might be unexpectedly accessed. The SSH credentials themselves might mean someone can cause problems while pretending to be you!
Keeping command line secrets safe in any situation where you are using a shell will help you stay safe. Lets take a look at some of the ways you might be exposing secrets.
Credential files are a way to store secrets safely away from any directories that get version controlled. You can set permissions for these files easily with chmod and can programmatically access contents. You can even manage a separate file for each credential, making it harder for any intruder to gather them and limiting the scope of their attacks. These do carry the risk of having credentials in plaintext, but we can address that, and any file, with good encryption.
Entering passwords or keys into a CLI prompt is necessary from time to time. The danger here comes from the fact that anything entered into the terminal in plaintext is stored in plaintext in your terminal's history. All shells store your history; to help put this in perspective, if you are running Bash or Zsh, your entire shell history is stored in a file called either .bash_history or .zsh_history. If you go examine that file, you might be surprised at the number of lines it contains. Anyone who gains access to your machine or a shared terminal environment would quickly be able to find any credentials you entered directly into a shell.
Fortunately, most applications have ways to safely pass credentials without entering them as plaintext. If you encounter an application that needs plaintext credentials, you should consider one of the approaches we outline in the next section. Most of the time, you can still work safely and never expose a credential. If you work with a tool that in no way allows you to pass credentials in a safe way though, it might be time to have a conversation with your security team about the tool in question.
Just like with your Bash history, logs can expose any and all secrets that are stored in plaintext or loaded in an insecure way. Arguably, log files are less secure than your Bash history, given that logs are publicly visible in /var/log and might be accessed by unexpected actors.
Piping credentials between locations is overall a very secure way to handle secrets assuming you are not calling the special /dev/stdin file along the way. Shells like Bash that use stdin (Standard Input) automatically store any input into a file that is accessible by any other process on your machine.
If you go to the terminal right now and just try to print that file with cat, a curious thing happens. Anything that you type is immediately printed to the screen upon hitting enter. Why? Your shell is concatenating (cat) the contents of the file at /dev/stdin to the standard output (stdout) of the terminal. If there is malware or spyware on your computer, or if someone has injected code into your scripts, it is possible that they can intercept the plaintext contents of this file even if you securely loaded a password or key directly into stdin from a secure source.
Process Status is a utility in Bash and derivative shells that you invoke with the command ps. This utility provides information about processes running in memory and is very important for understanding what your system is doing. On UNIX-like OSes, any value passed on a command line, including the contents of private key files, can be seen via ps while the command is running, and it is also stored locally in a file, /proc/<pid>/cmdline, which is globally readable for any process ID (pid). This can become an especially dangerous situation on machines with shared access, such as remote VMs or servers.
While local credentials management might feel daunting, there are a number of approaches and tools that can help you work more safely and with more confidence in your day-to-day duties. While we are going to cover some of them here, we recognize there are likely more tools and tips that can address this issue; we invite your thoughts on this by letting us know on social media or our contact form.
You might already be familiar with password managers through your internet browser. Just as providers like LastPass, 1Password, or Dashlane have made managing logins to web interfaces a lot simpler, there are plenty of tools out there that can help us store and manage our passwords safely for use on the command line.
One of the best examples of such a solution is Hashicorp Vault. They have great documentation on how to leverage Vault for programmatically calling any needed credential without exposing it in plaintext. If a bad actor gets their hands on your code, they will see calls to Vault rather than the keys themselves, making it much harder to cause you any harm.
There are plenty of alternatives to Hashicorp Vault as well, such as KeePass, Azure Key Vault, Keeper Password Manager, and Akeyless Vault Platform, just to name a few. They all offer their own idiosyncrasies, but as long as they keep your passwords secure and out of plaintext, then we encourage you to adopt one as soon as you can. Your IT and Security teams likely already have some approved password managers you can start using right away.
While we often think of encryption while transporting data, it is equally, or perhaps even more important at times, to address encryption of data at rest. Any sensitive data that we do not want to expose should be encrypted when we are not actively working with it. Admittedly this does carry the overhead of having yet another encryption key to manage. However, combined with a good password manager, you will be surprised how easy it can be to keep credentials unusable by bad actors.
While there are a lot of possible ways to employ encryption, here are three types of tools we think are useful.
If a bad actor accesses your computer, you will want to make it as hard as possible for them to actually do anything with your data. That is the core idea behind local filesystem encryption; when you are logged out, the data on your machine gets encrypted and becomes unusable to anyone else.
There are a lot of different options out there for Linux systems derived from LUKS, Linux Unified Key Setup. In fact, when installing most distributions of Linux, you will be prompted to enable this by default.
Windows users can leverage tools like Microsoft's BitLocker, Folder Lock, or free open source tools like VeraCrypt.
If you are using a newer MacBook with the T2 security chip integrated, good news: you already have a very sophisticated encryption tool ready to use, FileVault.
SOPS's name derives from the term Secrets OPerationS. Unlike local file encryption schemes, SOPS is an encrypted-file editor, created by the team at Mozilla. The idea is to remove the manual steps of decrypting highly sensitive files, editing them, and then re-encrypting them. Instead, SOPS offers an editing experience that keeps encryption in place throughout the editing process. When opening SOPS-encoded files with other text editing tools, the structure of the file is preserved, but any sensitive data is protected.
SOPS is highly customizable and allows you to choose from multiple encryption mechanisms like GPG or Hashicorp Vault, making it easy to fit your workflow. It is a free and open source tool. There is even a VS Code extension available.
Shellclear is a cross-platform shell plugin that promises a simple and fast way to secure your shell commands history. It works by
It is free and open source and very customizable. While this is a newer project, we think it is an elegant solution to finding what secrets are in your Bash history and helping you clean them out.
These are just a few options for securing data at rest on your machine. There are a lot of other tools and methods available. When evaluating any encryption tool, make sure they use a proven, known encryption algorithm. This is definitely one area where you do not want to write your own encryption scheme. Talk to your security folks about other options and tools that they might already have approved.
In simplest terms, environment variables are the settings the terminal uses to set behaviors such as time formatting or local UTF encoding. By default, these are only accessible to you as the user and to the system at runtime.
Environment variables can also be used to store credentials locally, especially for systems called programmatically. Overall this is a safe approach as they are stored safely in the system and can easily be invoked in scripts. However, there are a few things to be aware of:
TLDR: env vars are okay within a limited scope (local machines and process-specific + rotated from time to time), but are not okay in cloud environments.
If you have never run the command env in a terminal, the number of variables already there might seem a bit overwhelming. We invite you to pop open a terminal and run it now. If there is anything in there that looks like an API key or bearer token, it is a good idea to ask if it is still needed and clear out environment variables that are not in use.
While we mentioned using pipes as a potential security threat surface if used incorrectly earlier in this article, we do actually love pipes in general!
Pipes in Bash take the output from one process or application and pass it into another process or tool. Since there are only two ends to a pipe and they exist in memory only for the duration of the communication, they are extremely secure in and of themselves.
The issue around using pipes comes from the temporary storage of items from standard input, stdin. This issue can be solved by moving the input to the pipe close to the source, aka the application that is feeding into stdin.
A good example that illustrates this point can be seen with cURL. When passing data to a request, you first might try to just pass it from the output with -d "$(< /dev/stdin)". Instead, cURL allows you to grab the data directly from the source without writing to stdin at all with -d @-. Thanks to Carl Tashian for writing a very good summary of this pattern on his blog.
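The cURL pattern above generalizes to any consumer that can read from stdin. As an added example (not from the post or from Carl Tashian's blog), the functions below load a secret from a credential file only when the file is private, pass it to a command on stdin, and, on Linux, check the claim from the ps section by reading /proc/<pid>/cmdline for a child given the value in argv and one given it on stdin. The file and command names are placeholders.

```shell
#!/bin/sh
# Added example (not from the GitGuardian post): read a secret from a private
# credential file and hand it to a consumer on stdin, so it never sits in
# argv (visible to ps and /proc), in shell history, or in an exported variable.

# 0 only if the file exists and no group/other permission bit is set.
# The POSIX `ls -l` mode column is used: characters 5-10 are group and other.
secret_file_is_private() {
  [ -f "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Print the first line of the credential file, refusing anything not private.
read_secret() {
  if ! secret_file_is_private "$1"; then
    echo "refusing to load $1: run 'chmod 600 $1' first" >&2
    return 1
  fi
  head -n 1 "$1"
}

# Run a command with the secret on its stdin. With cURL this is the
# `-d @-` pattern: with_secret_on_stdin ~/.creds/api curl -sS -d @- "$url"
with_secret_on_stdin() {
  f=$1
  shift
  secret=$(read_secret "$f") || return 1
  printf '%s' "$secret" | "$@"
}

# Linux-only self-check of the claim in the text. Starts one child with a
# marker value in argv and one with the same value on stdin, then reads
# /proc/<pid>/cmdline for both. Prints "argv-visible stdin-hidden" on Linux,
# "unavailable" where /proc is absent. The marker is a constructed placeholder.
argv_vs_stdin_demo() {
  [ -r /proc/self/cmdline ] || { echo unavailable; return 0; }
  marker=constructed-demo-secret
  # child 1: the value travels in argv (two commands, so sh does not exec sleep directly)
  sh -c 'sleep 3; :' sh "$marker" </dev/null >/dev/null 2>&1 &
  p1=$!
  # child 2: the value travels on stdin only, fed through a here-document
  sh -c 'read -r x; sleep 3' >/dev/null 2>&1 <<EOF &
$marker
EOF
  p2=$!
  sleep 1                      # let both children exec before reading
  c1=$(tr '\0' ' ' < "/proc/$p1/cmdline") || c1=
  c2=$(tr '\0' ' ' < "/proc/$p2/cmdline") || c2=
  kill "$p1" "$p2" 2>/dev/null || true
  wait "$p1" "$p2" 2>/dev/null || true
  case "$c1" in *"$marker"*) a=argv-visible ;; *) a=argv-hidden ;; esac
  case "$c2" in *"$marker"*) b=stdin-visible ;; *) b=stdin-hidden ;; esac
  echo "$a $b"
}
```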
Working on the command line means working faster and more efficiently with a wider range of tools at your disposal. However, as we have spelled out here in this article, it also brings a certain overhead of vulnerability when it comes to credentials management.
The good news is you are not alone in this fight to keep your secrets a secret. There are plenty of tools out there that can help keep your credentials safe and secure. To sum up, our advice is to:
We encourage you to have a conversation with your teams about security and see what tools they have already vetted for your organization. They will likely be able to help you identify ways you can work more securely every day while staying productive on the command line.
*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Automated Secrets Detection authored by Dwayne McDaniel. Read the original post at: https://blog.gitguardian.com/secrets-at-the-command-line/
View original post here:
Secrets at the Command Line [cheat sheet included] - Security Boulevard
Hardware Encryption Market 2022-2027: Growing Rapidly with Latest Trends and Future scope with Top Key Players- Kanguru Solutions, Toshiba, Western…
Hardware Encryption Market Study 2022-2027:
Hardware Encryption Market (Newly published report) which covers Market Overview, Future Economic Impact, Competition by Manufacturers, Supply (Production), and Consumption Analysis, and focuses on various products and other market trends.
The market research report on the global Hardware Encryption industry provides a comprehensive study of the various techniques and materials used in the production of Hardware Encryption market products. Starting from industry chain analysis to cost structure analysis, the report analyzes multiple aspects, including the production and end-use segments of the Hardware Encryption market products. The latest trends in the industry have been detailed in the report to measure their impact on the production of Hardware Encryption market products.
Get sample of this report @ https://www.marketresearchupdate.com/sample/373571
Leading key players in the Hardware Encryption market are Kanguru Solutions, Toshiba, Western Digital, Netapp, Maxim Integrated Products, Kingston Technology, Gemalto, Seagate Technology, Samsung Electronics, Winmagic, Micron Technology, and Thales.
Results of the recent scientific undertakings towards the development of new Hardware Encryption products have been studied. The factors leading industry players to adopt synthetic sourcing of the market products have also been studied in this statistical surveying report. The conclusions provided in this report are of great value for the leading industry players. Every organization partaking in the global production of the Hardware Encryption market products has been mentioned in this report, in order to study the insights on cost-effective manufacturing methods, competitive landscape, and new avenues for applications.
Product Types: AES, RSA
On the Basis of Application: Consumer Electronics, IT, Transport, Aerospace, Medical, Financial Services, Other
Get Discount on Hardware Encryption report @ https://www.marketresearchupdate.com/discount/373571
This report also consists of the expansion, mergers, and acquisitions, and price, revenue, and production. This report also provides revenue, CAGR, and production shares by the manufacturer.
1) The varying scenarios of the overall market have been depicted in this report, providing a roadmap of how the Hardware Encryption products secured their place in this rapidly-changing marketplace. Industry participants can reform their strategies and approaches by examining the market size forecast mentioned in this report. Profitable marketplaces for the Hardware Encryption Market have been revealed, which can affect the global expansion strategies of the leading organizations. In addition, each manufacturer has been profiled in detail in this research report.
2) Hardware Encryption Market Effect Factors Analysis chapter precisely gives emphasis on Technology Progress/Risk, Substitutes Threat, Consumer Needs/Customer Preference Changes, Technology Progress in Related Industry, and Economic/Political Environmental Changes that draw the growth factors of the Market.
3) The fastest and slowest growing market segments are pointed out in the study to give significant insights into each core element of the market. New market players are commencing their trade and are accelerating their transition in the Hardware Encryption Market. Merger and acquisition activity is forecast to change the market landscape of this industry.
This report comes along with an added Excel data-sheet suite taking quantitative data from all numeric forecasts presented in the report.
Regional Analysis For Hardware Encryption Market
North America (the United States, Canada, and Mexico)
Europe (Germany, France, UK, Russia, and Italy)
Asia-Pacific (China, Japan, Korea, India, and Southeast Asia)
South America (Brazil, Argentina, Colombia, etc.)
The Middle East and Africa (Saudi Arabia, UAE, Egypt, Nigeria, and South Africa)
View Full Report @ https://www.marketresearchupdate.com/industry-growth/hardware-encryption-market-scope-and-overview-2022-2027-373571
Whats in the offering: The report provides in-depth knowledge about the utilization and adoption of Hardware Encryption Industries in various applications, types, and regions/countries. Furthermore, the key stakeholders can ascertain the major trends, investments, drivers, vertical players initiatives, government pursuits towards the product acceptance in the upcoming years, and insights of commercial products present in the market.
Lastly, the Hardware Encryption Market study provides essential information about the major challenges that are going to influence market growth. The report additionally provides overall details about the business opportunities to key stakeholders to expand their business and capture revenues in the precise verticals. The report will help the existing or upcoming companies in this market to examine the various aspects of this domain before investing or expanding their business in the Hardware Encryption market.
This Press Release has been written with the intention of providing accurate market information which will enable our readers to make informed strategic investment decisions. If you notice any problem with this content, please feel free to reach us on [emailprotected]
See the article here:
Hardware Encryption Market 2022-2027: Growing Rapidly with Latest Trends and Future scope with Top Key Players- Kanguru Solutions, Toshiba, Western...
Government proposes new law to intercept encrypted messages and calls on platforms like WhatsApp – Firstpost
FP Staff, Sep 23, 2022 12:53:22 IST
The Government of India has proposed a new law that would allow it to intercept encrypted messages, calls and video calls on platforms like WhatsApp, Telegram, Google Meet, Signal etc.
A new draft telecommunications bill was uploaded on Wednesday which states that the government wants to give investigative authorities the ability to circumvent the encryption that several OTT communication services, like WhatsApp, Signal, and Telegram use.
In the bill, telecommunication services are defined as anything to do with broadcasting, email, voice mail, video-communication and audio-communication services, and other similar internet services.
The Indian Government is seeking public feedback on the draft.
Modern-day users who are aware of privacy and security concerns always want to go for services which have end-to-end encryption. That is why you will see companies like Meta spend billions on advertisements just to say that their services have this functionality. Platforms like Signal and Telegram were also able to take off and capture a major chunk of the IM market from WhatsApp because the communication on these platforms is encrypted.
The proposed law would have far-reaching effects on the industry that now prioritises user safety and data privacy.
A section of the draft states that the state and/or central government may circumvent encryption on the occurrence of any public emergency or in the interest of the public safety.
Any service can be added to the definition, and that could give the government access to all encrypted chats, voice calls, video calls, and more. Under Section 24 of the draft, the government, or any of its representatives, can demand access on the occurrence of any public emergency or in the interest of the public safety. It remains to be seen whether this draft gets a nod and, if so, how the tech companies will respond.
If WhatsApp and Signal have to comply with these rules, they would need to get rid of the encrypted messages. Or, they could simply shut shop in India, similar to multiple VPN operators who exited the Indian market.
Earlier this year, several VPN companies exited India after a law was passed that required them to keep a record of their user data and share it with authorities when asked to. Several prominent VPN providers shut their servers in India as a protest, with some downright exiting the Indian market altogether.
Continue reading here:
Government proposes new law to intercept encrypted messages and calls on platforms like WhatsApp - Firstpost