Category Archives: Encryption
A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys – Ars Technica
Microprocessors from Intel, AMD, and other companies contain a newly discovered weakness that remote attackers can exploit to obtain cryptographic keys and other secret data traveling through the hardware, researchers said on Tuesday.
Hardware manufacturers have long known that hackers can extract secret cryptographic data from a chip by measuring the power it consumes while processing those values. Fortunately, the means for exploiting power-analysis attacks against microprocessors is limited because the threat actor has few viable ways to remotely measure power consumption while processing the secret material. Now, a team of researchers has figured out how to turn power-analysis attacks into a different class of side-channel exploit that's considerably less demanding.
The team discovered that dynamic voltage and frequency scaling (DVFS), a power and thermal management feature added to every modern CPU, allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries. The discovery greatly reduces what's required. With an understanding of how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be done remotely.
The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose, or bleed out, data that's expected to remain private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.
The researchers said they successfully reproduced their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture. They also claimed that the technique would work on Intel Xeon CPUs and verified that AMD Ryzen processors are vulnerable and enabled the same SIKE attack used against Intel chips. The researchers believe chips from other manufacturers may also be affected.
In a blog post explaining the finding, research team members wrote:
Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.
Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.
Hertzbleed is a real, and practical, threat to the security of cryptographic software. We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as constant time.
Intel Senior Director of Security Communications and Incident Response Jerry Bryant, meanwhile, challenged the practicality of the technique. In a post, he wrote: "While this issue is interesting from a research perspective, we do not believe this attack to be practical outside of a lab environment. Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue." Intel has also released guidance here for hardware and software makers.
Neither Intel nor AMD are issuing microcode updates to change the behavior of the chips. Instead, they're endorsing changes Microsoft and Cloudflare made respectively to their PQCrypto-SIDH and CIRCL cryptographic code libraries. The researchers estimated that the mitigation adds a decapsulation performance overhead of 5 percent for CIRCL and 11 percent for PQCrypto-SIDH. The mitigations were proposed by a different team of researchers who independently discovered the same weakness.
AMD declined to comment ahead of the lifting of a coordinated disclosure embargo.
Android Users are Getting the Thunderbird Email: Open Sourced with End-to-End Encryption – Tech Times
Urian B., Tech Times 14 June 2022, 11:06 am
An open-source email application will finally be making its way to Android. Users of the iOS alternative will finally gain access to the Thunderbird Android email app, an open-sourced application that supports end-to-end encryption.
According to the story by ZDNet, thanks to the K-9 Mail Android email app project, users will finally be able to use the Thunderbird app not just on the desktop but also on Android devices. The project resulted in an app for the open-sourced email project to be used on Android devices.
The Mozilla Foundation moved Thunderbird to its subsidiary two years ago. The open-sourced email solution came under MZLA Technologies Corporation, just like how Firefox was moved under the foundation's subsidiary, Mozilla Corporation, from the initial Mozilla Foundation.
Moving Thunderbird to its subsidiary allowed the project to create its own path. On top of this, the project added new features, including OpenPGP end-to-end encryption along with a mobile app that ZDNet described as "long-awaited."
The email service's team revealed that talks of an email app version of the service started as far back as 2018. The talks were held between Ryan Lee Sipes, the product manager of Thunderbird, and Christian Ketterer, K-9's lead maintainer.
K-9 Mail is an already existing email app on the Google Play Store with five million downloads. Instead of building the app from scratch, both parties plan on merging Thunderbird's systems and features with the existing app.
Four years later, the best decision, according to the two, was to simply have K-9 join the open-sourced service instead of having to build an app from the start. As per Thunderbird, a lot of users have asked them for a mobile experience for the open-sourced email service.
The team then announced that they plan to do this by helping K-9 provide an Android version of the Thunderbird email open-source service. K-9 is tasked with supplementing the open-sourced service and improving the email experience for mobile users.
As per the Thunderbird team, their commitment toward the desktop version of the email service remains the same, and the team is committed to making the most out of both worlds. As per ZDNet, this means that K-9 will be in charge of taking the name and branding of the original service.
Before this becomes possible, K-9 will still have to align with the visual appearance and feature set of Thunderbird. In order to do this, the team says that they are devoting finances and development in order to improve K-9 Mail continually.
This tiny, encrypted drive can fit on your keyring – ZDNet
While having access to an encrypted SSD -- like the new Kingston IronKey Vault Privacy 80 -- is nice, sometimes you want something smaller and more convenient to carry around with you.
Enter the Kingston IronKey Vault Privacy 50.
Kingston IronKey Vault Privacy 50
While the IronKey Vault Privacy 80 is an SSD, the IronKey Vault Privacy 50 is a USB flash drive, and as such is a lot smaller and more suitable for smaller amounts of data that you want to have with you.
Packed into what looks like a standard yet FIPS 197 certified USB flash drive is an XTS-AES 256-bit hardware encryption engine. The business end features a regular USB-A connector compatible with USB 3.2 Gen 1, giving it broad compatibility (if you want to use it on a device with USB-C ports, you'll need a dongle or an adapter) and good performance.
Kingston IronKey Vault Privacy 50
The drive is compatible with Windows and Mac, and you have to run an application on the drive to unlock the drive and access your data. Unlike the IronKey Vault Privacy 80, this drive is not operating system independent.
Kingston IronKey Vault Privacy 50 features a cap retainer on the rear and a lanyard hole to allow you to put the drive on your keys
The drive offers built-in protection against attacks such as BadUSB, as well as brute force attacks.
Speeds for the drive are rated at around 250MB/s for read speeds, and 180MB/s write speeds, and in testing I was able to get read speeds of 225MB/s and write speeds of 150MB/s.
The drive features a lanyard hole that you can use to attach your drive to your keys, and the cap fits well and clips onto the rear of the drive when in use, giving it a fighting chance against loss.
Kingston IronKey Vault Privacy 50 (left) and Kingston IronKey Vault Privacy 80 (right)
So that you only have to buy the storage you need, the IronKey Vault Privacy 50 comes in a range of sizes, from 8GB all the way up to 256GB, which offers great flexibility.
I can't fault the Kingston IronKey Vault Privacy 50. It's an excellent way to secure your data when out and about, and comes highly recommended.
French Data Protection Authority publishes Q&A regarding use of Google Analytics – JD Supra
Background
Following complaints from the NOYB association regarding the use of the Google Analytics audience measurement solution, the French Data Protection Authority (CNIL) had issued several formal notices to French companies using this solution on their websites. These decisions were issued in the context of other decisions from European data protection authorities like the Austrian one, and following the Schrems II ruling of the ECJ invalidating the Privacy Shield, which requires that additional measures be implemented on top of Standard Contractual Clauses to cover transfers of personal data outside the EU.
The CNIL had made public only one of these decisions in February 2022 in an anonymized way. In this decision, the CNIL considers that the use of the Google Analytics audience measurement solution is not GDPR compliant because personal data collected through the cookies of the solution are transferred to the United States without sufficient measures applied to prevent any possible access from the authorities to the personal data. Although efforts were made by Google to deploy additional measures in consideration of the Schrems II ruling, the CNIL considers that this is still not sufficient.
The CNIL recommends anonymizing personal data collected through audience measurement cookies. That way, the solution can benefit from the consent exemption applicable to audience measurement cookies in France. The consent exemption is only applicable to tools complying with a set of cumulative criteria published by the CNIL, one of them being to produce only anonymous statistical data. The controller must, however, still ensure that transfers outside the EU are compliant.
To provide more background on these decisions and to offer possible solutions, the CNIL released a Q&A on June 7, 2022 on the use of Google Analytics, as well as guidance on the use of a compliant audience measurement solution.
The Q&A is short and does not provide much more information than already provided in the anonymized decision published in February 2022. All French companies among the 101 complaints of the NOYB association have now received a formal notice from the CNIL regarding the use of Google Analytics and they have 1 month (renewable) to comply.
The goal of this Q&A is for the CNIL to make clear that the prescription of the only published decision (February 2022 - anonymized) must be understood as being applicable to all companies using the solution and not only to the companies having received a formal notice.
The CNIL considers that any additional legal, organisational and technical safeguards deployed by Google, like Standard Contractual Clauses and additional measures, will still not be sufficient to prevent access by non-EU authorities, as Google remains subject to US jurisdiction.
The CNIL categorically refuses a risk-based approach and considers that the risks remain as long as access to the data is possible: according to the CNIL, even if access by US authorities to data collected through the Google Analytics solution is unlikely (i.e. in practice authorities are not making such data access requests), as long as access is technically possible, technical measures are necessary to make such access impossible or ineffective.
Several options are raised in the Q&A for a compliant use of the Google Analytics audience measurement solution, but most of them are considered as not sufficient by the CNIL and it seems that only the proxy solution is considered acceptable by the CNIL:
Modifying the settings of the Google Analytics solution (e.g. changing the characteristics of the processing of the IP address, only hosting personal data within the EU, etc.) is not sufficient according to the CNIL as long as access by non-EU authorities is still possible and enables identification of the user and tracking of his/her navigation from one website to another.
The CNIL highlights that encryption is only an acceptable solution if the encryption keys are kept under the sole control of the data exporter or by other entities established within the EU or in adequate countries.
Regarding Google Analytics, the CNIL considers that encryption of data is not sufficient as in practice Google LLC is the entity that:
The CNIL concludes that since Google LLC still has the possibility to access the data in clear, the encryption measures cannot be considered effective in case of requests from the US authorities. The conclusion to be drawn is therefore that encryption would be an appropriate measure only if Google LLC had neither access to clear data nor access to the encryption keys.
Collecting consent of users for data transfers is not sufficient as, although this is one of the safeguards listed by Article 49 of the GDPR, it is considered by the EDPB as only applicable to single and non-recurring transfers, and cannot be used as a permanent solution for systematic transfers of personal data.
The CNIL seems to identify only one possible solution: the use of a proxy. Indeed, as per the CNIL, the main issue relates to the direct contact, through an HTTPS connection, between the devices of the users and the Google servers, which enables collection of the IP address of the users as well as much other information that leads to the re-identification of the user. Only solutions that break this contact between the device and the server, like a proxy, can address this issue, as data would be pseudonymized before being transferred outside the EU.
The proxy, or similar solution, must comply with the EDPB criteria, and in particular:
In addition, in the guidance on the use of a compliant audience measurement solution published together with the Q&A, the CNIL also underlines that the use of a proxy requires specific measures (e.g. absence of transfer of the IP address to the servers of the measurement tool, replacement of the user identifier by the proxy server, absence of any collection of cross-site identifiers, etc.) to be deployed and that the proxy server must be hosted in conditions that guarantee that the data it will be processing will not be transferred outside the EU.
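As an added illustration of the proxy measures the guidance lists (this is example code written for this page, not code from the CNIL, the EDPB or any measurement vendor), the following Python sketch sanitises a measurement hit at an EU-hosted proxy before it is forwarded: the visitor's IP is never passed on, the user identifier is replaced by a proxy-generated pseudonym, and cross-site identifiers are dropped. The parameter names, header names, sample hit and key are all assumptions constructed for the example.

```python
"""Request sanitiser for an EU-hosted audience-measurement proxy.

Models the measures the CNIL guidance lists for a proxy that sits
between the visitor's browser and the measurement tool. Parameter and
header names are assumptions, not the real parameters of any tool.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumed parameter names (constructed for this example).
CLIENT_ID_PARAMS = {"cid", "uid"}        # per-user identifiers set by the tool
IP_OVERRIDE_PARAMS = {"uip"}             # parameters that carry the visitor's IP
CROSS_SITE_PARAMS = {"gclid", "dclid", "fbclid", "_ga", "_gid"}  # cross-site / ad-click ids
# Headers that would reveal the visitor's address or cross-site state to the tool.
DROPPED_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded", "cookie", "via"}


def pseudonymize_id(value: str, secret: bytes) -> str:
    """Replace a client identifier with a keyed hash.

    The key is held only by the EU proxy, so the tool receives an opaque
    token it cannot map back to the browser's original identifier.
    Rotating the key periodically limits long-term linkability.
    """
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def sanitize_hit(query: str, headers: dict, secret: bytes) -> tuple[str, dict]:
    """Return (query, headers) that are safe for the proxy to forward.

    - IP-bearing parameters and cross-site identifiers are removed.
    - Client identifiers are replaced with a proxy-generated pseudonym.
    - Address-bearing and cookie headers are not forwarded; at the TCP
      level the tool only ever sees the proxy's own source address.
    """
    forwarded = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in IP_OVERRIDE_PARAMS or key in CROSS_SITE_PARAMS:
            continue
        if key in CLIENT_ID_PARAMS:
            value = pseudonymize_id(value, secret)
        forwarded[key] = value
    kept_headers = {k: v for k, v in headers.items() if k.lower() not in DROPPED_HEADERS}
    return urlencode(forwarded), kept_headers


def leaks_client_ip(query: str, headers: dict, client_ip: str) -> bool:
    """Defensive check run before forwarding: does anything still carry the IP?"""
    if client_ip in query:
        return True
    return any(client_ip in str(v) for v in headers.values())


# Constructed sample hit, as the proxy would receive it from a browser.
SAMPLE_IP = "203.0.113.7"  # documentation address range, constructed
SAMPLE_QUERY = "v=1&tid=TID-PLACEHOLDER&cid=555.123456&uip=203.0.113.7&gclid=abc123&dp=%2Fpricing"
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (constructed)",
    "X-Forwarded-For": "203.0.113.7",
    "Cookie": "_ga=GA1.2.555.123456",
}
PROXY_SECRET = b"example-key-held-only-by-the-eu-proxy"  # constructed; load from a secret store


def demo() -> dict:
    """Sanitise the constructed sample hit and report whether the IP still leaks."""
    query, headers = sanitize_hit(SAMPLE_QUERY, SAMPLE_HEADERS, PROXY_SECRET)
    return {
        "query": query,
        "headers": headers,
        "leaks_ip": leaks_client_ip(query, headers, SAMPLE_IP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forwarded hit keeps only the page path, the tracking ID and a keyed pseudonym; hosting the proxy and its key in the EU is what makes the pseudonymisation hold against the measurement tool's operator.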
In practice, all these criteria make the proxy solution difficult to apply from a technical standpoint. The CNIL itself recognizes that this may be very costly and complex in practice, and eventually recommends using alternative solutions to Google Analytics.
The CNIL has published on its website a list of cookie solutions exempted from consent that it considers as being compliant when properly configured. There are currently 18 certified solutions. The CNIL, however, indicates that such solutions have not been assessed on the issue of international transfers, which would mean that, although they are listed by the CNIL as compliant, they cannot be used as such but first require verification of data transfers and application of Schrems II safeguards.
Solutions offered by the CNIL remain in practice difficult to apply and no workable solution is eventually offered to companies. As next steps, this Q&A should be seen as a reminder for Companies to assess their audience measure solution and consider whether the measures put in place to limit access to data by authorities are sufficient.
For resiliency, the Army may look to rely more on commercial systems than SIPRNet, NIPRNet – FedScoop
Written by Mark Pomerleau Jun 15, 2022 | FEDSCOOP
The Army's top IT official on Wednesday questioned the utility of the service's current classified and unclassified network configurations and instead pointed to the possibility of relying on commercial systems that could be more resilient in future conflicts against sophisticated adversaries.
Adversaries will contest U.S. forces unlike ever before, straining the network and making it harder for data to be passed back and forth and accessed at the right time, said Army CIO Raj Iyer. As a result, forces must be more adaptable and take advantage of various means for communication and transport, such as commercial solutions.
"Our strategy again here is to get to greater resiliency, with commercial transport, using dark fiber, a heck of a lot more encryption when it comes to secret ... The need for us to have physical separation of data and networks for SIPR, or SIPR to ride on NIPR, those days are gone," Iyer said during a presentation hosted by GovConWire.
Iyer was referencing the SIPRNet, or Secure Internet Protocol Router Network, which is the Pentagon's network to handle secret classified information, and the NIPRNet, the Non-classified Internet Protocol Router Network, which handles unclassified information.
"What we have been able to show if you have the right encryption in place that's quantum-resistant and we were able to use solutions like commercial solutions for classified, and we have shown that today and validated that. It really questions what do we need a SIPRNet for? Why do we need a whole separate network, that we can actually do pretty damn well with encryption," he said. "Then absolutely the same question on NIPRNet. If we move all of our data and applications to the cloud and if I can get to a virtual desktop in the cloud and I can use any open available internet to be able to access all of that through any device, then what do we really need the NIPRNet for?"
These questions arise as the Army is developing its unified network plan, part of its larger digital transformation strategy, which aims to synchronize and connect the service's enterprise and tactical networks together.
Currently, silos exist between the two, creating barriers for troops who want to pass data across echelons or even theaters. This especially creates problems when troops move from one theater to another, as seen most recently in Afghanistan.
"I saw forces come into the theater that were not able to join the network right away. It was really, really cumbersome for everything that we needed to do while I was there," Brig. Gen. Jeth Rey, director for the Army Network-Cross Functional Team, said in October.
For Iyer, the Army needs to question the status quo to evolve and succeed in future battlefield environments.
"We're thinking out of the box. I'm not saying you have all the solutions, but we really going back to the direction I have from my boss, this is how we're going to transform," Iyer said about the Army's modernization approach and potential for using more commercial solutions in an attempt to be more resilient from adversary disruptions.
He added that if the Army doesn't question the status quo, it will be limited by aging technologies and architectures from the past.
One such example from the Ukraine-Russia conflict Iyer and others have pointed to is SpaceX's Starlink satellite constellation that provides internet coverage.
Despite Russian attempts to jam the system in Ukraine, the following day, Starlink reported adding new lines of code that rendered the jamming ineffective.
"We saw how Starlink is actually tremendously helping establish a communications network in an environment that we thought would be degraded on day one," Iyer said in April.
Army forces must be able to communicate and pass data in denied and degraded environments in the future.
"As we get into more of a distributed command and control structure, what we really don't want is a massive command post that has all of this IT in one place, where we become bullseye for our enemies," he said Wednesday. "Moving to the distributed C2 means that we're going to have to leave data in multiple places with greater resiliency, we're going to have to rely on all kinds of transport, not just MILSATCOM, but commercial SATCOM, as well and this is where the example I gave you with Starlink and how we're using that today in Europe is a great example. All of this coupled with compute at the edge is going to be absolutely critical in terms of supporting tactical operations."
Nelson man, 41, used encrypted phone to move kilograms of Class A drugs around UK – Lancs Live
A Lancashire man has been jailed for four and a half years for drug offences and money laundering.
Sufiyan Mohammed, aged 41, of Percy Street, Nelson, Lancashire, was sentenced on Wednesday 15 June after pleading guilty to conspiracy to supply Class A drugs and money laundering. Mohammed is the latest to be sentenced as part of the North West Regional Organised Crime Unit's response to Operation Venetic, an international investigation into the use of a mobile encryption service, commonly referred to as Encrochat.
Pirasad Hashmi, from Blackburn, was also sentenced to seven and a half years back in April this year after pleading guilty to the same offences. Examination of the data from the encrypted phones revealed that Mohammed, who used the device/handle 'GOLFRANGE', and Hashmi, who used the handle 'BROWNRHINO', had been responsible for moving multiple kilogram quantities of Class A drugs around the UK.
In messages shared between the two, Mohammed sent images of drugs and cash. One message said "I'm buying these 1z proper". Other conversations included messages referring to numbers and amounts, where 'BROWNRHINO' (aka Hashmi) says to 'GOLFRANGE' (aka Mohammed) "Shall we go through the bill".
Mohammed was arrested back in October 2021 as he returned to the country on a flight from Malaga.
Detective Inspector Mike Robinson from the NWROCU investigations team said: "This sentence is the latest in a long line of convictions secured against those who used the Encrochat facility to carry out crimes, to try and evade detection.
"Mohammed was involved in a conspiracy to supply cocaine across the UK and we're happy that with him and his associate off the streets, it has helped to disrupt a significant supply of drugs which they were supplying across the country. Here at the NWROCU we're committed to targeting the supply of drugs and will leave no stone unturned in pursuit of those people who think they are above the law."
Email platform bug allows for theft of clear-text credentials. Update on the Kaiser Permanente breach. Arizona hospital suffers ransomware attack. -…
At a glance.
The researchers at SonarSource detail a newly detected vulnerability in the enterprise-level email solution Zimbra that could allow an attacker to steal user login credentials. Similar to Microsoft Exchange, Zimbra is used by the employees of 200,000 businesses, universities, financial firms, and government institutions to send and receive emails. If exploited, this Memcache Injection bug would allow an unauthenticated intruder to steal cleartext credentials from a Zimbra instance without any user interaction. One technique would require the attacker to know the email address of the victim, not difficult given that many companies rely on a basic pattern using the employee's name or initials. The second strategy would require the hacker to exploit Response Smuggling, the act of transferring HTTP responses from a server to a client through an intermediary HTTP device, to bypass the restrictions imposed by the first strategy.
Erich Kron, security awareness advocate at KnowBe4, wrote to put the risk in the larger context of business email compromise:
"In a time when Business Email Compromise (a.k.a. CEO Fraud) attacks have become a multi-billion dollar industry, any vulnerability that can provide access to an email account and associated credentials, is worth being concerned about. A compromised legitimate email account can be used to effectively spread malware throughout an organization much more effectively than a spoofed account can, by bypassing external filters, and even gives the attackers access to previous conversations that can be used to lure victims into a false sense of trust.
"In addition to the risk posed by sending attacks through a compromised account, email is the mechanism that we use to reset passwords for many of our other web services and accounts, making it an easy way to take over those accounts as well.
"To add to the concerns of a compromised account, it is common knowledge that people often reuse the same passwords in multiple places, giving the attackers an opportunity to take over accounts that are not related to the email, by simply trying the stolen credentials on other websites.
"To protect against this, organizations should consider requiring Multi-Factor Authentication (MFA) on all sensitive accounts and should ensure that employees are educated about the dangers of password reuse and of using simple passwords."
As we noted yesterday, US managed care consortium Kaiser Permanente disclosed an April employee email breach that exposed the personal medical information of nearly 70,000 of its patients. It is still unclear exactly how an unauthorized party gained access to the emails, but Gizmodo reports that Kaiser's filing with the Department of Health and Human Services categorizes the breach as a Hacking/IT Incident. Kaiser, the largest hospital system in the state of California, stated in an email to customers, "We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility."
In other healthcare data breach news, Yuma Regional Medical Center (YRMC), a non-profit hospital facility in the US state of Arizona, has begun informing patients that the center experienced a ransomware attack. JDSupra explains that the breach was first detected when employees noticed some of the Center's systems were not functioning properly. YRMC responded by taking the systems offline and arranging an investigation with a third-party forensics firm. The acute care facility sent approximately 700,000 notification letters to impacted parties, informing them that the hospital will continue assisting patients through established back-up processes and other downtime procedures while it works to get the systems back online.
Several industry experts wrote to share their reactions to the incident in Arizona. Tim Prendergast, CEO of strongDM, noted the importance of access to successful crime. "Virtually every major security challenge from ransomware to insider threats requires one core element: access. While much has been done to address physical security and application access, there is one glaring vulnerability: infrastructure access. This gap is critical, as getting access to infrastructure is the equivalent of getting the keys to the kingdom - as the ransomware incident at Yuma Regional Medical Center illustrates. With no centralized approach to managing access across databases, servers, cloud service providers, or even newer tools like Kubernetes, CISOs will need to evaluate how they can ensure high standards of security, while not impacting existing access management processes that are already overbearing for these technologies."
Neil Jones, director of cybersecurity evangelism at Egnyte, took the occasion as an opportunity to argue for redoubled security. "The recent data breach at Yuma Regional Medical Center in Arizona spotlights the need for comprehensive ransomware detection, data security and suspicious log-in capabilities," he wrote. "According to published reports, the organization took effective action upon detection, which indicates that a meaningful incident response plan was in place. However, the affected files included sensitive information, in particular Social Security numbers. The recent convergence of Personally Identifiable Information (PII) and Protected Health Information (PHI) has made it even more important for companies to put additional safeguards in place for highly-confidential data like workers' compensation reports, employees' and patients' health records and confidential test results, such as COVID-19 notifications."
Danny Lopez, CEO of Glasswall, found the incident troubling. "Organisations need to adopt robust processes for protecting sensitive information. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible, is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius, and in most cases, defeat the data breach," he wrote. "Attacks like these caused by illegal access demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. In a world where data can be held amongst multiple cloud providers it is crucial to strengthen all processes relating to access verification. Without a zero trust approach organisations run the risk of attackers having a free reign across a network once they are inside."
Arti Raman, CEO and Founder of Titaniam, sees a lesson on the importance of encryption. "In the recent ransomware database attack on Yuma Regional Medical Center, bad actors were able to access and steal over 700,000 patients' personally identifiable information. To minimize the risk of potential extortion and minimize lost clear text data, a data security platform, specifically data-in-use encryption, also referred to as encryption-in-use, is recommended," he wrote. "Utilizing data-in-use encryption technology provides unmatched immunity. Should adversaries break through perimeter security infrastructure and access measures, data-in-use encryption keeps the PII encrypted and protected even when it is being actively utilized. This helps neutralize all possible data-related leverage and limits the need for breach disclosure."
Paubox Unveils Zero Trust Email as Part of Its HIPAA Compliant Email Suite for Protection Against Ransomware and Phishing Attacks – GlobeNewswire
Solution uses AI for multi-factor authentication for added inbound email protection and security
SAN FRANCISCO, June 14, 2022 (GLOBE NEWSWIRE) -- Paubox today announced that its HIPAA compliant Paubox Email Suite now features new inbound email security capabilities, including Zero Trust Email with multi-factor authentication (MFA) for added protection against ransomware and phishing attacks. Paubox is the industry's top-rated provider* of HIPAA compliant email for healthcare organizations, including hospitals, medical practices and other covered entities.
Paubox Email Suite's inbound email security includes patented proactive features that stop malicious emails from reaching an inbox. With the new patent-pending Zero Trust Email capability, Paubox Email Suite now features multi-factor authentication for inbound email. A proprietary artificial intelligence (AI) algorithm built into the solution protects users against ransomware and phishing attacks. The solution requires an additional piece of evidence from the sender's mail server before it passes Paubox's inbound security checks.
Zero Trust Email adds to an already robust inbound security solution that includes the patented ExecProtect to combat display name spoofing phishing attacks, and the Blacklist Bot to automatically create email blacklist rules to help users manage unwanted spam. Those capabilities are just a few of the checks Paubox Email Suite automatically performs on every incoming email, analyzing real-time threats based on hundreds of factors, including content, attachments, links and when the sender's domain was registered.
Cybersecurity is an increasing concern for healthcare organizations. According to a 2020 Frost Radar report, more than 90% of healthcare organizations have reported a security breach. At an average of $9.23 million per incident, healthcare leads as the top industry for the most expensive data breach costs.
"Ransomware and phishing attacks are at an all-time high at a huge cost to healthcare providers. With our Zero Trust Email feature, our solution offers an additional line of defense in protecting customers against these unwanted attacks on their email," said Hoala Greevy, CEO and Founder of Paubox. "For years, our innovative HIPAA compliant encrypted email solution has been making it easy for healthcare providers to send secure email and for patients to easily access and read those messages. Now, this new feature provides additional protection against phishing and ransomware attacks as well."
Unlike other healthcare email solutions, Paubox enables HIPAA compliant emails to arrive in a patient's inbox without requiring them to log into a portal or enter a passcode to view the message. Its email solution is HITRUST CSF certified for the highest standard of security.
Greevy added, "It is essential to keep PHI (protected health information) safe, but encryption doesn't have to be overly complicated with portals, plugins or random security phrases in subject lines. We have made HIPAA compliant email easy for healthcare providers to send and for patients to access and read."
Paubox encrypts all outbound email by default, so healthcare businesses don't have to worry about employees sending PHI via unencrypted messages by mistake. After it is enabled, Paubox Email Suite users can send HIPAA compliant email from any device using zero-step encryption.
"Paubox had both [inbound and outbound email security] covered and provided us with proper HIPAA certification . . . [The Paubox team] worked with us to become comfortable with the encryption process," said Gary A. Powell, Founder & Executive Director, The Caregiver Foundation.
Paubox Email Suite uses Transport Layer Security (TLS 1.2 or higher) as its default encryption method. TLS 1.2 and 1.3 are the versions NSA guidance recommends; the same guidance treats SSL and TLS 1.0 and 1.1 as obsolete and says they should be disabled. One caveat applies to any TLS-based email product: TLS protects a message only while it is in transit between mail servers, not at rest in either mailbox, and it can only be negotiated when the receiving server supports it, so how a product handles recipients whose servers cannot offer TLS 1.2 or higher is the setting worth checking.
Paubox Email Suite integrates with Google Workspace, Microsoft 365, and Microsoft Exchange, so customers can send encrypted email from their existing email client, with no change in user behavior required for sender or recipient.
About Paubox
Paubox, based in San Francisco, is the leader in HIPAA compliant email solutions for healthcare organizations. Founded in 2015, Paubox is on the INC. 5000 list of fastest-growing privately owned companies. According to G2 rankings, Paubox leads the HIPAA compliant email industry for Best Email Encryption Software and Best HIPAA Compliant Messaging Software. Paubox customers include Providence, Inclusa, Easterseals and Hawaii Cancer Center. For more information, contact us at Paubox or call (415)-795-7396.
For more media information, contact:
Lisa Hendrickson, LCH Communications for Paubox
516-643-1642
*Based on G2 ratings and reviews
India urges world to act on use of VPN, crypto, encryption for terror – ETTelecom
New Delhi: India is seeking global action to counter the use of a slew of technologies including virtual private networks (VPN), end-to-end encrypted messaging services and blockchain-based technologies such as cryptocurrency by terrorists, people aware of the development told ET. This mirrors New Delhi's domestic stance on the issue.
Indian officials said the anonymity, scale, speed and scope offered to (terrorists), and increasing possibility of their remaining untraceable to law enforcement agencies by using these technologies, is one of the major challenges before the world.
This was part of Indias suggestions to members of an ad hoc committee of the United Nations debating a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.
Innovative online means misused
ET reviewed copies of speeches delivered by the Indian contingent. The ministry of external affairs, which led the Indian delegation, did not respond to ET's queries on the matter.
Noting that most cybercrimes are committed for economic gains, officials told the gathering that money is laundered using innovative online means, such as cryptocurrency. Often, this money movement happens in numerous countries before it is siphoned off by the perpetrators of crimes, including cyber terrorists using emerging technologies to finance terrorist activities.
The multilateral grouping was established by a resolution during the 74th session of the UN General Assembly in January 2020, as an open-ended ad hoc intergovernmental committee of experts, representative of all regions, which would discuss and decide on developing an international convention to counter global cybercrime. The committee has since met four times: thrice in New York and once in Vienna.
NordVPN becomes the third VPN provider to exit India following a cybersecurity directive from CERT-In on April 28 mandating VPN companies, among others, to maintain basic information about customers including IP addresses, names, email IDs and more.
On April 28, the Indian Computer Emergency Response Team (CERT-In) issued a set of guidelines that require companies providing VPN services to keep a log of their users for five years. They are also to store information such as username, email ID used while signing up, contact numbers and internet protocol addresses.
Three VPN companies ExpressVPN, Surfshark and NordVPN have since quit India, citing their inability to continue services owing to the new CERT-In rules.
Despite the concerted pushback from VPN companies, privacy activists, tech policy groups and cybersecurity experts who argue that such provisions would breach the privacy and security of users, the Centre has remained firm on its stance.
Rajeev Chandrasekhar, minister of state for IT, had also said companies that did not want to adhere to the norms were free to leave India.
Separately, the Information Technology (IT) Rules of 2021 mandate that internet platforms that provide instant messaging services must allow for tracking the first originator of the message even when it is end-to-end encrypted. The rule is under judicial challenge at the Delhi High Court.
The decision of the ministry was conveyed to the industry as well as other stakeholders on Friday at a roundtable meeting chaired by Minister of State for Information Technology Rajeev Chandrasekhar.
At a recent press conference on CERT-In guidelines, Chandrasekhar told reporters that the government would adopt a zero-tolerance policy on anonymity being a cover for online crimes.
The production of evidence, the minister said, was "an unambiguous obligation" that VPN service providers, social media intermediaries and instant messaging platforms had, and they could not then claim to not have the details that the law enforcement agency wanted because the platform was end-to-end encrypted.
Similarly, at a discussion organised by the International Monetary Fund in April, finance minister Nirmala Sitharaman stated that regulating cryptocurrencies at a global level was crucial to mitigate the risk of terror funding and money laundering.
Data Encryption Strategies Become More Widespread as the Amount of Cloud-Based Data Rises – The Fintech Times
The number of organisations consistently applying a data encryption strategy has risen sharply in the space of a year, whilst many are finding it easier to locate the data they need for the job.
Organisations reporting having a consistent, enterprise-wide encryption strategy in the Middle East leapt from 29 per cent to 63 per cent between last year and this year, as many seek to have greater control over dispersed cloud-based data.
These were the primary findings of a recent survey of security and IT professionals, which was conducted by the Ponemon Institute.
The study involved 6,000 companies across various sectors and countries, including the UAE and KSA, and the response indicated that many are prioritising their digital security investments to regain control of the data amid dynamic cloud environments and increasing cybersecurity threats.
Jumping the gap
Although they've experienced a steady level of adoption over the past few years amid the growing prevalence of cloud-based systems, encryption strategies have now become fintech's must-have item, especially so in the Middle East, where the rate of constant application within an enterprise jumped dramatically from 29 per cent to 63 per cent.
Similarly, 70 per cent of Middle East respondents rated the level of their senior leaders support for enterprise-wide encryption strategy as significant or very significant.
The data also shows a 39 per cent decrease in the number of respondents who struggle to locate the right data, which the study identifies as one of the top challenges in planning and executing an effective data encryption strategy.
"With an unprecedented amount of cybersecurity threats challenging organisations today, coupled with new and dynamic cloud environments, it has never been more important to have a company-wide encryption strategy in place," comments Hamid Qureshi, regional sales director, Middle East, Africa and South Asia at Entrust.
"This [report] is telling of a new awakening to the need for more consistent and proactive data security."
While the results indicate that companies have gone from assessing the problem to acting on it, they also reveal encryption implementation gaps across many sensitive data categories.
For example, while half of the respondents in the Middle East say that encryption is extensively deployed across containers, just 31 per cent say the same for big data repositories and 32 per cent across IoT platforms.
Similarly, while 71 per cent rate hardware security modules (HSMs) as an important part of an encryption and key management strategy, 37 per cent are still lacking HSMs.
These results highlight the accelerating digital transformation underpinned by the movement to the cloud, as well as the increased focus on data protection.
Organisations seek greater control of their cloud data
The sensitive nature of the data sitting within multiple cloud environments is forcing enterprises to up their security strategy. Notably, this includes containerised applications, where the use of HSMs reached an all-time high of 35 per cent.
More than half of the report's Middle East respondents admitted that their organisations transfer sensitive or confidential data to the cloud whether or not it is encrypted or made unreadable via some other mechanism such as tokenisation or data masking.
Concerningly, an additional 23 per cent said they expect to do so in the next one to two years.
"The rising adoption of multi-cloud environments, containers and serverless deployments, as well as IoT platforms, is creating a new kind of IT security headache for many organisations," added Qureshi.
"This is compounded by the growth in ransomware and other cybersecurity attacks. This year's study shows that organisations are responding by looking to maintain control over encrypted data rather than leaving it to platform providers to secure."
When it comes to protecting some or all of their data at rest in the cloud, 41 per cent of respondents in the Middle East said encryption is performed in the cloud using keys generated and managed by the cloud provider, up from the 28 per cent recorded in 2021.
Another 32 per cent reported encryption being performed on-premises, before the data is sent to the cloud, using keys their organisation generates and manages, while a quarter use some form of Bring Your Own Key (BYOK) approach, in which the organisation generates the key material itself and imports it into the provider's key management service. Both of these figures are unchanged from last year's results.
Together, these findings indicate the benefits of cloud computing outweigh the risks associated with transferring sensitive or confidential data to the cloud, but also that encryption and data protection in the cloud is being handled more directly.
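The three models in the preceding paragraphs differ mainly in who holds the key that can unwrap the data. As an added example (not code from the Entrust/Ponemon report or from any product it mentions), the Go program below implements the "encrypt on-premises before upload, with keys the organisation generates and manages" model as envelope encryption: each object gets a fresh data-encryption key (DEK), the data is sealed under the DEK with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that never leaves the organisation. Only the ciphertext and the wrapped DEK go to the cloud. The KEK is a plain in-memory byte slice here, standing in for one held in an on-premises HSM or KMS; the object and key identifiers are hypothetical. Rewrap shows a second property of holding your own KEK: rotation rewrites only the small wrapped DEK, never the stored ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeObject is all that is uploaded to the provider: ciphertext plus a data
// key wrapped under the organisation's KEK. It holds no plaintext and no bare key.
type EnvelopeObject struct {
	ObjectID   string // object name/path, bound into both AEAD computations as AAD
	KeyID      string // which KEK version wrapped the DEK (needed for rotation)
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under key, with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or AAD is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// wrapAAD ties a wrapped DEK to the KEK version and the object it belongs to.
func wrapAAD(keyID, objectID string) []byte {
	return []byte(keyID + "|" + objectID)
}

// Encrypt runs on-premises: fresh DEK per object, data sealed under the DEK,
// DEK wrapped under the KEK. The KEK itself never leaves the organisation.
func Encrypt(kek []byte, keyID, objectID string, plaintext []byte) (*EnvelopeObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, wrapAAD(keyID, objectID))
	if err != nil {
		return nil, err
	}
	return &EnvelopeObject{ObjectID: objectID, KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt also runs on-premises: unwrap the DEK with the KEK, then open the data.
func Decrypt(kek []byte, obj *EnvelopeObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, wrapAAD(obj.KeyID, obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.ObjectID))
}

// Rewrap rotates the KEK: unwrap the DEK under the old KEK and wrap it under the
// new one. The (possibly large) ciphertext is untouched and need not be re-uploaded.
func Rewrap(oldKEK, newKEK []byte, newKeyID string, obj *EnvelopeObject) error {
	dek, err := open(oldKEK, obj.WrappedDEK, wrapAAD(obj.KeyID, obj.ObjectID))
	if err != nil {
		return fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, wrapAAD(newKeyID, obj.ObjectID))
	if err != nil {
		return err
	}
	obj.WrappedDEK, obj.KeyID = wrapped, newKeyID
	return nil
}
```

Calling Encrypt with the organisation's KEK, a key version label and the object's storage path yields the envelope to upload; Decrypt and Rewrap take the same KEK and the stored envelope. Using the object path as AAD means an envelope copied onto another object's path fails to open, and using the key version as AAD for the wrapped DEK means a mislabelled key version fails before any data is touched. In the provider-managed model (the 41 per cent case above) the provider's KMS performs both the wrapping and the unwrapping, so anyone with sufficient provider-side access can reach plaintext; with this layout the same access yields only the envelope. BYOK sits between the two: the organisation generates the KEK but imports it into the provider's KMS, which then performs the unwrap.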
The employee threat to sensitive data
When it comes to threat sources, respondents identified employee mistakes as the top threat that might result in the exposure of sensitive data, although this is down two per cent from last year.
The threat from temporary or contract workers rose 10 per cent to 42 per cent, the highest level ever recorded. The other highest-ranked threats identified were hackers (33 per cent) and system or process malfunction (19 per cent).
These results make it clear that threats are coming from all directions so its distressing, but not surprising that 64 per cent of Middle East respondents admitted having suffered at least one data breach in 2020, and just about half (49 per cent) having suffered one in the last 12 months.
"Over 17 years of doing this study, we've seen some fundamental shifts occur across the industry. The findings in the Entrust 2022 Global Encryption Trends study point to organisations being more proactive about cybersecurity rather than just reactive," said Dr Larry Ponemon, chairman and founder of the Ponemon Institute.
"While the sentiment is a very positive one, the findings also point to an increasingly complex and dynamic IT landscape with rising risks that require a hands-on approach to data security and a pressing need to turn cybersecurity strategies into actions sooner rather than later."
"As more enterprises migrate applications across multi-cloud deployments there is a need to monitor that activity to ensure enforcement of security policies and compliance with regulatory requirements. Similarly, encryption is essential for protecting company and customer data. It's encouraging to see such a significant jump in enterprise-wide adoption," said Cindy Provin, SVP for identity and data protection at Entrust.
"However, managing encryption and protecting the associated keys are rising pain points as organisations engage multiple cloud services for critical functions. As the workforce becomes more transitory, organisations need a comprehensive approach to security built around identity, zero trust, and strong encryption rather than old models that rely on perimeter security and passwords."