Category Archives: Encryption
Global Data at Rest Encryption Market 2021 Analysis By Future Demand, Top Players, Revenue and Growth Rate Through 2027 Sox Sphere – Sox Sphere
The most recent MarketsandResearch.biz research, titled Global Data at Rest Encryption Market from 2021 to 2027, gives a complete overview of the industry, covering various components of product description, market segmentation supported by numerous variables, and therefore the current vendor landscape. The study evaluates the potential and existing market conditions, giving insights and updates on the corresponding segments engaged in the worldwide Data at Rest Encryption market for the forecast period of 2021-2027. The study is a modest attempt by subject matter experts and professionals to convey market forecasting and analysis.
The study focuses on the critical elements and complexity of geographical areas while adhering to the notion of a competent global Data at Rest Encryption market analysis. The market study investigates market size, subdivision market growth, market players, recent events, and projected evaluation.
The report includes a comprehensive review of the present market environment as well as various data on the overall key trends, dangers, and challenges that appear to have a significant impact on market revenue generation.
Competitors in the worldwide market who are significant and evolving:
The study's goal is to discuss the following main product categories:
The study's objective is to focus on the following key application types:
The following countries are covered in the market research:
ACCESS FULL REPORT: https://www.marketsandresearch.biz/report/223627/global-data-at-rest-encryption-market-2021-by-company-regions-type-and-application-forecast-to-2026
The report defines, categorises, and assesses the market's capabilities, drivers, constraints, opportunities, challenges, and global Data at Rest Encryption competitive dynamics. The research emphasises the main features and complexity of geographical areas by referring to the framework of the global Data at Rest Encryption market competency study. The market study examines provincial and national market size, market segmentation, international market competitors, exchange guidelines, recent events and developments, potential investigation, and essential business development research. For those looking for complete market penetration, the market research delivers ready-to-refer investment suggestions.
Customization of the Report:
This report can be customized to meet the client's requirements. Please connect with our sales team (sales@marketsandresearch.biz), who will ensure that you get a report that suits your needs. You can also get in touch with our executives on +1-201-465-4211 to share your research requirements.
In Perspective | Online child safety and the dangers of false equivalence – Hindustan Times
Last week, a committee of lawmakers approved a draft law to advance further in the United States (US) Senate. Called the EARN IT bill, it brings in additional obligations for tech companies, which can, if the law is enacted, be criminally liable for child pornography on their services.
On the surface, the law makes sense. Child pornography, or child sexual abuse material (CSAM), has found avenues to exist and proliferate, first with the arrival of the internet and then with social media, and particularly, encrypted communications.
But security technologists have compared the debate around online CSAM and the evolving argument on how to combat it to false equivalences and pedophrasty. (Lebanese-American commentator Nassim Taleb describes pedophrasty as a narrative tool in which potential harms to children are cited to diminish opposing arguments by playing to human parental instincts).
This is because, at the heart of it, the solutions being advocated to combat CSAM have to do with weakening or incentivising the weakening of end-to-end encryption, the bedrock of privacy online.
End-to-end encryption, or E2EE, is what ensures the messages we send over WhatsApp are not readable by even the company that owns the application, or how secure emails can allow scientists and government officials to exchange top secret information.
The anti-encryption narrative
The child abuse threat plugs into what is now a decades-old debate around law enforcement in the digital age. When distilled, the heart of the debate boils down to a question of which is more important: privacy or safety? In recent years, several countries, notably western countries and their allies, have made a case for encryption to be weakened.
Five Eyes (plus India and Japan) 2020 joint statement: The most strident of these arguments was made in an October 2020 joint statement by countries that are part of the informal grouping called the Five Eyes nations (the US, the United Kingdom (UK), Canada, Australia and New Zealand), with India and Japan as co-signatories. The statement disputed the criticism that weakening or tweaking end-to-end encryption will necessarily lead to risks to cyber security and privacy.
The UK's No Place to Hide 2022 campaign: In January this year, the UK Home Office funded a publicity blitz opposing ultra-secure messaging applications, particularly Facebook's plans to enforce E2EE on its Messenger application. Launching the campaign, a spokesperson said E2EE will amount to turning the lights off on the ability to identify child sex abusers online, the BBC reported at the time.
India's 2021 IT Rules: In February, the government unveiled the new Information Technology rules for social media companies and online publishers. Among these was an obligation on communication services providers to allow for the identification of who sent a particular message for the first time, a feature that will not be possible within the design of E2EE. The rules have since been suspended by multiple high courts, and among the first legal challenges to it came from WhatsApp, which likened the rules to effectively putting all users under a surveillance mechanism. The rules themselves followed a 2020 report by a parliamentary committee that wanted encryption to be broken in order to combat CSAM abuses.
The EARN IT act, while not explicitly attacking encryption, will in effect incentivise companies to build mechanisms that are outside of the E2EE paradigm, online advocacy groups have said, while adding that it will do little to combat the actual problem it is intended to.
Is E2EE absolutely indispensable?
To understand the role of encryption today is to revisit the events of 2013, when US National Security Agency contractor Edward Snowden blew the whistle on a planet-scale digital surveillance dragnet run by the US and the UK, which pored over all unencrypted internet traffic. This dragnet at the time allowed these countries to spy on anyone, irrespective of whether or not they were a threat, to peek into their communications as well as access their devices.
Within months, tech companies responded to begin a shift to encryption by default. The HTTPS (or a closed padlock) that you see at the top of your browser while you read this article is a direct outcome of that push. HTTPS implies your connection to the Hindustan Times website is encrypted, meaning anyone intercepting your network traffic will not be able to determine what you are reading.
Since then, E2EE has helped protect liberties and allowed essential functions like e-commerce to be carried out with better security. These are functions that are arguably improved by the current paradigm of encryption in the global internet. And experts point out that in its absence, there is a threat not just to the individual but to national security.
E2EE and CSAM rise: A tenuous connection?
In response to the No Place to Hide campaign, the UK's own data watchdog has said that encryption helps protect children more than it harms them. Stephen Bonner, the British Information Commissioner's Office executive director for innovation and technology, told BBC that end-to-end encryption helped keep children safe online by not allowing "criminals and abusers to send them harmful content or access their pictures or location".
"The discussion on end-to-end encryption use is too unbalanced to make a wise and informed choice. There is too much focus on the costs without also weighing up the significant benefits," he said.
In Analysing the National Security Implications of Weakening Encryption, researchers at Indian policy thinktank Deepstrat framed the debate around E2EE not just as a matter of security versus privacy, but also one involving security versus security.
They account for the nature of modern devices and communication architectures, as well as the nature of cybersecurity threats.
Take some of the specific anti-encryption solutions to the CSAM problem that have been advocated recently. Client-side scanning, similar to what Apple attempted to do by scanning a fingerprint of images people store on their iPhones or Mac computers, will for example set the foundation for China model of surveillance, which can be theoretically tweaked to identify any content on anyone's device.
Then there is the traceability requirement that India proposes. DeepStrat's report identified its flaws as being fundamentally against the nature of E2EE and creating architectural vulnerabilities that can be exploited by bad actors. Another common idea, to create backdoors for law-enforcement agencies, poses a very significant risk that malicious hackers will find it and wield it, if not unaccounted state agents themselves in an abuse of power.
The risks are not merely theoretical: there is evidence and history. For example, in 2010, China-based hackers broke into Gmail, leveraging backdoors coded in to allow lawful interceptions. Prior to that, between 2004 and 2005, phones of the Greek prime minister and his aides were tapped when an unknown attacker found backdoors built by telecommunications company Ericsson to, again, allow for lawful interception.
"Official misuses are bad enough, but it's the unofficial uses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don't," wrote security expert Bruce Schneier in a 2020 opinion piece for CNN.
Tinkering with E2EE, thus, requires an appreciation of all that is at stake. There have been instances where tech companies have aided law enforcement in taking more offensive measures against child sex abusers, such as the revelations in 2020 when it came to light that Facebook spent money and resource to develop hacking tools to help the FBI catch a notorious abuser.
Indeed, such examples are uncomfortably few and far between, and the threat from CSAM large. It may be time to look at the problem beyond being that of E2EE alone but of efforts by tech companies and governments alike.
In Perspective takes a deep dive into current issues, the visible and invisible factors at play, and their implications for our future
The views expressed are personal
Hashing vs. Encryption: What’s The Difference? – FedTech Magazine
What Is Encryption in Federal Agencies?
According to the National Institute of Standards and Technology, encryption refers to the cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the data's original meaning to prevent it from being known or used.
In layman's terms, as Okta notes in a blog post, encryption basically scrambles data that can be decoded with a key. The goal of encryption is to send along encrypted data to a third party, who will then decrypt that information into a usable form with a decryption key.
The method used to conduct the scrambling (encryption) and unscrambling (decryption) is known as a cryptographic algorithm, and the security of the ciphertext does not depend on the secrecy of the algorithm, a CDW white paper notes. In fact, the most trusted algorithms are those that have been publicly vetted to find weaknesses.
According to Okta, there are at least three fundamental elements to modern encryption tools:
Hashing is a concept related to encryption, but it focuses on a different set of priorities.
According to Okta, hashing involves scrambling data at rest to ensure it's not stolen or tampered with. Protection is the goal, but the technique isn't built with decoding in mind.
As SentinelOne notes in a blog post, hashes are the output of a hashing algorithm like MD5 (Message Digest 5) or SHA (Secure Hash Algorithm), which aim to produce a unique, fixed-length string (the hash value, or message digest) for any given piece of data or message.
Organizations with vast numbers of usernames and passwords on file, such as federal agencies, are rightly very concerned with those usernames and passwords becoming compromised, increasing the risk that sensitive data will be exposed or exfiltrated. A password hash system could protect all of those passwords from hackers while ensuring those points aren't tampered with before they're used again, Okta notes. Hash encryption like this doesn't anonymize data, although plenty of people believe that it does. Instead, it's used to protect this data from those who might misuse or alter it.
Importantly, according to Okta, a typical hashing protocol doesn't come with an automatic translation key. Instead, the process is used to determine alterations, and the data is stored in a scrambled state.
Because encryption and hashing serve different purposes for federal IT security teams, it's important to know the key differences.
While encryption is primarily used to protect data in transit, hashing is used for protecting data in storage. Encryption can be used to protect passwords in transit while hashing is used to protect passwords in storage.
Data that has been encrypted can be decoded, but data that has been hashed cannot.
In neither case is data anonymized. Encryption relies on both public and private decryption keys while hashing relies only on private keys.
Each approach has its vulnerabilities, Okta notes. Breaking a hash means running a computer algorithm through the codes and developing theories about the key. It should be impossible, but experts say some programs can churn through 450 billion hashes per second, and that means hacking takes mere minutes, the company notes. Meanwhile, encrypted files can be easily decrypted if attackers are skillful enough.
It's important to note that agencies can combine hashing and encryption techniques. You might use hashing to protect password data on your server, but then you lean on encryption to protect files users download once they have gained access, Okta notes.
Since hashing can be defeated, there are other ways agencies can use the technique to secure data. This is known as salting the hash.
Salting is the act of adding a series of random characters to a password before going through the hashing function, Okta notes in a separate blog post.
By adding a series of random numbers and letters to the original password, agencies can achieve a different hash function each time, according to Okta. This way, we protect against the flaw of the hash function by having a different hashed password each time, the post notes.
Salt encryption must be stored in a database along with the user password, according to Okta, and it is recommended that salts be random and unique per login to mitigate attacks using rainbow tables of pre-computed hashes.
While an attacker could still re-compute hashes of common password lists using a given salt for a password, a way to provide additional defense in depth is to encrypt password storage at rest, preferably backed by a hardware security module or cloud key management service like Amazon Web Services Key Management Service, Okta notes.
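The salting behaviour described above, shown as an added Python example that is not code from the article or from Okta. It stores a random per-account salt next to the digest, shows a precomputed table hitting unsalted hashes but missing salted ones, and shows that a weak password can still be recomputed once the salt is known. PBKDF2-HMAC-SHA256, the iteration count, the account names, passwords and wordlist are all choices or constructed values made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Work factor and salt size are choices made for this example, not values from the article.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Fast, unsalted SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def build_precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Stand-in for a rainbow table: hash -> password, computed once and reused."""
    return {unsalted_hash(word): word for word in wordlist}


def recompute_with_salt(
    wordlist: Iterable[str], salt: bytes, expected: bytes
) -> Optional[str]:
    """What is still possible when the salt is known: one slow pass per record."""
    for word in wordlist:
        if verify_password(word, salt, expected):
            return word
    return None


def demo() -> dict:
    # Constructed wordlist and accounts; two users happen to share a password.
    wordlist = ["password", "letmein", "Spring2022!", "qwerty"]
    table = build_precomputed_table(wordlist)
    shared = "Spring2022!"

    unsalted_db = {"alice": unsalted_hash(shared), "bob": unsalted_hash(shared)}
    salted_db = {"alice": hash_password(shared), "bob": hash_password(shared)}

    alice_salt, alice_digest = salted_db["alice"]
    return {
        # Without a salt, equal passwords are visible as equal hashes.
        "unsalted_hashes_match": unsalted_db["alice"] == unsalted_db["bob"],
        # The precomputed table recovers the unsalted password in one lookup.
        "table_hit_unsalted": table.get(unsalted_db["alice"]),
        # With per-account salts the stored digests differ.
        "salted_digests_match": alice_digest == salted_db["bob"][1],
        # The same table is useless against the salted digest.
        "table_hit_salted": table.get(alice_digest.hex()),
        "correct_login": verify_password(shared, alice_salt, alice_digest),
        "wrong_login": verify_password("Spring2023!", alice_salt, alice_digest),
        # A guessable password falls to per-record recomputation with the salt.
        "weak_password_still_guessable": recompute_with_salt(
            wordlist, alice_salt, alice_digest
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last result is why the article goes on to recommend encrypting the password store at rest: the salt only removes the attacker's ability to reuse precomputed work.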
Which Types Of Encryption Will Remain Secure As Quantum Computing Develops – And Which Popular Ones Will Not – Joseph Steinberg
As I discussed last month, unless we take actions soon, a tremendous amount of data that is today protected through the use of encryption will become vulnerable to exposure.
The reason that such a major threat exists is simple: much of today's data relies on the security of what are known as asymmetric encryption algorithms, and such algorithms rely for their security on the fact that the mathematics that they use to encrypt cannot easily be reversed in order to decrypt. (For those interested in the details: the most common difficult-to-reverse mathematics employed by asymmetric encryption systems are integer factorization, discrete logarithms, and elliptic-curve discrete logarithms).
While today's computers cannot efficiently crack asymmetric encryption through the use of brute force (trying all possible values in order to discover a correct key could literally take centuries, and there are no shortcuts to doing so), we have already seen the dawn of so-called quantum computers: devices that leverage advanced physics to perform computing functions on large sets of data in super-efficient ways that are completely unachievable with classic computers. While it has long been believed that quantum computers could potentially undermine the integrity of various forms of encryption, in 1994, an American mathematician by the name of Peter Shor showed how a quantum algorithm could quickly solve integer factorization problems, transforming a theoretical risk into a time bomb. It became clear then that a powerful quantum computer utilizing Shor's Algorithm could both make mincemeat out of modern encryption systems, as well as trivialize the performance of various other forms of complex math, and, since then, we have already seen this happen. Just a few years ago, Google's early-generation quantum computer, Sycamore, for example, performed a calculation in 200 seconds that many experts believe would have taken the world's then-most-powerful-classic-supercomputer, IBM Summit, somewhere between multiple days and multiple millennia to complete. Yes, 200 seconds for a de facto prototype vs multiple millennia for a mature super computer.
To protect data in the quantum computing era, therefore, we must change how we encrypt. To help the world achieve such an objective, the US National Institute of Standards and Technology (NIST) has been running a competition since 2016 to develop new quantum-proof standards for cryptography; winners are expected to be announced sometime in the next year, and multiple approaches are expected to be endorsed.
Some quantum-safe encryption methods that appear to be among the likely candidates to be selected by NIST employ what are known as lattice approaches, employing math that, at least as of today, we do not know how to undermine with quantum algorithms. While lattice approaches are likely to prove popular methods of addressing quantum supremacy in the near term, there is concern that some of their security might stem from their newness, and, that over time, mathematicians may discover quantum algorithms that render them potentially crackable.
Other candidates for NIST's approval utilize what is known as code-based encryption, a time-tested method introduced in 1978 by Caltech Professor of Engineering, Robert McEliece; code-based encryption employs an error-correcting code, keys modified with linear transformations, and random junk data; while it is simple for parties with the decryption keys to remove the junk and decrypt, unauthorized parties seeking to decrypt face a huge challenge that remains effectively unsolvable by quantum algorithms, even after decades of analysis.
NIST's candidates also utilize various other encryption approaches that, at least as of now, appear to be quantum safe.
Of course, security is not the only factor when it comes to deciding how to encrypt; practicality plays a big role as well. Any quantum-safe encryption approach that is going to be successful must be usable by the masses; especially as the world experiences the proliferation of smart devices constrained by minimal processing power, memory, and bandwidth, mathematical complexity and/or large minimum key sizes can render useless otherwise great encryption options.
In short, many of today's popular asymmetric encryption methods (RSA, ECC, etc.) will be easily crackable by quantum computers in the not-so-distant future. (Modern asymmetric systems typically use asymmetric encryption to exchange keys that are then used for symmetric encryption; if the asymmetric part is not secure, the symmetric part is not either.) To address such risks we have quantum-safe encryption, a term that refers to encryption algorithms and systems, many of which already exist, that are believed to be resilient to cracking attempts performed by quantum computers.
While NIST is working on establishing preferred methods of quantum-safe encryption, sensitive data is already, now, being put at risk by quantum supremacy; as such, for many organizations, waiting for NIST may turn out to be a costly mistake. Additionally, the likely rush to retrofit existing systems with new encryption methods once NIST does produce recommendations may drive up the costs of related projects in terms of both time and money. With quantum-safe encryption solutions that leverage approaches submitted to NIST already available and running on today's computers, the time to start thinking about quantum risks is not somewhere down the road, but now.
This post is sponsored by IronCAP. Please click the link to learn more about IronCAP's patent protected methods of keeping data safe not only against today's cyberattacks, but also against future attacks from quantum computers.
Math That Helped Solve Fermat's Theorem Now Safeguards the Digital World – The New York Times
Defenses against digital snoopers keep getting stronger. Encryption is what keeps communications safe when you use Signal and other messaging apps, make online financial transactions, buy and sell cryptocurrencies like Bitcoin and trust that private information in your Apple iPhone will stay private.
While a variety of end-to-end encryption techniques seek to protect the flows of information from spies and eavesdroppers, one of the most powerful and ubiquitous is elliptic curve cryptography, invented in 1985. The method's underlying math helped solve the famous riddle of Fermat's last theorem and was promoted by the charitable foundation of James M. Vaughn Jr., an heir to oil riches. In the 1970s and 1980s, Mr. Vaughn funded experts who pursued knotty questions of mathematics that were assumed to have no practical value.
Mr. Vaughn's funding of Fermat studies backed the investigation of elliptic curves as a possible solution. The obscure branch of mathematics turned out to beget a new generation of powerful ciphers, in particular elliptic curve cryptography.
In his 2009 autobiography, Random Curves, Neal I. Koblitz, a University of Washington mathematician who aided Mr. Vaughn and was one of two inventors of the technique, described its biggest friend as the National Security Agency. An arm of the Pentagon, the N.S.A. works to strip governments of their secrets while concealing its own. It relies heavily on elliptic curve cryptography.
In an interview, Mr. Vaughn said N.S.A. officials sent math experts to the conferences he sponsored. "They always had people there," he recalled.
Of course, digital thieves are trying to undo the decades of encryption strides with new kinds of spyware and cyberweapons. Public encryption has become so powerful that the hackers often try to seize control of smartphones and steal their data before it's been scrambled and securely transmitted.
In public talks, Andrew Wiles, an Englishman who solved the Fermat puzzle, has seldom spoken of cryptography. In 1999, however, he touched on the topic at the Massachusetts Institute of Technology in describing recent math advances.
Dr. Wiles now teaches at the University of Oxford, which in 2013 opened a $100 million building named after him. Officials from Britain's equivalent of the N.S.A., the Government Communications Headquarters, or GCHQ, are no strangers to the Andrew Wiles Building.
In 2017, for instance, two officials from GCHQ gave talks there. They were Dan Shepherd, a researcher who helped uncover a major vulnerability in a proposed cipher, and Richard Pinch, the agency's head of mathematics.
Network security gets a boost in Windows Server 2022 – TechTarget
Cyber attacks spring from every conceivable angle in the data center, but multiple improved and new Windows Server 2022 network security features aim to thwart these breach attempts.
The last several years have seen numerous data breaches across organizations of all sizes, underscoring the need for better network security. Due to the prominence of Windows Server as a key component in enterprise infrastructure, it's critical to implement any means at the administrator's disposal to reduce the chance of falling victim to an intrusion. For organizations that want to improve their defensive posture, using Windows Server 2022's improved network security features can help limit their exposure to a wide range of attacks.
In addition to its secured-core server defensive measures, one of the biggest security improvements Microsoft added to Windows Server 2022 is native support for Transport Layer Security (TLS) 1.3, which was released in 2018. This latest version of the protocol used to encrypt network traffic addresses the vulnerabilities found in TLS 1.2 and provides better performance, particularly during the handshake process.
Microsoft enabled TLS 1.3 by default in Windows Server 2022, but the operating system can still use earlier TLS versions to accommodate incompatible clients.
HTTP has been around since 1989. Developed to transfer content from the World Wide Web to clients, its creators might not have foreseen the rapid pace of its adoption. The last major update to HTTP in 2016 addressed security and performance concerns, and now the third revision, HTTP/3, has been implemented in Windows Server 2022.
HTTP/3 is currently in development but is already in use by Google and Facebook. HTTP/3 uses the QUIC transport protocol based on the User Datagram Protocol. In addition to better performance, HTTP/3 uses encryption by default to maintain a secure connection.
Enabling HTTP/3 requires adding the following registry key:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f
Microsoft recommends administrators configure the Windows Web service to advertise the availability of the service via HTTP/3. Clients that connect with an older protocol will be notified of HTTP/3 support and switch to the more secure protocol. To enable HTTP/3 advertisement, add the following registry key:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f
Reboot the server to make the registry keys take effect.
Microsoft enhanced Windows Server 2022 network security with support for Secure DNS, which is an industry standard that goes by a variety of other names such as DNS-over-HTTPS (DoH).
DoH keeps DNS queries private. If someone monitors network traffic, they will see DNS queries being made, but the contents of those queries will be hidden. Some organizations use Secure DNS to conceal their online activities from the ISP. Secure DNS can also help to prevent DNS manipulation attacks.
Organizations should consider whether it is in their best interest to use Secure DNS. While there are security benefits, Secure DNS can also make it more difficult to detect malicious activity from the network because it will mask DNS queries generated by those attacks.
SMB encryption encrypts Server Message Block (SMB) traffic across the network. SMB is the protocol that Windows devices use to access Windows file shares. SMB is also commonly used for connectivity to NAS appliances and other storage arrays.
Microsoft added SMB encryption to Windows Server 2012 and enhanced it in Windows Server 2022 by adding support for both AES-256-GCM and AES-256-CCM encryption.
Admins turn on SMB encryption from the Windows Admin Center by connecting to the server hosting an SMB share, clicking on Files and File Sharing, followed by the File Shares tab. From there, select the share to encrypt and check Enable SMB encryption.
To do the same procedure but from PowerShell, enter the following command to use SMB encryption on a Windows file share:
Set-SmbShare -Name <ShareName> -EncryptData $True
When using SMB encryption, understand the difference between enabling and requiring SMB encryption. Enabling means clients that connect to an SMB share will use encryption if possible while requiring SMB encryption will reject any non-encrypted connections.
Windows Server 2022 and Windows 11 are currently the only Windows operating systems that support AES-256 encryption. Older Windows clients that connect to an SMB share hosted on a Windows Server 2022 host will revert to an older encryption standard, such as AES-128.
Windows Server 2022 also supports SMB encryption for east-west traffic, which refers to the SMB traffic that flows between Windows failover cluster nodes and a cluster shared volume. If the failover cluster uses Storage Spaces Direct, then this option allows the encryption of cluster communications for better overall security.
The easiest way to force a cluster node to encrypt all SMB traffic is to enter the following command into PowerShell:
Set-SMBServerConfiguration -EncryptData $True -Force
Verify the operation was successful by checking the EncryptData value after running the Get-SMBServerConfiguration command.
Microsoft developed support for encryption with SMB Direct in Windows Server 2022. This protocol uses Remote Data Memory Access (RDMA) to transfer large amounts of data without the CPU overhead normally required for these types of operations.
In previous Windows Server versions, enabling SMB encryption disabled direct data placement, which resulted in significantly slower SMB Direct performance, making it on par with a normal SMB session. Microsoft addressed this issue in Windows Server 2022 to give organizations high-speed encrypted transfers by encrypting the data prior to placement. While the encryption process does require some CPU resources, the performance impact is typically very minor.
Microsoft covers these SMB improvements at the following link.
NetApp ONTAP Achieves Validation from NSA for Security and Encryption – Database Trends and Applications
NetApp, a global, cloud-led, data-centric software company, has announced that NetApp ONTAP, an enterprise storage and data management platform, has achieved Commercial Solutions for Classified (CSfC) validation for a data-at-rest (DAR) capability package. With this, organizations across the globe can benefit from NetApp ONTAP's security capabilities to protect customers' information on-prem and in remote locations from foreign actors, ransomware attacks or other data loss threats they may face.
A cybersecurity program led by the U.S. National Security Agency (NSA), CSfC is a key component of the organization's commercial cybersecurity strategy. CSfC validates commercial IT products that have met the highest level of strict encryption standards and rigorous security requirements for both hardware and software solutions. Recently, the NSA has recommended that federal agencies hosting secret or top-secret data utilize storage solutions that have been CSfC validated.
Companies are facing more threats to their data and ultimately their business than ever before. According to Accenture's State of Cybersecurity Resilience 2021 report, there were on average 270 attacks per company in 2021, a 31% increase from 2020. Additionally, 81% of chief information security officer (CISO) respondents said that staying ahead of attackers is a constant battle and the cost is unsustainable.
According to NetApp, with this CSfC validation, organizations can expect NetApp ONTAP to:
NetApp has been in the data protection business for nearly 30 years and is a data storage and management supplier to the federal government, delivering storage innovation and data solutions, including data encryption, both in-flight and at rest, compliance, and protection. The latest release of ONTAP enables enterprises to use machine learning to protect against cyber-attacks with integrated preemptive detection and accelerated data recovery.
"Organizations today know that data security is paramount, whether they operate in the public or private sector," said Michelle Rudnicki, vice president, U.S. public sector at NetApp. "With NetApp's world-class data security capabilities and this CSfC validation, government organizations as well as companies in highly regulated industries like financial services, healthcare, energy or any organization with valuable intellectual property can be reassured that their most sensitive data is secure with NetApp ONTAP."
For more information, go to http://www.netapp.com.
Original post:
NetApp ONTAP Achieves Validation from NSA for Security and Encryption - Database Trends and Applications
Attack on the Red Cross, UK against end-to-end encryption and other cybersecurity developments – The Times Hub
We have collected the most important news from the world of cybersecurity for the week.
Bitdefender experts have discovered a new BHUNT malware aimed at stealing cryptocurrency wallet funds, passwords, and seed phrases.
The malware can also steal cookies and other confidential information stored in the cache of Chrome and Firefox browsers.
Bitdefender urged users never to download software from untrusted sources and to install updates in a timely manner.
The personal data of 515,000 people was compromised in an attack on the servers of the International Committee of the Red Cross.
Most of the data belongs to extremely vulnerable people: those separated from their families due to military conflicts, migration and natural disasters, missing persons and their families, as well as persons in custody.
Who is behind the attack is unknown. The Red Cross urged the hackers to do the right thing: do not sell or distribute the information received.
The UK government will launch an advertising attack on end-to-end encryption, according to Rolling Stone. The main goal is to turn the public against the decision by Meta (formerly Facebook) to implement encryption in Messenger.
The UK Home Office hired advertising agency M&C Saatchi to implement this initiative.
The main argument of law enforcement officers against end-to-end encryption is a potential threat to the safety of children and the complication of identifying intruders. Due to these concerns, Meta has been forced to delay its default rollout on its Messenger and Instagram until 2023.
Through trackers embedded in emails, third parties can access the recipient's data, including their location, ProtonMail clarified.
During the detention of those suspected of participating in the REvil hacker group, Russian law enforcement officers arrested one of the people responsible for hacking the Colonial Pipeline company. This is reported by The Washington Post, citing sources.
Recall that last year Colonial Pipeline was attacked by a ransomware virus that stole about 100 GB of data and blocked computer systems. The attack was blamed on the DarkSide group; the hackers were linked to Russia.
Colonial Pipeline paid the attackers 75 BTC to restore work and return data.
Later, the FBI returned 63.7 BTC from the ransom paid by the company. It is not known how the agency gained access to the bitcoin wallet.
In January 2021, the FSB announced the detention of 14 members of the REvil group after an appeal from the United States.
In Brazil, the Telegram messenger may be blocked due to fears of the spread of fake news during the elections in October 2022, Valor Economico reports.
The head of the Supreme Electoral Court, Roberto Barroso, tried to contact the founder of the service, Pavel Durov, to discuss cooperation in but received no response.
Brazil has already concluded similar agreements with Twitter, Facebook and WhatsApp.
REvil is considered one of the largest groups behind the spread of ransomware viruses, and therefore the detention of its alleged members caused a great outcry. Last year, everyone was talking about ransomware, from cybersecurity experts and the media to government authorities.
Read the original:
Attack on the Red Cross, UK against end-to-end encryption and other cybersecurity developments - The Times Hub
Stop email tracking with encrypted email from ProtonMail – Geeky Gadgets
ProtonMail is a secure Switzerland-based email service that provides you with encrypted email accounts via both desktop and mobile applications with support for both iOS and Android operating systems. ProtonMail is incorporated in Switzerland, which means all user data is protected by strict Swiss privacy laws.
Once you sign up for a ProtonMail email account, you will benefit from end-to-end encryption and zero-access encryption to secure emails, meaning that not even the ProtonMail engineers can decrypt and read your emails and, as a result, no third parties can snoop on your private communications or scan your email for your personal data. The Proton Calendar and Proton Drive services extend privacy to your events and documents, and your secure email service is fully integrated with the encrypted calendar, enabling you to keep your events completely private and away from prying eyes.
ProtonMail is an email provider/service that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that. We also provide an anonymous email gateway. ProtonMail can be used on any device without software install. ProtonMail secure email accounts are fully compatible with other email providers. You can send and receive emails normally. We believe email privacy should be available to all. That's why our code is open source and basic ProtonMail accounts are always free. You can support the service by upgrading to a paid account.
The integrated tracking protection feature finds and blocks tracking pixels, and has already blocked more than 1.3 million trackers, despite being available to less than 1% of Proton users in its beta trial. Email tracking is a form of digital surveillance that has become a serious concern in recent years.
Over 40% of emails sent and received daily are now tracked. While ProtonMail has always blocked third party content (and therefore tracking pixels) by default, this new feature will allow users to read their newsletters, register for online accounts and fully engage with their emails without letting advertisers watch.
For more information on how you can protect your email from tracking and third-party snooping, jump over to the official ProtonMail website by following the link below.
Source: Proton
See more here:
Stop email tracking with encrypted email from ProtonMail - Geeky Gadgets
NSA gains new cybersecurity authorities over national security systems – SC Media
The White House issued a memo today that gives the National Security Agency (NSA) more authority over protecting national security systems and seeks to better position the Department of Defense (DoD) and intelligence agencies to handle a range of digital national security threats targeting cloud systems and outdated encryption standards.
The memo places the NSA in a role similar to the one the Cybersecurity and Infrastructure Security Agency (CISA) plays among federal civilian agencies. The agency will now have the authority to issue emergency and binding directives that require agencies to take discrete actions on cybersecurity problems or emerging threats.
While each agency will still ultimately be responsible for protecting their sensitive systems and data, it gives the director of the NSA wide latitude to designate what constitutes a national security system at other defense and intelligence agencies, examine systems for security controls and incident response and issue new requirements or activities meant to shore up cybersecurity.
It also establishes the NSA as the focal point for visibility over cybersecurity threats that affect military and intelligence systems. Within two months, the NSA will issue a directive ordering agencies to send relevant information for any and all cross domain solutions or systems that connect to other systems with different levels of classification. Agencies will send logs, IT asset inventories, patching history and other information to the NSA, who will serve as the principal advisor for all such actions.
The memo also puts responsibility on DoD, the FBI, the CIA and the Office of the Director of National Intelligence to flesh out a framework for conducting incident response activities on national security systems and requires any breach to be reported to the NSA.
The order lays out a number of timelines for military and intelligence agencies to follow.
By March, each agency with systems that handle sensitive or classified national security data must update its plans around zero trust and cloud adoption. By April, the Committee on National Security Systems must establish minimum security controls for national security IT systems that are migrated to the cloud. Agencies must also confirm by July that all national security system data are using multifactor authentication and encryption protocols, both for data at rest and in transit.
On the encryption side, the NSA has been at the forefront of implementing new encryption protocols that can withstand potential attacks from quantum computers in the future. The memo puts the NSA in the driver's seat of implementing similar transformations across the national security space, including contractors. Defense and intel agencies will have six months to map out any systems that are not compliant or not using NSA-approved algorithms and establish timelines for replacing them.
A House report on the National Defense Authorization Act last September explicitly floated giving the NSA the authority to issue binding operational directives, saying that while current law allows the Joint Functional Headquarters-Department of Defense Information Network agencies to direct required actions to the majority of the federal government, there appear to be impediments to a comparable authority over National Security Systems.
At the time, one former NSA employee told SC Media that it would depend on the specifics but if granted, he expected such authorities to be used not only to defend U.S. government networks, but also enhance intelligence collection against the foreign adversaries targeting them.
"No federal agency has ever said, 'Please don't give us an authority,' and intelligence agencies are certainly no exception," said Jake Williams, a former NSA hacker and chief technology officer at BreachQuest. "Intelligence agencies only operate within the authorities they're granted and certainly any BODs given to NSA will be used to enhance the intelligence mission."
Sen. Mark Warner, D-Va., praised the move in a statement and pointed to the requirement that agencies report hacks to the NSA, calling for Congress to pass legislation he authored imposing similar requirements on critical infrastructure. A bill to do so was stripped out of last year's NDAA, but sources in Congress have told SC Media that they are eyeing a number of possible legislative vehicles, including an upcoming government spending bill due in February and as a rider to the United States Innovation and Competition Act, to get it passed into law.
"Now it's time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours," Warner said.
Read more here:
NSA gains new cybersecurity authorities over national security systems - SC Media