Category Archives: Encryption
Bluefin Issues New Payment Security Brief on PCI-validated P2PE for Petroleum and Convenience Stores – PR Web
Bluefin and our partners have been laser-focused on introducing a complete P2PE solution that is acquirer-agnostic, will work within the complexities of processing and routing transactions, and can be implemented throughout the fuel environment," Greg Cornwell, Chief Revenue Officer, Bluefin.
ATLANTA (PRWEB) October 04, 2021
Bluefin, the recognized integrated payments leader in encryption and tokenization technologies to protect payments and sensitive data, has issued a new payment security brief, P2PE for Petroleum and C-Stores: Bluefin Industry Partner and Payment Security Solution.
The security brief provides an overview of the petroleum environment, including the major manufacturers, hardware and software providers and their roles, and the complexities of fuel merchant processing. It also details the payment security features needed by petroleum and convenience stores (C-stores) and merchants, including PCI-validated point-to-point encryption (P2PE).
The brief also discusses the first true PCI-validated P2PE solution utilizing Bluefins Decryptx P2PE product and those from industry partners including Allied Electronics, NCR, Transaction Network Services (TNS) and Comdata that will encrypt payment data not only at the pump, but also within the C-store environment, for major petroleum merchants.
While EMV and P2PE have been widely adopted in industries like higher education and healthcare, petroleum has been slow to implement new payment security initiatives, which has resulted in several high-profile data compromises in this sector, said Greg Cornwell, Chief Revenue Officer, Bluefin. Bluefin and our partners have been laser-focused on introducing a complete P2PE solution that is acquirer-agnostic, will work within the complexities of processing and routing transactions, and can be implemented throughout the fuel environment from the pump, to in-store, to the car wash, and to mobile and curbside pickups.
Bluefin was the first North American provider of a PCI-validated P2PE solution in 2014 for the immediate encryption of point-of-sale (POS) payments. PCI P2PE provides numerous benefits, including cost savings, PCI scope reduction and brand protection.
Part of the issue that you see with fuel merchants is that, until now, there hasnt been a PCI-validated P2PE solution that could work within the constraints of the fuel environment, said Ruston Miles, Founder, Bluefin. Many fuel merchants have multiple brands under their banner and could have one group processing with one payment acquirer, another group processing with a different acquirer, and a third group with a different acquirer with each of the three having a different mix of vendors, payment terminals and more. All of these formulations had to be taken into account by Bluefin and our partners when developing this solution.
We could not be any more excited to bring the security of PCI-validated P2PE to the petroleum industry and C-stores, added Miles.
The brief can be downloaded from Bluefins website.
About Bluefin
Bluefin is the recognized integrated payments leader in encryption and tokenization technologies to protect payments and sensitive data. Our product suite includes solutions for contactless face-to-face, call center, mobile, Ecommerce and unattended payments and data in the healthcare, higher education, government and non-profit industries. The companys partner network currently includes over 200 processors, payment gateways and ISVs operating in 45 countries. Bluefin is a Participating Organization (PO) of the PCI Security Standards Council (SSC) and is headquartered in Atlanta, with offices in Waterford, Ireland. For more information, please visit http://www.bluefin.com.
Share article on social media or email:
Excerpt from:
Bluefin Issues New Payment Security Brief on PCI-validated P2PE for Petroleum and Convenience Stores - PR Web
Get a lifetime of easy, automatic encryption for all of the files on your computer for just $30 – ZDNet
With the frequency and severity of malware attacks growing practically every day, the files and folders on our computers have never been more at risk. Sure, there have been solutions for strong protection available, but they tend to be so cumbersome and inconvenient to use that few of us would bother. Fortunately, a lifetime subscription to the powerful yet easy-to-use GhostVolt Encryption Software is currently very affordable.
GhostVolt will automatically add enterprise-level 256-bit AES encryption to your data and permanently maintains it on your computer or home network. For added security, the program will automatically log you out after a period of inactivity. It will even check your passwords against over 600 million exposed ones.
File management couldn't be easier since the app is designed just like your regular file explorer, so there's no learning curve. You can just add your files and folders as you normally would, and they will also be automatically re-encrypted after any editing. You can both preview and share files securely.
Many convenience features are built-in, including integration with Microsoft OneDrive, light and dark modes, backup encryption keys, and more. The program is multilingual, as well, for English, Spanish, French, German, Italian, and Portuguese. Users are really satisfied with GhostVolt, rating it 4.3 out of 5 stars on TrustPilot and 4.7 out of 5 stars on Softpedia.
If you tend to use a laptop more often than a desktop and spend any time at all on public Wi-Fi networks, and want to take even further precautions, you might like this powerful VPN bundled with two extra displays. But GhostVolt will offer you the ultimate in privacy and protection against data or identity theft. Because the encryption will completely obscure all of your personal information, so it will be unreadable to criminals even if it is stolen, hacked, or breached.
You really don't want to pass up this opportunity to protect all of your most sensitive files when it is so easy and affordable to do; getGhostVolt Encryption Software: Lifetime Subscription while it is on sale for only $29.99.
Read more here:
Get a lifetime of easy, automatic encryption for all of the files on your computer for just $30 - ZDNet
Tide encryption is ready to end the cyber breach pandemic – TechCrunch
The global pandemic, along with the digital transformation it accelerated, broadened corporate attack surfaces exponentially. As a result, there were almost 1,800 publicly reported data breaches in the first six months of 2021 alone, accounting for the exposure of 18.8 billion records. Among these were devastating, large-scale breaches of consumer names, contact details and financial records, such as the ongoing Accellion compromise that has impacted over 100 companies, organizations and government agencies, and the recent T-Mobile breach that exposed the details of 47 million customers.
Tide Foundation, a Sydney-based, five-person startup competing in TechCrunch Disrupt Startup Battlefield this week, claims that its first-of-its-kind encryption protocol could make this so-called cyber breach pandemic a tagline the nonprofit was using before the global crisis struck a thing of the past.
However, tackling cybercrime hasnt always been the mission of Tide co-founders Michael Loewy and Yuval Hertzog. In fact, the startup was born out of the teams prior business, a marketing platform called Ziva that helped to connect enterprises with consumers over Internet of Things (IoT) devices. While the business grew quickly, attracting a number of big-name enterprise clients, Ziva soon ran into a privacy problem when architecting a campaign for Kelloggs. The campaign in question was a Special K Fitness Challenge, with participants sharing data from wearables with rewards based on the number of kilometers completed.
We collected accounts of tens of thousands of people, and we knew everything about their lives way beyond what they knew themselves; their habits, health and even their nutrition, said Hertzog, who runs the technology side of the startup. This was a treasure trove for enterprises, but we couldnt avoid the fact that were sitting on very sensitive information.
Tide realized that it needed to safeguard this data but failed to find an existing solution that ticked all of the boxes. Thats when Tide, a blockchain-based encryption method, was masterminded.
The protocol, which the startup claims is the first true zero trust authentication method, can be deployed into an organization to encrypt sensitive data, such as customer records and financial information. Each record has its own encryption key, and each key is controlled by a decentralized guardian.
No one has nailed a proper zero trust model, because no one really has zero in their trust model. We are the only one offering an entirely zero trust model, said Loewy.
Tide founders, L-R Dominique Valladolid, Michael Loewy and Yuval Hertzog. Image Credits: Tide Foundation
Its virtually impossible to hack, too, according to the startup. The key issplit between a group of nodes, and no node has access to or knowledge of the whole key, or the authority to act on its own. This makes malicious access to your key almost impossible.
When not if you hack it, you have to invest resources to hack at least 20 computers, at 20 locations around the world, and even then you reach a fraction of the data you are after, said Hertzog, adding that while Tide has worked to make its technology hacker-proof, its also been keen to ensure it passes the grandpa test.
This link between the human world and the computer world is very challenging. We put a lot of effort into human interaction, and we built a way for human beings to engage with the system through the simplest mechanism that exists today, which is username and password, said Hertzog. Its definitely not foolproof, but at least with us, its billions of times harder to attack you using a password. Saying that, our technology starts with supporting usernames and passwords, but it can support biometric authentication.
To date, the Tide Foundation has raised the equivalent of $2 million, primarily from Angel investors, and the five-year-old startup has also secured the backing of some big names in the cybersecurity world. Willy Susilo, a distinguished professor at the School of Computing and Information Technology in Wollongong, Australia,is an adviser to the company, alongside the likes of formerMicrosoft director Peter Ostick and Tom Dery, former global chairman of M&C Saatchi.
The well-supported startup is now focused on getting Tide out to the market, and as a result of the pandemic and the cybersecurity chaos that ensued, its already in demand.
We were talking to companies abut privacy and protection before the pandemic, and the response we got was that if we get hacked, were in good company, Hertzog said. The conversation changes after COVID. Weve been chased down by the academic world, healthcare, law practices and critical infrastructure an entire area that is completely exposed.
Read more from the original source:
Tide encryption is ready to end the cyber breach pandemic - TechCrunch
Braves non-tracking, browser-based video conferencing tool is out of beta – TechCrunch
Brave, the startup behind the eponymous non-tracking browser, has launched a non-tracking video conferencing add-on out of beta letting all users make and receive video calls straight from their browser.
The tool, called Brave Talk, has been in beta testing since May last year. And Brave told us its had some 14,000 daily active users over this period aka, earlier adopters and developers tapping in via Braves test version.
Now its been made open access with Brave making a pitch to internet users of privacy-focused video conferencing.
Many other video conferencing providers, including Zoom, monitor calls, metadata, and images, and the records of that data can be sold or shared without user consent, it writes in a blog post announcing the wider launch.
Brave Talk users can enable multiple layers of encryption on calls, so an eavesdropper cannot listen in on users calls, and our servers dont save metadata, so calls, images, and activities are never recorded or shared without user consent, it adds.
The video calling software is a subscription offering costing $7 per month for premium features (like group calls and call recording) but basic one-to-one calls are free and unlimited. (NB: Braves Android and iOS apps only currently offer Brave Talk Premium but will have the free version too in the coming weeks).
Users initiating a video call must do so from within the Brave browser; however, recipients need only be using any modern browser (so basically Chrome, Firefox, Safari, Edge, Opera etc.) to participate in a video chat.
While Brave is touting its non-tracking credentials as a differentiating plus for the video conferencing software versus mainstream players like Zoom, its worth noting that Brave Talk does not (yet) have end-to-end encryption rolled out.
Brave says its using the Jitsi as a Service open source video meeting platform from 88 which relies on WebRTC open source technology to enable developers to embed HD video directly into the browser.
On encryption it says users can enable different layers in the settings. It describes the current strongest level of encryption available in both free and premium versions of Brave Talk as Video Bridge Encryption.
This setting ensures that the video and audio streams are encrypted using keys generated by the participants, which prevents eavesdropping on the Video Bridge Server, said co-founder and CEO Brendan Eich. Video Bridge Encryption can be enabled under Security Options.
Because we find the phrase end to end encryption to be confusing and overloaded, Brave Talk refers to the setting as Video Bridge Encryption, he also told us, adding: End to end encrypted calls are just one dimension of privacy and security when participating in video calls. Even when using encryption, most of the Big Tech video tools actively collect and store data about your call: Who the participants were, when the call took place and for how long, and a host of other information.
The anonymous credential system employed by Brave Talk ensures that we dont know who users are and who they are talking to, and we cant link them across sessions. Brave Talk is a privacy-by-default tool that does not track users.
Pushed for more clarity on the difference between Video Bridge Encryption (VBE) and E2EE, he also told TechCrunch: The reason that we refer to it as Video Bridge Encryption and not End to End Encryption is that, while VBE does ensure that audio and video remain encrypted from Brave, 88, and any other passive eavesdroppers, we are still working with 88 on a way to make this more robust against active attackers by automatically authenticating meeting participants.
When that work is complete, we will feel comfortable introducing it as full end to end encryption, and it will provide significant advantages over platforms like Zoom, which require participants to read a security code out loud to confirm end to end encryption is working.
Internet users wanting to kick the tyres of Brave Talk which was previously called Brave Together will first need to download the Brave browser in order to initiate a call. Receiving calls doesnt require using Brave, as mentioned earlier.
Per Eich, Brave recently passed 36 million monthly active users across its suite of anti-tracking products which also includes a search engine and a Firewall+VPN.
Read the original here:
Braves non-tracking, browser-based video conferencing tool is out of beta - TechCrunch
The FBI has kept the presence of the encryption key secret from Casey for three weeks. – Cheraw Chronicle
The FBI has kept the cryptocurrency secret for almost three weeks. The Washington Post writes.
Casey, a management software developer who was the victim of a major Revel ransomware attack in early July, said in the fourth week of July that it had a global key to share with its customers. The cyber attack, which spread through Kasia VSAs software in early July, affected more than a thousand companies worldwide.
The hackers entered a vulnerable spot in the software and were able to take hostages of more than a thousand company systems. The hackers demanded $ 70 million to release the keys that would allow the victim to regain access to their files. In Sweden, among other things, 800 coupe supermarkets had to close because cash register systems no longer work due to the hack.
The key was reportedly obtained by the FBI in early July, but was not shared with other parties until three weeks later. No FBI Director Christopher Wray confirmed Tuesday. The key was obtained by accessing the servers of the Russian-based criminal gang behind the attack. Immediate sharing helped save millions of dollars in recovery costs for victims, including schools and hospitals.
But the FBI had the keys with the consent of other companies. Reeve planned to launch an operation to deal with the hackers so that service would not stop them. Furthermore, the government assessment found that the damage was not as severe as initially feared. The hacker groups planned removal eventually did not happen because Revils site went offline in mid July without US government intervention and the hackers disappeared before the FBI could implement its plan.
The FBI finally shared the key with Casey July 21-19. Kasaya immediately asked New Zealand-based security firm MCSoft to develop a new encryption tool, which Kasaya released the next day.
After the Russian hacking group disappeared from the Internet, Revil suddenly appeared on the Internet earlier this month. Meanwhile, the group is said to have carried out several new hacking attacks.
5 ways to stay ahead of government-targeted ransomware – GCN.com
INDUSTRY INSIGHT
It is no surprise that governments around the world are among the most highly targeted and impacted victims of ransomware. Last years SolarWinds data breach in the U.S. was a reminder of the ability of cyberattacks to penetrate public-sector agencies and unleash damage across a federal agencies.
According to new independent research from Sophos, over the past year, 40% of central governments and non-departmental public bodies across the globe were attacked by ransomware. This put central governments and NDPBs fourth in a ranking of industries most afflicted by ransomware, surpassed only by retail, education and business/professional services. Considering that federal governments employ trained IT staff, the fact that four in 10 were unable to stop a ransomware attack speaks to the ability of cyber attackers to penetrate even the best defenses. More than one-third (34%) of local governments also reported experiencing a ransomware attack over the past year curious, considering that local government agencies would presumably have a fewer resources to defend their systems.
Extortion-style ransomware disproportionately aimed at central governments
One disturbing trend seen in ransomware over the past year has been the emergence of extortion-style attacks. Ransomware typically involves encrypting a victims data and then exchanging the decryption key for payment. Lately, extortion-style attacks where the attacker steals the data rather than encrypting it and threatens to release it (either to the dark web or to the public) in exchange for a ransom payment have started to pick up steam.
This is especially acute in the government sector. Central governments and NDPBs experience extortion-style ransomware at nearly double the rate of all industries. That said, encryption-based attacks still remain the most dominant strain of ransomware, comprising almost half (49%) of attacks faced by central government and NDPBs.
In ransomware attacks against local governments, 69% of victims saw their data encrypted a staggering 20 points greater than what central governments had experienced. These numbers point to an interesting split: Ransomware attacks against central governments are slowly moving from encryption-style to extortion-style attacks, while encryption-based attacks against local governments remain extremely high and extortion-based attacks rare (2%). This difference may be because central governments have relatively higher-value data to steal and hold for extortion, and local government agencies, on the other hand, dont have the kind of national secrets that central governments do, perhaps sparking less interest among attackers.
Why its not worth paying the ransom
In the heat of a ransomware attack, its easy to see why just paying the ransom to get data back (or prevent public release) can feel like the path of least resistance. Thats what attackers are counting on, after all. But its not necessary. The survey reveals that most (61%) central governments and NDPBs hit with ransomware restored their data from backups. Only 26% ended up paying the ransom to get their data back. In total, nearly all (96%) of central government victims ended up with their data restored. These findings speak to both the need to back up data proactively and how unnecessary it is to pay the ransom to get data returned.
The findings may also point to central governments awareness about data backups that may not be shared by their smaller counterparts. Among local government organizations that were hit by ransomware, there was an even split between those who restored data through backups and those who paid ransoms to get their data back 42% for both indicating that smaller agencies perhaps have a greater need to pay ransoms in order to restore their data, as well as a lack of backups to draw from.
Five ways to stay ahead of government-targeted ransomware
Governments are some of the least prepared organizations in the world to recover from a major malware incident like ransomware. Among all industries surveyed on their malware incident recovery planning preparedness, both central and local governments ranked at the bottom of the list. This cannot continue to be the status quo particularly when so many central and local governments have either been attacked by ransomware already or expect to be attacked in the future.
Staying ahead of the ransomware curve calls for more preparedness. Here are five easy steps that central and local government agencies take now to mitigate the probability of a ransomware attack and improve their chances of recovering from one.
About the Author
Dan Schiappa is the chief product officer at Sophos.
Read the original here:
5 ways to stay ahead of government-targeted ransomware - GCN.com
Encryption Software Market expectation surges with rising demand and changing trends by industry analysis through 2026 Stillwater Current -…
The business report delivered by Zion Market Research on Global Encryption Software Market What Industry Holds for the Future post Covid? Development Analysis and Complete Insights 2020 2026 is engaged to work with a profound comprehension of the market definition, potential, and extension. The report is minister after profound examination and investigation by specialists. It comprises of a coordinated and precise clarification of current market patterns to help the clients to involve inside and out market investigation. The report includes an extensive appraisal of various techniques like consolidations and acquisitions, item advancements, and exploration and improvements embraced by noticeable market pioneers to remain at the bleeding edge in the worldwide market.
Key participants for business development are BM, Microsoft, Sophos ltd, Gemalto, Net App Inc, Hewlett- Packard, Vormetric, Oracle, Intel and Symantec
Sample Copy of The Encryption Software MarketReport:https://www.zionmarketresearch.com/sample/encryption-software-market
The Encryption Software Market Report is a straightforward record introducing segment by-area insights regarding the worldwide market. Beginning with a short layout of the general market, it will show the by and large assessed market measurements and various boundaries for the gauge time frame (2020-2026). Also, the report will clarify the primary factors that are driving or obstructing the extension of the worldwide Encryption Software Market. Moreover, it presents the dangers and roads that the organization or market members can look during the coming time frame alongside potential answers for beat them. Furthermore, the report remembers continuous and possible patterns for the market that could move the development direction of the worldwide Encryption Software Market. Moreover, broadly set forward the common and past market advancement procedures like M&A, associations, coordinated efforts, and so on taken by market members and government associations.
Development drivers:
The report gives a precise and expert investigation of worldwide Encryption Software Market business situations. The perplexing examination of chances, development drivers, and the future estimate is introduced in basic and effectively justifiable configurations. The report fathoms the Encryption Software Market by expounding the innovation elements, monetary position, development technique, item portfolio during the estimate time frame.
Request Free Brochure of theEncryption Software MarketReport:https://www.zionmarketresearch.com/requestbrochure/encryption-software-market
Report Scope:
The information presented in the report will help the clients in improving their capacity to settle on educated choices in regards to the business under the Encryption Software Market. The report likewise centres around current and future guidelines and arrangements that will be given by government organizations, which can improve or smother market development. To improve the data reasonable, experts and experts have included graphs, insights, stream outlines and models in the worldwide Encryption Software Market report. Alongside this, the report passes on logical data through market division on a geographic level. In conclusion, the worldwide Encryption Software Market gives peruses a total outline of the market during the figure time frame from
Enquire Here to Get Customization, Methodology & Check Discount for the Encryption Software Market Report:https://www.zionmarketresearch.com/inquiry/encryption-software-market
2020-2026 which will help them in making the right business. decisions that will prompt the improvement of their organization.
Moreover, the Encryption Software Market report will keep on introducing the size of the worldwide Encryption Software Market as far as volume and worth. It will likewise assess worldwide market division dependent on different perspectives like [Product, Application, End User and Key Region]. The report further classifies the worldwide market by area and gives an outline of the different districts and market development and conceivable development openings in the locale. To wrap things up; The report additionally incorporates the effect of the continuous Corona infection pandemic on market development on a territorial and worldwide scale. The quick effect of a pandemic contrasts dependent on market interest. While a few business sectors might observer a decrease sought after, numerous others will stay flawless and show potential development openings. In like manner, our Encryption Software Market report will offer you an exhaustive investigation of the worldwide market alongside the effect of COVID-19 on the worldwide Encryption Software Market.
Table Of Content:
Chapter No. 1 Introduction
Chapter No. 2 Executive Summary
Chapter No. 3 COVID 19 Impact Analysis
Chapter No. 4 Encryption Software Market Type Segment Analysis
Chapter No. 5: Encryption Software Market Industry Analysis
Chapter No. 6: Encryption Software Market Industry Analysis
Chapter No. 7: Competitive Landscape
Chapter No. 8: Company Profiles
Chapter No. 9: Marketing Strategy Analysis
Reference for other Reports:
Green Cement Market :https://www.stillwatercurrent.com/green-cement-market-to-surge-at-a-robust-pace-in-terms-of-revenue-over-2020-2026/
Key Questions Answered In The Market Report:What will be the growth rate of the global Encryption Software Market?Who are the key market leaders of the global Encryption Software Market?What are the sales, price, and revenue analyses of the global Encryption Software Market?What are the market opportunities, and threats faced by the new entrants in the global Encryption Software Market?What are the key factors which increase the growth of the global Encryption Software Market?
Thanks for reading this article; you can also get individual chapter wise section or region wise report version like North America, Europe or Asia.
Read the rest here:
Encryption Software Market expectation surges with rising demand and changing trends by industry analysis through 2026 Stillwater Current -...
What Is a Hardware Security Module? HSMs Explained – Hashed Out by The SSL Store
Hardware security modules are specialized computing devices designed to securely store and use cryptographic keys. Lets break down what HSMs are, how they work, and why theyre so important to public key infrastructure
Demand for hardware security modules (HSMs) is booming. Data from Entrusts 2021 Global Encryption Trends Study shows that HSM usage has been steadily increasing over the last eight years, increasing from 26% in fiscal year 2012 to 49% in 2020. According to data from 360 Market Updates, the HSM market is expected to reach $2.75 billion by the end of 2026.
What is an HSM and what does it do? Why are so many companies using HSMs? And what are the practical uses for HSMs in enterprise environments?
Lets hash it out.
Encrypted data isnt secure if the keys you use to encrypt it are exposed this is where HSMs can save the day. Hardware security modules (HSMs) are tamper- and intrusion-resistant hardware components that organizations use to protect and store their cryptographic keys while still making them available for use by authorized users. Their purpose is to control access and limit risk to your companys sensitive private keys.
HSMs enable your employees to use of your organizations private keys without needing direct access to them. Basically, your software (for example, hosted on a web server) can execute cryptographic functions and authentication without loading a copy of your private key into memory on your web server (where it could be vulnerable to attack). The cryptographic functions are all done within the confines of an HSMs secure environment. Performing these operations within this secure little bubble keeps your sensitive data from becoming compromised by keeping the private keys hidden away in a secure location.
To better understand this concept, think of an HSM like a vending machine. A vending machine stores drinks and food items within an isolated internal environment. Its designed to accept user inputs (i.e., your item selections) and generate outputs (i.e., pop out a tasty snack), and you cant access the inside of the vending machine or alter its functions.
Similarly, an HSM accepts user inputs and generates outputs (such as signed certificates or software) without users (or applications) seeing, accessing, or altering your cryptographic keys. Thats because its functions are executed within the confines of its secure environment, and no key can be wholly exported, extracted or removed from an HSM in a readable format. So, like a vending machine, you can use it to get your desired output but you cant see or access the internal workings of the device and all of its individual components that made it possible.
Heres a quick overview of how hardware security modules work:
You may be wondering why you need to use a hardware security module at all. I mean, why should you go through the hassle and cost of setting up an HSM when you can simply use your web servers built-in functionalities?
Well, for one thing, an HSM provides significantly more secure key storage than what youd get from using a traditional web server. When companies use their web servers to run many applications, this can result in vulnerabilities that cybercriminals can exploit. HSMs are devices with limited usages and attack vectors. This is why:
Using an HSM helps you secure your private code signing keys and avoid exposure issues like what HashiCorp faced earlier this year. On April 22, HashiCorp informed customers that the GPG private key they use to sign official product downloads and updates was exposed as the result of a third-party (Codecov) security incident.
Basically, the crux of the situation is that an unauthorized user exploited a vulnerability that gave them the ability to export sensitive data from Codecovs continuous integration (CI) environments. HashiCorps CI environment which housed the companys GPG private key and other sensitive secrets among were among those exposed CI environments. If HashiCorp stored their key in a secure HSM instead of the CI, then it wouldnt have been exposed.
There are also many other purposes and uses that HSMs serve in terms of PKI and general cybersecurity. You can use an HSM to:
Heres a breakdown of the top 10 HSM use cases in 2021, according to data from Entrust and the Ponemon Institute:
Having options for secure cryptographic storage is important for all businesses, particularly as their needs evolve with the growth of their operations. The good news is that HSMs vary in terms of both their physical sizes and applications. Some HSMs are small plug-in cards or USB devices while others are large external devices and appliances that companies store on premises within secure locations.
Hardware security modules can be very cost-prohibitive for many businesses. A 2018 article in SecurityToday.com says that the cost of deploying a single HSM can range upwards of $40,000 and that price doesnt include other related costs such as additional hardware, support, and maintenance. So, doing everything yourself may not be a viable option.
But just because your company cant afford to buy one or more of these devices outright doesnt mean that you cant still enjoy the advantages of using HSMs. Some vendors (such as Thales and Amazon Web Services) now offer cloud-based HSM products and services.
There are a few different options when it comes to using cloud HSMs:
The idea here is rather than having to buy an expensive physical appliance that you need to protect on site, you can instead rent a dedicated physical appliance or pay for access to the functionalities of one controlled by a third-party vendor for less cost.
As you can imagine, there are advantages and disadvantages to each approach, but youre ultimately the one who needs to decide which approach is best for your organization or business. Just be sure to carefully read the service level agreement (SLA) to ensure theyre what you need.
Of course, there is a way you can have your cake and eat it, too meaning that you can use an HSM without having to buy or rent one. This is possible when you partner with a managed PKI (mPKI) service provider. For example, DigiCert is an mPKI provider whose platform was built using an HSM. When you use their platform, you can capitalize on their secure HSM on the backend without having to buy or rent this expensive hardware.
If you think that an HSM sounds a lot like a trusted platform module, or TPM, there are a couple good reasons.
But are these two devices the same? No. TPMs are device-specific components within individual devices whereas HSMs are external devices with wider applications at handling operations relating to many or all devices and applications across an organizations network.
TPMs are basically computer chips that physically attach to individual devices motherboards to secure their PKI keys while keeping them separate from the devices CPU memory. They help to ensure device integrity and provide an isolated environment for the devices cryptographic operations.
HSMs, on the other hand, are hardware devices that arent limited to individual machines. Theyre intended for use at-scale by applications and servers across your organization.
To learn more about what trusted platform modules are and how they work, be sure to check out our other article relating to that specific topic.
The National Institute of Standards and Technology (NIST) Special Publication Recommendation for Key Management: Part 2 Best Practices for Key Management Organizations (SP-800-57 part 2, rev 1) describes hardware security modules as critical key management components. Theyre part of the physical infrastructure that makes secure key storage and cryptographic operations possible.
HSMS are used by organizations across virtually all industries, some of which include:
Thats quite a spread in terms of industries, am I right? This variation is, in part, due to the fact that hardware security modules come in two main varieties (which well explore momentarily) for organizations various usages.
Hardware security modules are typically used for securely storing cryptographic keys and payment-related information. However, their uses span the gamut in terms of current and future applications. Here are some of the ways youll currently find HSMs in use globally:
When we talk about HSMs here at Hashed Out, were typically talking about general purpose HSMs. However, its important to note that this isnt the only category of HSMs Thales Group describes a second category of HSM devices as Payment HSMs. Now that we know what HSMs are and some of their applications, lets explore the two types of HSMs a bit more in depth.
General purpose HSMs are those that all types of organizations use as part of their organizations overall cyber security. These are like the devices we described in the What Is a Hardware Security Module (HSM)? section near the beginning of the article.
These devices typically use vendor-neutral APIs to facilitate communication and cryptographic services for your applications. Thats because general purpose HSMs rely on the public key cryptography standards #11 (PKCS#11), which are a group of standards that outline how applications and HSMs can interact and communicate for cryptographic operations. (This enabled interoperability between applications and devices from various manufacturers.)
They also must meet geographic or industry security validation and trustworthiness requirements and standards such as:
As you can probably guess from the name, this second category of HSMs focus on the payment industry and are more specialized. Like general purpose HSMs, payment HSMs are also tamper-resistant hardware components that enable businesses to store and protecting keys and data. However, these keys relate to financial applications and transactions and do jobs such as storing customer PINs
Payment HSMs are designed to meet many different standards and use various interfaces. They also require different protocols and certifications from their general purpose HSM counterparts, some of which include the Payment Card Industry PTS Hardware Security Module (PCI PTS HSM) Modular Security Requirements and FIPS 140-2 validation requirements (level 3 or higher), and various regional security requirements.
For the purpose of this article, were primarily focusing on general purpose HSM functionalities, so were not going to get into the nitty-gritty of payment HSMs here. However, weve put together a quick side-by-side comparison table to help you better understand the differences between the two types of hardware security modules:
We touched on some of the uses of general purpose HSMs within organizational environments. Now, lets explore some practical applications.
A hardware security module provides the foundational security and trust your PKI needs. This is why it should be part of your organizations public key infrastructure from the get-go and not just added later on. (Technically, you can add an HSM to your private PKI architecture later however, it does require a lot of extra work and configurations that you can avoid by making the device part of your initial PKI.)
HSMs allow you to store your organizations cryptographic keys and create the PKI certificates that are necessary to enable user, device and software authentication. Furthermore, the authentication processes themselves can occur within the HSMs internal environment. This keeps the keys secure by not requiring them to be accessed directly, copied or moved.
You can use your hardware security module for cryptographic offloading (such as for SSL/TLS). The purpose of SSL/TLS offloading is to ease the burden on your web server that stems from encrypting and decrypting traffic by shifting those functions to another device (such as a load balancer).
If you opt to store your private keys in an HSM instead of your web server, you can shift the cryptographic functions relating to that traffic to your HSM.
The Open Web Application Security Projects (OWASP) Key Management Cheat Sheet specifies that if you choose to secure your cryptographic keys offline or in devices such as HSMs, you should encrypt them using key encryption keys, or KEKs.
If you want to avoid the costs and responsibilities associated with in-house management of an HSM for your private PKI, then choose an mPKI provider whose platform was built using an HSM. Doing this enables your authorized users to use your organizations HSM-stored keys remotely without accessing or touching the keys. For example, users can sign EV code signing certificates without the necessary risk of keeping individual tokens on hand that could get lost or stolen.
While HSMs are great security tools, they require you to take steps to keep them (and the keys the contain) secure. This includes physical security measures as well as digital access.
The first aspect entails keeping your hardware security modules stored in secure physical locations (such as a secure data center or server room). Your HSM should never be stored in an open or insecure location where unauthorized individuals can access it.
HSMs require strong access controls, policies and processes to keep your cryptographic keys secure and ensure that only authorized users can use it. This way, no unauthorized employees or nefarious external parties (i.e., cybercriminals) can use your cryptographic keys against you to digitally sign data, applications, or certificates.
Also be sure to monitor your HSM event logs. This way, you know who tries to access or use your cryptographic keys and how they used them.
Read more here:
What Is a Hardware Security Module? HSMs Explained - Hashed Out by The SSL Store
Making the Most from WEP – Wi-FiPlanet.com – Wi-Fi Planet
March 06, 2003
While wired equivalent privacy (WEP) encryption is not good enough for mission critical data, its still better than nothing for most WLANs. Heres why WEP does what it does, and the elbow grease you can apply to make it more secure.
We all know by now that 802.11swired equivalent privacy(WEP) isnt good enough to protect our data. That isnt just the theory, its a fact. Sure, WEP will stop Joe Wireless, but freely available programs likeAirSnortenable Joe Cracker break into your WLAN with little trouble.
Thus equipped, a cracker only needs some patience to mount a successful invasion. Specifically, it usually takes only five to ten million packets to break WEP encryption. And, at fifteen million packets, its almost dead certain that a dedicated attacker can pry the lid off your network traffic. Or, to put it another way, a small WLAN with four active users is almost certain to be cracked with two weeks of eavesdropping.
Making matters even worse, the cracking techniques most frequently used will work equally well no matter what WEP key length youre using. Thus, a 128-bit key is just as vulnerable as a 64-bit key. Indeed, even if a WEP key was 1,204 bits, it still as crackable by todays methods as ones that the minimal 64-bits.
How can that be? To understand how that works, you have to look closely at how WEP actually generates and manages, or more to the point doesnt, manage its encryption keys.
Every WEP packet is encrypted separately with an RC4 cipher stream generated by an encryption key. That key is made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit WEP key thats usually set by your wireless device. Combined, they have a total length of 64 or 128-bits, hence the popular names of 64 and 128-bit WEP keys (some vendors use to call the 64-bit key a 40-bit key, but they simply werent including the 24-bit IV so 64 and 40-bit WEP are the same thing). This transmitted packet is generated by a mathematical operation called bitwise exclusive OR (XOR) using the packet sent to your network interface card (NIC) by your computer and the RC4 encryption key.
With me so far? Now, the first thing that kills WEPs fundamental security is that every packet you send also includes the IV in plaintext. In short, any would-be snooper can immediately see part of the key.
Now, because the IV is only 24-bits long, you can only get 16,777,216 different RC4 encryption streams for every key, regardless of how long the rest of the key is. Sounds like a lot doesnt it? Its not even close to enough. The plaintext IV is constantly reused and it takes many packets to send even a quick Hi, how are you? instant message, so it doesnt take long for a snooper to gather up enough packets to start cracking your messages.
If that was WEPs only weakness, it would still be insecure but it would take a serious processing power and a lot more packets to break into a WLAN. Unfortunately, RC4 has another problem. Not all of those close to 17-million possible IV numbers work as well as others in RC4. When one of these approximately 9,000 Weak IVs, are used to encrypt packets, a snooping program can recognize and collect them. These Weak IVs give additional clues on the full encryption key, no matter its length, and so they make breaking WEP that much easier.
There are other theoretical ways to take advantage of WEP, but the combination of these two ways of exploiting the IV have proven to be easy and effective enough that little effort is being spent on developing software to exploit these holes. Trust me, the existing way to pry open a WEP-protected network work more than well enough.
Well, for one thing you cant wait around for a solution. Yes, there are replacements to WEP coming likeWi-Fi Protected Access(WPA), but it hasproblems of its own. 802.11i, which hopefully will take care of wireless security until someone works out bigger and better ways of cracking wireless, is still a work in progress.
In the meantime, you can make the most of WEP by changing your key frequently. I would recommend small offices with security concerns do this once a week, while companies with ten or more wireless PCs with sensitive information should change the WEP daily.
Sounds easy doesnt it? Its not. When they built WEP, they didnt build in network key management. With almost all WLAN NICs and APs, you have to manually reset WEP to the new IV on each and every device, one by one.
That may only be annoying in your home office, but its a true pain in the rump for network administrators with dozens or even hundreds of wireless-enabled devices. Not to mention that if you enter the IV wrong on a PC, its user will find that it cant get on the network. Adding insult to injury, if you get it wrong on an access point (AP), the entire area of the network that access point serves will be out of action.
Of course, you could have your users reset their own computers WEP settings, but thats just asking for a technical support disaster of epic proportions.
Besides simply resetting your WEP key, you should follow these simple rules for making WEP as secure as possible. If your WEP software asks you for a passphrase or string to generate a key, donotuse your SSID, company name, network name, or any other easy to guess alphanumeric string. Treat setting WEP keys the same way you a strong password. Why make life any easier for a cracker then it already is, right?
If you must manually enter the key, youre restricted to the numbers 0-9 and letters a-f In this case, dont simply hit the same key over and over again or use some simple pattern like 1,2,3, and so on.
If you do this, and change your key frequently, you can maximize WEPs minimal protection. Good security? Heck no! But, its definitely better.
Come the day that802.1xarrives in all wireless, well finally get key management. Alas, while 802.1x is available in Windows XP, and some access points and proprietary setups, but its still relatively uncommon. Implementing it properly in WLANs is an issue being dealt with in the still unfinished 802.11i. Eventually, well all use 802.1x for our WLANs, but that day isnt here yet.
Of course, there are add-on solutions, like Ciscos LEAP which is adds a proprietary take on Extensible Authentication Protocol (EAP) combined with RADIUS. It works well, and it enables new WEP keys per session. It also, however, requires that all the equipment be LEAP enabled, which isnt cheap you then have to replace any older WLAN NICs and access points.
Another path often taken is to use a Virtual Private Network (VPN) to encrypt all WLAN communications. While straight-forward it enough, it does mean that youll need to either add VPN software, or in the case of some operating systems like Windows XP, Linux and the BSDs, implement their VPN features. VPNs must also be coordinated across the network, but VPNs can be centrally managed thus making running them much easier for administrators and users alike.
So, in summary, if you want the best WLAN security today, either use an add-on approach like LEAP and be ready to use only equipment from a single vendoror be ready to work with the added complexity of a VPN.
But, if youre willing to take the time and trouble, WEP alone can still be useful.
Here is the original post:
Making the Most from WEP - Wi-FiPlanet.com - Wi-Fi Planet
Brave, the startup behind untracked browser-based video conferencing tool is out of beta – Security News – BollyInside
Brave, the startup behind the eponymous non-tracking browser, has launched a non-tracking video conferencing add-on out of beta letting all users make and receive video calls straight from their browser.
Now its been made open access with Brave making a pitch to internet users of privacy-focused video conferencing.
The tool, called Brave Talk, has been in beta testing since May last year. And Brave told us its had some 14,000 daily active users over this period aka, earlier adopters and developers tapping in via Braves test version.
Many other video conferencing providers, including Zoom, monitor calls, metadata, and images, and the records of that data can be sold or shared without user consent, it writes in a blog post announcing the wider launch.
Users initiating a video call must do so from within the Brave browser; however, recipients need only be using any modern browser (so basically Chrome, Firefox, Safari, Edge, Opera etc.) to participate in a video chat.
Brave Talk users can enable multiple layers of encryption on calls, so an eavesdropper cannot listen in on users calls, and our servers dont save metadata, so calls, images, and activities are never recorded or shared without user consent, it adds.The video calling software is a subscription offering costing $7 per month for premium features (like group calls and call recording) but basic one-to-one calls are free and unlimited. (NB: Braves Android and iOS apps only currently offer Brave Talk Premium but will have the free version too in the coming weeks).
While Brave is touting its non-tracking credentials as a differentiating plus for the video conferencing software versus mainstream players like Zoom, its worth noting that Brave Talk does not (yet) have end-to-end encryption rolled out.
Brave says its using the Jitsi as a Service open source video meeting platform from 88 which relies on WebRTC open source technology to enable developers to embed HD video directly into the browser.
On encryption it says users can enable different layers in the settings. It describes the current strongest level of encryption available in both free and premium versions of Brave Talk as Video Bridge Encryption. This setting ensures that the video and audio streams are encrypted using keys generated by the participants, which prevents eavesdropping on the Video Bridge Server, said co-founder and CEO Brendan Eich. Video Bridge Encryption can be enabled under Security Options.
Because we find the phrase end to end encryption to be confusing and overloaded, Brave Talk refers to the setting as Video Bridge Encryption, he also told us, adding: End to end encrypted calls are just one dimension of privacy and security when participating in video calls. Even when using encryption, most of the Big Tech video tools actively collect and store data about your call: Who the participants were, when the call took place and for how long, and a host of other information. The anonymous credential system employed by Brave Talk ensures that we dont know who users are and who they are talking to, and we cant link them across sessions. Brave Talk is a privacy-by-default tool that does not track users.
Pushed for more clarity on the difference between Video Bridge Encryption (VBE) and E2EE, he also told TechCrunch: The reason that we refer to it as Video Bridge Encryption and not End to End Encryption is that, while VBE does ensure that audio and video remain encrypted from Brave, 88, and any other passive eavesdroppers, we are still working with 88 on a way to make this more robust against active attackers by automatically authenticating meeting participants. When that work is complete, we will feel comfortable introducing it as full end to end encryption, and it will provide significant advantages over platforms like Zoom, which require participants to read a security code out loud to confirm end to end encryption is working.
Internet users wanting to kick the tyres of Brave Talk which was previously called Brave Together will first need to download the Brave browser in order to initiate a call. Receiving calls doesnt require using Brave, as mentioned earlier. Per Eich, Brave recently passed 36 million monthly active users across its suite of anti-tracking products which also includes a search engine and a Firewall+VPN.
News Summary: