Category Archives: Encryption

WhatsApp Flaw Casts Doubt on End-to-End Encryption – Security Boulevard

A recently fixed WhatsApp security vulnerability that, if exploited, could cause data leakage underscores the fact that hackers can bypass end-to-end encryption with some machinations.

WhatsApp included a patch for the flaw in its February 2021 Security Advisory Report and, in a statement, assured Check Point researchers Dikla Barda and Gal Elbaz, who analyzed the out-of-bounds read/write vulnerability in a blog post this week, that it had "no reason to believe users would have been impacted by this bug" and that "users should feel confident that end-to-end encryption continues to work as intended and people's messages remain safe and secure."

The messaging app company pointed to the multiple steps a user would have needed to take before the vulnerability could be exploited. Indeed, Check Point acknowledged that the threat remains theoretical and "would have required complex steps and extensive user interaction in order to exploit," but stressed that doing so could have allowed an attacker to read sensitive information from WhatsApp memory.

The vulnerability is related to the WhatsApp image filter functionality and "was triggered when a user opened an attachment that contained a maliciously crafted image file, then tried to apply a filter, and then sent the image with the filter applied back to the attacker," they said.

The researchers zeroed in on how WhatsApp processes and sends images, using Check Point's AFL fuzzer to generate malformed files. Switching between several filters on crafted GIF files, they caused WhatsApp to crash.

After connecting the phone to its lab and capturing the crash location via adb logcat, Check Point did some reverse engineering to review the crashes, identifying one as a memory corruption. At that point, the researchers reported the finding to WhatsApp and the vulnerability was named CVE-2020-1910, "Heap-Based out-of-bounds read and write."

In a deeper dive, Barda and Elbaz reverse-engineered the libwhatsapp.so library using a debugger to analyze the crash's root cause. "The problem is that both destination and source images are assumed to have the same dimensions and also the same format RGBA (meaning each pixel is stored as 4 bytes, hence the multiplication by 4)," the researchers wrote. "However, there are no checks performed on the format of the source and destination images. Therefore, when a maliciously crafted source image has only 1 byte per pixel, the function tries to read and copy 4 times the amount of the allocated source image buffer, which leads to an out-of-bounds memory access."
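The mismatch Barda and Elbaz describe, shown as an added illustration in C that is not WhatsApp's or Check Point's code. The `image_t` descriptor, the function names and the 4x4 sample buffers are all constructed for this example; the unchecked length calculation reproduces the shape of the bug (copy length derived from an RGBA assumption, never compared with the source allocation), and the checked copy shows the validation the text says was missing: both descriptors must be self-consistent and must agree on dimensions and format before any bytes move. Nothing in the block performs an out-of-bounds read; the unchecked path only reports how far it would have over-read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical image descriptor used only for this illustration. The article
 * says the real routine assumed source and destination were the same size and
 * both RGBA (4 bytes/pixel) without checking the source's actual format.
 */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;  /* 1 = grayscale, 3 = RGB, 4 = RGBA */
    size_t   buf_len;          /* bytes actually allocated for pixels */
    uint8_t *pixels;
} image_t;

/* Number of bytes an RGBA-assuming copy would read from `src`. */
size_t rgba_assumed_copy_len(const image_t *src) {
    return (size_t)src->width * src->height * 4;
}

/*
 * Bytes the unchecked copy would read past the end of the source buffer.
 * This is the bug pattern: the length comes from the dimensions under an RGBA
 * assumption and is never compared with the allocation. No memory is touched.
 */
size_t unchecked_overread(const image_t *src) {
    size_t n = rgba_assumed_copy_len(src);
    return n > src->buf_len ? n - src->buf_len : 0;
}

/* Reject any descriptor whose declared geometry is not backed by its buffer. */
int image_geometry_ok(const image_t *img) {
    if (img->pixels == NULL || img->width == 0 || img->height == 0) return 0;
    if (img->bytes_per_pixel != 1 && img->bytes_per_pixel != 3 &&
        img->bytes_per_pixel != 4) return 0;
    /* Overflow-safe: width*height*bpp must fit in size_t and in buf_len. */
    uint64_t px = (uint64_t)img->width * img->height;
    if (px > (uint64_t)SIZE_MAX / img->bytes_per_pixel) return 0;
    uint64_t need = px * img->bytes_per_pixel;
    return need <= img->buf_len;
}

/*
 * Hardened copy: validate both sides, then require identical dimensions and
 * format before a single byte is moved. Returns 0 on success, negative on reject.
 */
int copy_pixels_checked(image_t *dst, const image_t *src) {
    if (!image_geometry_ok(src) || !image_geometry_ok(dst)) return -1;
    if (src->width != dst->width || src->height != dst->height) return -2;
    if (src->bytes_per_pixel != dst->bytes_per_pixel) return -3;
    size_t n = (size_t)src->width * src->height * src->bytes_per_pixel;
    memcpy(dst->pixels, src->pixels, n);
    return 0;
}

/* Constructed scenario: a 4x4 image that is really 1 byte/pixel (16 bytes)
 * arriving where a 4x4 RGBA image (64 bytes) is assumed. */
static uint8_t g_gray[16];
static uint8_t g_rgba_src[64];
static uint8_t g_rgba_dst[64];

size_t crafted_overread_bytes(void) {
    image_t crafted = { 4, 4, 1, sizeof g_gray, g_gray };
    return unchecked_overread(&crafted);        /* 64 - 16 = 48 bytes */
}

int crafted_rejected(void) {
    image_t crafted = { 4, 4, 1, sizeof g_gray, g_gray };
    image_t dst = { 4, 4, 4, sizeof g_rgba_dst, g_rgba_dst };
    return copy_pixels_checked(&dst, &crafted);  /* -3: format mismatch */
}

int lying_header_rejected(void) {
    /* Header claims RGBA, but only 16 bytes were actually allocated. */
    image_t lying = { 4, 4, 4, sizeof g_gray, g_gray };
    image_t dst = { 4, 4, 4, sizeof g_rgba_dst, g_rgba_dst };
    return copy_pixels_checked(&dst, &lying);    /* -1: geometry check fails */
}

int matching_pair_copied(void) {
    for (size_t i = 0; i < sizeof g_rgba_src; i++) g_rgba_src[i] = (uint8_t)i;
    memset(g_rgba_dst, 0, sizeof g_rgba_dst);
    image_t src = { 4, 4, 4, sizeof g_rgba_src, g_rgba_src };
    image_t dst = { 4, 4, 4, sizeof g_rgba_dst, g_rgba_dst };
    if (copy_pixels_checked(&dst, &src) != 0) return 0;
    return memcmp(g_rgba_src, g_rgba_dst, sizeof g_rgba_src) == 0;
}

int main(void) {
    printf("unchecked copy would over-read by %zu bytes\n", crafted_overread_bytes());
    printf("checked copy of crafted source: %d\n", crafted_rejected());
    printf("checked copy with lying header: %d\n", lying_header_rejected());
    printf("checked copy of matching pair ok: %d\n", matching_pair_copied());
    return 0;
}
```

The geometry check deliberately trusts nothing in the header: the declared format must be one the code understands, the pixel count must not overflow, and the product must fit the allocation. In a fuzzing setup like the one the article describes, the first two rejection paths are exactly what a malformed GIF would hit.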

Burak Agca, an engineer at Lookout, noted that Lookout has seen multiple variants of the same attack, and added that attackers typically execute an exploit chain taking advantage of multiple vulnerabilities across the app and the operating system in tandem. He pointed to the first such discovered chain, which exploited a vulnerability, since patched, in the Safari browser to break out of the application sandbox. After this, multiple operating system vulnerabilities, also since patched, were exploited to elevate privileges and install spyware without the user's knowledge.

The WhatsApp exploit, he said, seems to exhibit a similar behavior, and the end-to-end details of these types of exploits came under scrutiny by the security community.

For individuals and enterprises alike, Agca said, it is clear that relying on WhatsApp saying its messaging is encrypted end-to-end is simply not enough to keep sensitive data safe.

He applauded WhatsApp for the speed and thoroughness of upgrades for this and other vulnerabilities. "WhatsApp continuously updates its applications in order to address these security issues," Agca said. "Updates to their apps patch the vulnerability in question, and, in addition, they release a server-side fix to prevent any version of the app from being exploited."

But consumers and organizations need to do their part to remain secure on the app. "WhatsApp users can be proactive and download a mobile security solution that reduces the risk of falling victim to WhatsApp scams, especially ones that try to phish your credentials or quietly install malware," said Agca.


Priti Patel backs ad campaign that criticises Facebook’s stance on end-to-end encryption – Graham Cluley Security News

According to media reports, British Home Secretary Priti Patel is backing a new ad campaign that will accuse Facebook of blindfolding police investigations into child sex abuse.

What has Facebook done to warrant the attention? It has introduced the option for Facebook Messenger calls and video chats to be end-to-end encrypted, just like Facebook Messenger text chats have been since 2016, and just like the chats you have on Signal, Wire, and FaceTime are too.

Priti Patel is just the latest in a long line of British politicians to rail against encrypted messaging, arguing that it makes it harder for the police and intelligence agencies to catch paedophiles, drug barons, and terrorists.

Patel's predecessors have even tried to argue that real people don't want secure communications.

But if you weaken end-to-end encrypted messaging by creating backdoors for intelligence agencies or police to monitor communications, you don't make life less safe for the criminals. You make it less safe for everyone.

Indeed, all a criminal would do is use another service that does provide end-to-end encryption, or create their own service beyond the reach of the authorities and impervious to any ad campaign backed by Priti Patel.

Encryption isn't a bad thing, it's a good thing. Encryption protects our privacy from hackers and organised criminals. It defends our bank accounts, our shopping, our identities. It saves the lives of human rights activists working against oppressive regimes.

Journalist James Ball summed up in a tweet the idiocy of being anti-encryption:

We shouldn't be looking for ways to weaken or outlaw encrypted communications. If anything, we should be encouraging their wider use.

I'm no fan of Facebook. I think it is, in many ways, ghastly. But I welcome anything they do to harden the security and privacy of their users.


Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.


Bluefin Receives U.S. Patent on Systems for Vaultless Tokenization and Encryption – WFMZ Allentown

ATLANTA, Sept. 7, 2021 /PRNewswire-PRWeb/ -- Bluefin, the leading provider of payment and data security solutions, has announced the issuance of their first U.S. patent on the company's ShieldConex data security platform for the tokenized encryption of Personally Identifiable Information (PII), Protected Health Information (PHI), and payment / ACH account data.

U.S. patent 11,070,534, "Systems for Vaultless Tokenization and Encryption," covers an iFrame service for collecting data, a tokenization service for (de)tokenizing and encrypting/decrypting data, and managing and creating templates for iFrame collection, (de)tokenization, and encryption/decryption.

ShieldConex utilizes both hardware-based encryption and vaultless tokenization to secure PII, PHI, cardholder data (CHD) and ACH account data entered online. All ShieldConex tokens are format preserving, and the option exists to maintain portions of the tokenized data, such as the last four digits of a social security number, preserving the usefulness of the data in tokenized form while being database-friendly for developers. Additionally, the vaultless nature of the solution means customers always retain their data (ShieldConex tokenizes the sensitive data and returns it to the customer), which also eliminates issues of data sovereignty, while guaranteeing higher performance than legacy token vault-based solutions.

Companies can also directly connect to ShieldConex for online data encryption and tokenization via Bluefin's API.

"There is more sensitive data being entered online than ever before, thanks in part to the pandemic," said Ruston Miles, Bluefin's founder. "Ecommerce purchasing has risen dramatically, people are utilizing healthcare forms to enter everything from insurance information to their medical history, and as a result, hackers are going after the online channel. ShieldConex provides an easy to implement solution that protects any type of online data upon entry, in transit and in system storage."

Bluefin was the first North American provider of a PCI-validated point-to-point encryption (P2PE) solution in 2014 for the immediate encryption of point-of-sale (POS) payments. PCI P2PE provides numerous benefits, including cost savings, PCI scope reduction and brand protection. ShieldConex complements the company's P2PE suite by providing a holistic data security system that protects all online data.

"Implementing P2PE and ShieldConex is like a one-two punch," said Tim Barnett, Bluefin's CIO and patent author. "You have P2PE protecting mobile, face-to-face and call center transactions, and then you have ShieldConex protecting any type of data, whether payment, consumer or company data, that is entered online. The future of payment and data security must address every intake channel, and we are very pleased to have received our first U.S. patent on ShieldConex for this online protection."

While the U.S. patent marks the first on ShieldConex, Bluefin has previously been issued 28 U.S., EU and Japanese patents on its P2PE innovations. The company also has an additional 13 patents pending.

About Bluefin

Bluefin is the recognized leader in encryption and tokenization technologies for payment and data security. Our security suite includes PCI-validated point-to-point encryption (P2PE) for contactless face-to-face, call center, mobile and unattended payments, and our ShieldConex data security platform for the protection of Personally Identifiable Information (PII), Personal Health Information (PHI) and payment data entered online. The company's partner network currently includes over 200 processors, payment gateways and ISVs operating in 45 countries, which provide Bluefin's P2PE solutions direct to merchants, enterprises, healthcare organizations and more. Bluefin is a Participating Organization (PO) of the PCI Security Standards Council (SSC) and is headquartered in Atlanta, with offices in Waterford, Ireland. For more information, please visit http://www.bluefin.com.

Media Contact

Danielle Duclos, Bluefin, 8006756573, press@bluefin.com

SOURCE Bluefin


EXCLUSIVE: What’s in the new zero-trust strategy – Politico

Editor's Note: Weekly Cybersecurity is a weekly version of POLITICO Pro's daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day's biggest stories. Act on the news with POLITICO Pro.

MC has your first look at the Biden administration's new plan for protecting the government with zero-trust networking.

Two Senate committees will have to iron out their differences on cyber incident reporting soon if they want to hitch a ride on a must-pass bill.

The Biden administration and the European Union are making plans to tackle challenges posed by encryption.

HAPPY TUESDAY, and welcome back to Morning Cybersecurity! If you're reading this message, it means that we got through the long Labor Day weekend without any devastating cyberattacks. Maybe everyone really listened to Anne Neuberger after all. Sam will be back tomorrow, so send your thoughts, feedback and especially tips to [emailprotected]. Follow @POLITICOPro and @MorningCybersec. Full team contact info below.

FIRST IN MC: DON'T TRUST, VERIFY: The White House this morning is releasing for public comment a draft version of its strategy for implementing zero trust principles across federal networks. The Biden administration sees zero-trust networking (in which a computer system is designed with the assumption that hackers have already gained access and must be constantly challenged and impeded) as key to its security overhaul of decades-old networks, and its new strategy will require a raft of actions to lock down software applications, limit users' access to data and protect network traffic from prying eyes.

Among the 18 steps required by the end of fiscal 2024: Every agency will have to use one single sign-on service to let employees access all of its applications; ditch multi-factor authentication systems, such as codes delivered by text message, that are susceptible to phishing attacks; and eliminate archaic password policies requiring special characters and regular password changes. They'll also have to encrypt all internal traffic and develop plans to segment their networks so that hackers can't easily slip from one application to another. And they'll have to make one internal system securely accessible from the internet to reduce the use of VPNs.

Along with the draft zero-trust strategy, CISA is also releasing a maturity model that provides a roadmap for agencies' implementation of zero-trust policies, as well as a guidance document to help agencies securely migrate their applications to the cloud.

The zero-trust plan is part of President Joe Biden's cyber executive order, which also launched several other initiatives that have impending due dates. By Thursday, for example, agencies must submit progress reports on their rollout of multi-factor authentication and encryption. CISA has until Thursday to develop a cyber incident response playbook that every agency can use. And DHS and OMB have until Thursday to set up procedures to ensure that contractors report cyber incidents to the appropriate agencies.

SENATE SHOWDOWN: As Congress' summer recess nears its end, lawmakers face a big question: How will they reach agreement on the best way to require companies to report hacks? And more specifically, what will happen to the Senate Intelligence Committee's cyber incident reporting bill now that the Senate and House homeland security panels have teamed up on more industry-friendly legislation?

Senate Intelligence's bill differs widely from the Senate Homeland measure that yours truly scooped last week, especially in terms of its minimum reporting timeframe, the types of companies covered and the punishments for noncompliant companies. In letters to Congress and at last week's hearing, industry groups criticized the Intelligence bill's provisions.

"There is strong industry support for the House and Senate Homeland bills' approach," said Ron Bushar, an executive at the cyber firm FireEye who testified on the House bill last week. And Senate Homeland has another advantage over Senate Intelligence: it has jurisdiction over any reporting bill, so it will play a significant role in shaping whatever legislation emerges. FireEye CEO Kevin Mandia will meet with Senate Homeland Security Chair Gary Peters (D-Mich.) on Wednesday, according to Stacy O'Mara, the company's director of government affairs.

But the Senate Intelligence bill has powerful sponsors, including perennial swing vote Susan Collins (R-Maine) and committee chair Mark Warner (D-Va.), an influential voice on national security. Warner and his colleagues are still revising their bill, and his office says it's having productive meetings with interested parties.

The homeland-security panels are collaborating closely on their bills, according to an aide for the House panel. And Senate Homeland Security ranking member Rob Portman (R-Ohio) has been talking to the Senate Intelligence bills sponsors, a Senate aide said. Both aides requested anonymity to discuss legislative negotiations.

"It's critical for Congress to listen to industry stakeholders and ensure what's written into law in Washington makes sense practically when implemented in the real world," House Homeland Security ranking member Andrew Garbarino (R-N.Y.) told MC.

Homeland and Intelligence face a tight deadline to resolve their differences. Multiple people tracking the process said the best hope for incident reporting legislation was to attach it to the fiscal 2022 defense policy bill, which is being marked up now. Senate Homeland's outreach to industry included a request for feedback by Sept. 14.

Another reason to hurry is that implementation will take a while. "You're looking at a minimum of half a year anyway between passage of a bill and standup of a reporting platform," Bushar said. "The longer you delay the bill, the more time it takes before you can have a regime in place that can actually start to have an impact."

BOTH FORMS OF CRYPTO: The Biden administration and the European Union have recommitted to collaboratively seeking a solution to the encryption debate, a top EU official told MC, suggesting that while this policy challenge has simmered under the surface for several years, it's still top of mind for policymakers behind closed doors.

"Encryption is important, but we have to always avoid a black-or-white discussion," EU Home Affairs Commissioner Ylva Johansson said in an interview after meetings in Washington with DHS Secretary Alejandro Mayorkas and Attorney General Merrick Garland. "It's not like we should protect privacy or protect vulnerable children. We need to do both."

Johansson, who discussed encryption with Garland, said that while the attorney general didn't reveal the Biden administration's agenda for resolving the long-running crypto wars, the EU and the U.S. are "very much close to each other on these issues." Both leaders, she said, agreed that tech companies "need to take their responsibility to develop proper technical solutions for this."

Apple has received withering criticism from security experts over a proposal to identify child sexual abuse imagery on its customers' phones. On Friday, the company said it was pausing the rollout of that feature to collect input and make improvements. Speaking before that news broke, Johansson applauded the company's effort. "Apple's solution might not be the perfect one," she said, "but I welcome a company that really tries to find a balanced approach protecting both privacy and children."

Johansson and her U.S. counterparts also agreed on the scope for a common working group on ransomware, she said. The new group will focus on investigative cooperation, tracing ransom payments (which Johansson identified as a particular priority) and building digital resilience against hackers. The group will present its initial report at the next EU-U.S. Ministerial Meeting on Justice and Home Affairs later this year.

STILL EVADING: The U.S. government continues to brush off suggestions that it was involved in firewall maker Juniper Networks' use of an encryption algorithm backdoored by the NSA, despite a Bloomberg story saying the Pentagon leaned on the company to adopt the code. Asked about Bloomberg's reporting during Thursday's White House press briefing, Anne Neuberger, the deputy national security adviser for cyber and emerging technology, described the Juniper/NSA saga as "an old story that's been reported, and I think we've continuously noted that there isn't substantiation for it."

Security experts first proposed a link between the NSA and the backdoored Juniper code in 2015, several months after the company announced that sophisticated hackers had breached its systems by modifying that code. But until last week's Bloomberg story, it remained unclear why Juniper had used the widely criticized code in the first place. NIST told companies to stop using it in 2014, one year after leaked documents revealed that the NSA had secretly tampered with it and paid a leading vendor $10 million to use it.

During MC's break, yours truly conducted the first in-depth interview with inaugural National Cyber Director Chris Inglis. Pros can read the story about his priorities and the full Q&A. He also revealed that the Biden administration is pushing Microsoft to make full log data free for all customers.

University of California, Berkeley computer science professor Nicholas Weaver with some real talk: "The Ivermectin of Computer Science is Blockchain."

How Kuwait punished a security expert for revealing a major bank's embarrassing hack. (CyberScoop)

Nextgov interviewed Allan Friedman, the man behind the government's software bill of materials campaign, as he moves from NTIA to CISA to bring SBOMs to life.

The Justice Department launched a cyber fellowship program for prosecutors.

NIST wants feedback on its proposed criteria for an internet of things security labeling program.

Chat soon.

Stay in touch with the whole team: Eric Geller ([emailprotected]); Bob King ([emailprotected]); Sam Sabin ([emailprotected]); and Heidi Vogt ([emailprotected]).


3 ways to protect yourself from cyberattacks in the midst of an IT security skill shortage – Help Net Security

With COVID-19 variants on the rise, widespread remote work may be sticking around longer than IT leaders would like, which comes with a heightened risk for cyberattacks that could expose customer data, steal company information, or take control of internal operations. The rise in attacks comes at a time when cybersecurity experts are in short supply: in 2020, over 3 million cybersecurity positions needed to be filled.

Enterprises face a catch-22 situation: Security is more vital than ever, but cybersecurity positions are nearly impossible to fill. Fortunately, there are several security best practices enterprises can follow that don't require them to have an in-house cybersecurity expert.

Here are three best practices that can help strengthen your security sooner rather than later:

Even the smallest of openings can be exploited by cybercriminals to gain access to a business's network. Case in point: the Colonial Pipeline hack, where an inactive authorized account was compromised and allowed cybercriminals to do as they pleased with the company's data. It's essential for IT leaders to integrate the proper authorization protocols to prevent a Colonial Pipeline-like attack from happening to them.

Glaring security oversights like a newly inactive authorized account or a successful phishing attempt on an authorized account must be addressed as soon as they occur, not hours, days or weeks later. In fact, four out of five breaches that involved hacking or brute force tactics used lost or stolen employee credentials to enter the system, according to a report from Verizon. And three out of four common data security breaches are caused by privilege misuse, when employees have unrestricted access to a system even when it's not needed to do their job.

Organizations need to establish authorization protocols like multi-factor authentication, regular password changes and least privilege user access to mitigate the likelihood cybercriminals will have unfettered access to the system.

While business leaders may fear that requiring employees to jump through hoops to access sensitive information will slow down internal operations or functions, the consequences of a successful attack will disrupt business operations significantly more than the time it takes to follow a few authorization best practices.

Encryption uses algorithms to make data or other information an unreadable cipher if one doesn't have the right cryptographic key. Encryption ensures only the audience that the information is intended for can access the information.

Encryption key management (the process of creating, storing, deleting, and destroying encryption keys) makes secure access to sensitive information possible. By establishing key-encrypted access, information is not saved directly in the system, and the key can be changed by the organization at will.

Without the encryption key, it's difficult and time-consuming for bad actors to guess which cipher the sender used to encrypt the message, as well as what keys were used as variables, which is why encryption is such a valuable tool to deter cybercriminals.

Solutions that can automatically pre-activate, activate, change, and reassign encryption keys are helping organizations of all sizes use this type of complex technology, even without a cybersecurity expert. However, be sure to lean on vendor-neutral trusted advisors who have the resources, network, and experience to ensure your encryption key management solution will fit your enterprise's needs.

The true meaning of cybersecurity can be boiled down to preparation, especially for the worst possible case scenario. If a cyberattack is successful and sensitive information is compromised, a recovery plan or a solution can help mitigate the damage. This is where a disaster-recovery-as-a-service (DRaaS) solution comes into play, as it replicates server information and digital business operations onto a recovery site, allowing for a backup to replace the main server in the event of an emergency, malfunction or system compromise.

Additionally, DRaaS solutions can be fortified with an immutable backup to add another layer of security to their infrastructure. Immutable backups secure data and make it unable to be changed, establishing a fixed, undeletable data source for your disaster recovery solution. With an immutable backup, cyberattacks will encounter difficulty attempting to permanently delete or alter data when a fixed source exists for recovery.

DRaaS solutions lower the chance for cybercriminals to cause permanent damage or possess sole ownership of sensitive data. Without it, cybercriminals may hold your data hostage and disrupt business operations, leak sensitive information, or destroy the data if their demands are not met.

Even though cybersecurity talent is scarce and cyberattacks are at an all-time high, organizations can still strengthen their security posture today. By combining proactive security measures with a disaster recovery solution, you can mitigate the likelihood that an attack will be successful when it happens.


Apple Has Betrayed Its Privacy Legacy and Will Undermine End-to-end Encryption Everywhere – Privacy News Online

Apple is a company that has always made much of its commitment to privacy, and has succeeded in turning it into a unique selling point of its products. That proud history made a recent announcement all the more shocking. Nobody could deny that Apple's Expanded Protections for Children are motivated by the best intentions, and are tackling a terrible problem. But as commentator after commentator pointed out, in this case, in its eagerness to come up with new ways of protecting children from harmful content and online predators, Apple seems to have missed the bigger picture.

There are three elements to Apple's new initiative. One, updates to Siri and Search that "provide parents and children expanded information and help if they encounter unsafe situations," is unproblematic. The other two are not. Here's what Apple intends to do to ensure "communication safety in Messages":

The Messages app will add new tools to warn children and their parents when receiving or sending sexually explicit photos.

When receiving this type of content, the photo will be blurred and the child will be warned, presented with helpful resources, and reassured it is okay if they do not want to view this photo. As an additional precaution, the child can also be told that, to make sure they are safe, their parents will get a message if they do view it. Similar protections are available if a child attempts to send sexually explicit photos. The child will be warned before the photo is sent, and the parents can receive a message if the child chooses to send it.

As over 90 organizations wrote in an open letter to Apple's CEO, the problem here is that this assumes a benevolent relationship between parents and child. Clearly, that's not always true, in which case Apple's new alert system could enhance the abusive power of adults over a child. "LGBTQ+ youths on family accounts with unsympathetic parents are particularly at risk," the letter pointed out. But it is the third element that has rightly caused most concern in privacy and security circles. It tries to address undoubtedly one of the worst problems online today: the spread of Child Sexual Abuse Material (CSAM). Apple wants to detect CSAM images stored in iCloud Photos. Here's how:

Apple's method of detecting known CSAM is designed with user privacy in mind. Instead of scanning images in the cloud, the system performs on-device matching using a database of known CSAM image hashes provided by NCMEC [National Center for Missing and Exploited Children] and other child safety organizations. Apple further transforms this database into an unreadable set of hashes that is securely stored on users' devices.

To its credit, Apple has built in a number of features designed to ensure that the company does not know anything about the images that apparently match, unless a certain threshold number of matches is reached. At this point Apple will then manually review each match, and if confirmed, disable the user's account and send a report to the NCMEC. The company has provided a more detailed technical summary of the process.

However, a FAQ reveals some serious flaws in the approach. First, the new technology only applies to photos stored in iCloud Photos. This means people can avoid scrutiny quite easily: "When iCloud Photos is deactivated, no images are processed. CSAM detection is applied only as part of the process for storing images in iCloud Photos." Another problem is the following: "The system uses image hashes that are based on images acquired and validated to be CSAM by at least two child safety organizations. It is not designed for images that contain child nudity that are not known CSAM images." This could have the terrible effect of encouraging pedophiles to create new abusive images, rather than sharing old ones. Apple's approach to fighting CSAM might actually make things worse.

The biggest problem concerns how Apple has implemented its idea. The approach discussed above involves client-side scanning of images to detect CSAM. This will happen whether or not the phone's user wishes it. In other words, for the first time, Apple is explicitly taking control of people's phones, which are therefore no longer truly theirs.

This is an incredibly shortsighted move, for reasons that top experts like Edward Snowden, Bruce Schneier, and the EFF have been quick to point out. One of the most important battles being fought in the world of privacy is the attempt by governments around the world to gain access to end-to-end encrypted communications using backdoors. As they have been repeatedly told, this is not possible without undermining the security of encryption. But there is a different way to gain access to the contents of encrypted communications to spy on them before they are encrypted. That is precisely what Apple proposes with its new plans.

By presenting client-side surveillance in a positive light, Apple has just given permission for every government to demand the same approach to be applied outside CSAM. Apple tries to address that point in its FAQ: "Apple would refuse such demands and our system has been designed to prevent that from happening." This is an extraordinarily naive statement. How will a company, even a trillion-dollar company, be able to refuse such a demand from repressive authoritarian states like China, or intrusive democratic ones like the UK? It will clearly be a matter of comply or stop selling products in that country.

Even if Apple backtracks on its plans, the first signs of which have already appeared, it may be too late. Politicians who understand little about the finer points of technology will simply say to every online service operating in their country: "See? Apple has found a way to scan for illegal material while preserving encrypted communications; just do the same for us voluntarily, or we will pass a law making it compulsory."

Featured image by Sally V.

Original post:
Apple Has Betrayed Its Privacy Legacy and Will Undermine End-to-end Encryption Everywhere - Privacy News Online

IBM’s first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features – The Register

IBM's heavy-metal arm has officially brought Power10, its first 7nm chip, to market with the launch of the E1080, a server system it claims blows x86 rivals out of the water for performance and security.

The E1080 is the first commercial outing for IBM's Power10 chips, unveiled at last year's Hot Chips conference and implementing v3.1 of the Power instruction set architecture (ISA). Built on a 7nm extreme ultraviolet (EUV) lithographic process by Samsung, the first Power10 parts include 15 physical cores, up from 12 on Power9, plus a disabled "spare" core used to increase manufacturing yield, with eight-way simultaneous multithreading (SMT) for a total of 120 threads per chip and support for four sockets per board.

"The E1080 will actually scale to 240 cores in the entire system itself," said Dylan Boday, IBM vice president for hybrid cloud, during a press briefing. "It's really bringing in a lot of great scalability and flexibility.

"We are introducing with the E1080 a world record performance benchmark: the first system to hit 955,000 SAPS [on the SAP SD standard application benchmark] in an eight-socket system considerably more than that of an x86 alternative architecture, 2x per socket [and] up to 4x per core more capability with the E1080 [than Intel]."

Boosted per-core performance and more cores in a system mean, IBM claimed, a big reduction in footprint and power draw. In a case study looking at an unnamed customer, the company claimed that 126 Intel-based Oracle database servers had been consolidated down to just three Power9-based E980s and were projected to drop to just two E1080s. As a result, what was 102kW of power draw is projected to drop to 20kW, and the number of licences required drops from 891 with the Intel system to 263 with the E1080.

It's not just about performance, though. IBM claimed the E1080 and its Power10 chip add a wealth of security features, including support for post-quantum cryptography, despite the NSA's uncertainty about whether that's necessary.

An easier-to-sell feature: so-called "transparent" memory encryption. "What is great about this is it is encrypting information transparently without any performance overhead of the system," claimed Boday. "It's done through the hardware. And so we can actually scale this encryption to very large memory databases.

"As the information is encrypted, you [can] continue to do computational workload on it and not unencrypting it, with fully homomorphic encryption. This is all achieved through our 2.5x faster [AES cryptography] performance per core."

"Not only is there no performance impact whatsoever," claimed Satya Sharma, IBM Fellow and chief technology officer, "but there is no management setup required either. So this is what I mean by transparent memory encryption: it simply works. There is no user action required. There is no performance penalty and no management overhead."

Another key feature, and an indicator of where IBM sees the future of computation, is the integration of acceleration engines for artificial intelligence workloads: four Matrix Math Accelerators (MMAs) per core. "It provides 5x more inferencing performance than what we did in Power9," Boday claimed.

"This provides an alternative route to using separate GPUs as the in-core capabilities of the Power10, with the MMA engines we've embedded into it, allows our clients to do the computation work directly in [the] stream of data."

GPUs as AI accelerators aren't going anywhere any time soon, however. While the E1080 will happily run a workload, including those on the Open Neural Network Exchange (ONNX), the actual training is likely to take place elsewhere. "Many of the training environments do require GPUs," Sharma admitted, "But once the model is built, we are able to bring that model on Power10 and still provide high security and tight reliability."

There's a disparity in IBM's numbers on the AI front, though. At Hot Chips 2020, it boasted Power10 would offer up to 20x the inference performance of Power9, but it's launching the E1080 stating a (somewhat more sedate) fivefold increase.

"When we presented Power10 at the Hot Chips event, we talked about a 20x number and the 10x number," Sharma explained by way of addressing the gap. "Those numbers are still holding. We talked about a single chip module and a dual chip module.

"The dual chip module will deliver the 20x capability, like we talked about the Hot Chips event; the single chip module, which is what we are using in E1080 in a low precision [mode], which as most of the you know quite a bit of the AI world is in the low precision mode, there we are going to deliver 10x capability. So this 5x is a high precision [mode] proof point we are still consistent with what we had talked about at Hot Chips.

"This trend towards on-processor AI is actually a broad trend in the industry," Sharma continued. "[IBM] Z [mainframes] announced it. We, of course, covered it at the Hot Chips event when we did Power10. There's a clear trend in the market, and that's going to increase the pervasiveness of AI from the business application standpoint."

The Power10 chips aren't the only new hardware to be found in the E1080. IBM is also launching a new type of memory, designed to improve reliability by taking advantage of Power10's Open Memory Interface (OMI) architecture. "Instead of using the industry-standard DIMMs, which almost all of the x86 world uses," Sharma said, "in Power10 we are using OMI-attached... we, sort of informally, call them DDIMMS.

"These are buffered DIMMS. And we are able to isolate any DIMM failures within the buffer DIMM instance itself, so it causes fewer system outages compared to the x86 world. This is becoming extremely critical in these in-memory [database] configurations."

On the software side of things, IBM had words of reassurance for its independent software vendor (ISV) ecosystem: everything should work as before. "Power10 has a Power9 and a Power8 compatibility mode," Sharma said. "So you can essentially run a virtual machine in that mode, and then all of your software, whether it's ISV software, or customer software, or operating systems for that matter, all of it can be brought forward.

"At the same time, even in Power10 mode, we have a binary compatibility guarantee. So, the entire ISV ecosystem that we have built over the decades is going to be able to come forward to Power10."

Orders for the E1080 are open now, price-on-application, with shipments expected to begin before month's end. Interested parties can find out more on IBM's website.

See the original post here:
IBM's first 7nm Power10 chip arrives in E1080 server system with a wealth of shiny features - The Register

The adoption of multi-cloud drives the need for better data protection and management of encryption keys an… – Security Boulevard

Enterprise adoption of multiple cloud platforms continues in earnest, whether it's aimed at improving collaboration, reducing data center footprint, increasing customer response times, or any number of other business goals. As organizations advance their multi-cloud strategies, they are tasked with applying consistent security configurations across workloads and applications. They must also implement data protection that addresses today's threat vectors and aligns with stringent compliance and audit requirements.

Encrypting cloud data is essential to protecting sensitive information and workloads, but it needs to be done correctly to be effective and meet compliance mandates. A recent report from Forrester, Best Practices: Cloud Data Encryption, articulates several important recommendations, notably:

These security measures are critical to protecting your cloud data and workloads, and it's vital to get them right from the outset.

Multi-cloud computing is here to stay, and so are the complexities associated with protecting your data and workloads.

Administrative challenges of managing cloud environments

While cloud service providers continue to enhance their built-in security capabilities, the teams tasked with managing cloud environments face a constant battle to fine-tune their configurations and permissions. As exemplified by numerous data breaches over the past few years, misconfigured cloud storage settings are a common, yet often unidentified, trouble spot.

Each cloud platform is unique and, even if you manage to get a handle on who has access to which data and workloads, keeping up with providers' updates and new controls requires constant vigilance. And as the shortage of skilled security professionals persists, including those with expertise working across multiple cloud platforms, these challenges aren't going away.

Demonstrating compliance

Identifying and implementing the right security controls is one challenge, while demonstrating compliance with data privacy regulations and industry mandates is another. Security teams cite specific concerns about being able to verify controls and how to report compliance in an auditor-approved format.

As compliance and audit requirements continue to get more stringent, nearly every enterprise is now subject to at least one mandate that calls for the use of data encryption. And as the Forrester report discusses, data encryption is a must-have for cloud workloads. This necessary security measure comes with its own administrative upkeep that can be difficult to handle without the right tools in place.

Cloud data encryption: Getting it right

Workloads go through many lifecycles, from staging to deployment to backup, and eventually have to be securely decommissioned. Each stage poses different risks of potential data theft or other misuse. Managing workload encryption from each cloud's management platform is complex and further increases the risk of inconsistent policies and mistakes.

Additionally, an encryption strategy that aligns with compliance mandates requires robust key management. Unfortunately, key management is not universal across cloud platforms, so the security team must contend with key storage, distribution, rotation, and revocation in multiple environments.

What's more, when encryption keys are not completely separated from the workloads and data they protect, the potential exists for a security incident that compromises both, leaving data exposed to a breach. Best practices call for the use of certified HSMs to protect your encryption keys.

Entrust can help

Entrust offers a robust set of security solutions to help you protect workloads and data across your multi-cloud infrastructure, including enhanced protection of your encryption keys that supports compliance with data privacy mandates.

The post The adoption of multi-cloud drives the need for better data protection and management of encryption keys and policy controls appeared first on Entrust Blog.

*** This is a Security Bloggers Network syndicated blog from Entrust Blog authored by Jim Delorenzo. Read the original post at: https://blog2.entrust.com/blog/2021/08/the-adoption-of-multi-cloud-drives-the-need-for-better-data-protection-and-management-of-encryption-keys-and-policy-controls/

View post:
The adoption of multi-cloud drives the need for better data protection and management of encryption keys an... - Security Boulevard

Cryptomator Vs. BoxCryptor: Which One Is The Best Encryption Software? – Analytics Insight

Cyberattacks are increasing every day. That's why people use encryption software to safeguard their data from threats. Nearly everybody uses cloud storage services like Dropbox, Google Drive, or OneDrive; however, these don't provide additional security for your data. It is important to add more layers of safety to these storage services. This is where Cryptomator and Boxcryptor come in, both best known for adding secure encryption to your cloud data. Cryptomator and Boxcryptor are two of the best encryption tools for encrypting files before they are sent to the cloud. This way, the information in the file is protected from any type of cyberattack.

But when it comes down to Cryptomator and BoxCryptor, which one is the best encryption software?

Cryptomator is one of the numerous TrueCrypt forks in Git that ranks among the best TrueCrypt alternatives. Cryptomator does not have certain features that Boxcryptor has; however, it compensates with its excellent multi-platform usability and robust security. If you need free encryption software, Cryptomator is intended for you. Unlike Boxcryptor, Cryptomator is completely free. You can choose to donate to the project, but it's not required.

Cryptomator is easy to use, but free things do come with certain limitations, especially when it comes to features. Full-disk encryption might be missing in Cryptomator, but as far as free file encryption goes, Cryptomator is difficult to beat. While Cryptomator gives you open-source, private, end-to-end encryption and over 20 supported cloud services, there are certain drawbacks, like no sharing functionality and no contract options.

Where you find almost every tool for free in the encryption software market, Boxcryptor adopts a more unconventional business strategy. Boxcryptor is a heavyweight piece of software with lots of features, though it may seem rigid. It makes up for that with an isolated framework that works in every cyberattack scenario.

The software is available at an affordable price, and its cost-friendly subscription plan does not put a burden on your pocket. Boxcryptor can be used for free if only one cloud service is used to access two devices on one account. Boxcryptor makes a statement with its accessibility and UX. It takes what's typically a specialized and complex piece of software or procedure and makes it easy to understand.

Boxcryptor offers hassle-free sharing and integration with more than thirty cloud providers (something Cryptomator lacks), and you can also share encrypted files directly. The end user will need a Boxcryptor account to access the encrypted data. Since Boxcryptor offers a limited free plan, sharing individual files isn't an issue.

What are the major differences between Cryptomator and BoxCryptor?

Dropbox, OneDrive, Google Drive, and WebDAV-based cloud storage are supported cloud providers for both Cryptomator and Boxcryptor, although Boxcryptor supports over 30 cloud service providers in total, such as iCloud and SharePoint.

Cryptomator: Data stored in the encryption vault is automatically encrypted. The user can choose the location of the vault, for instance a cloud provider.

Boxcryptor: Here, each file is encrypted individually. This way, if a file is changed, the entire contents need not be re-encrypted and synchronized, as with many other encryption tools; Boxcryptor can update just that specific file.

Cryptomator: In Cryptomator, you can share files with other Cryptomator users by giving them access to your vault, that is, by sharing your password.

Boxcryptor: In Boxcryptor, users can share individual files securely and explicitly via email addresses, as with Dropbox and the standard cloud providers. Still, the recipient needs to create or have a Boxcryptor account (which is free to use).

Account Security and Language Options

Cryptomator: Cryptomator currently does not offer 2-factor authentication; it is available in many languages, like English, German, Dutch, Russian, and Chinese.

Boxcryptor: Boxcryptor offers 2-factor authentication (2FA) with authenticator apps (TOTP) on all platforms; it is available in languages like English, German, French, Italian, Spanish, and Russian.

In conclusion, Boxcryptor and Cryptomator suit anyone who needs to protect their files or data on cloud storage. These two programs are meant for security-conscious people as well as anyone who wants to protect data, whether on their smartphone, desktop, or in the cloud. The uses of both encryption tools are boundless. Data encryption is the sole purpose of these two cloud encryption tools. Boxcryptor and Cryptomator are used to ensure that data remains safe in the cloud.

This set of features has been made possible by their latest AI-driven cybersecurity with cutting-edge encryption advances. The data encryption capabilities provided by the two tools are robust. So, both encryption tools have certain limitations but are among the best when it comes to protecting your data.


Visit link:
Cryptomator Vs. BoxCryptor: Which One Is The Best Encryption Software? - Analytics Insight

Why you should encrypt your data on your computer and how to do it – The Star Online

In the face of identity theft and online threats such as viruses and ransomware, it is important to protect the personal data on your computer. The most effective way to do this is to encrypt the data, which is easy to do on both Windows and macOS.

Data encryption: essential...

Encrypting your data is essential if you don't want a third party to get their hands on it. Hackers can indeed copy your data and even block access to it remotely. And keep in mind that even data that has been deleted can be recovered by ill-intentioned people.

Whether it's sensitive (administrative documents, medical files, private photos, etc) or not, data must be encrypted to prevent it from falling into the wrong hands one day. A properly encrypted hard disk is completely unreadable by anyone who does not have the decryption key, usually the administrator's password. Once encrypted, the data becomes truly private and cannot be read without that key.

... and easy!

Encrypting your computer is relatively simple, whether you have a PC running Windows or a Mac running macOS. If not proposed by default, encryption is relatively simple to activate on a recent machine.

Under Windows, you have to sign in to your Windows administrator account, then go to the Settings of your computer. Then you have to select Update & Security and activate Device encryption. If this feature does not appear, you have to type Manage BitLocker in the search field of the taskbar, open it, then choose Enable BitLocker.

On a Mac, you need to go to System Preferences and then go to the FileVault tab in Security & Privacy. To activate this option, click on the lock icon and enter your administrator name and password. From then on, the encryption operation will take place in the background, without the user noticing anything. Note that Apple provides you with a backup key if you ever lose your password.
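The Windows steps above are done through the GUI; the following is an added example (not from the article) showing how to check the same thing from an elevated PowerShell session, enable BitLocker if the drive is still unencrypted, and make sure a recovery password exists. It assumes the system drive is mounted at C: and that the machine has a TPM.

```powershell
# Added example: verify and, if needed, enable BitLocker on the system drive,
# then confirm a recovery password is available. Run from an elevated prompt.
#Requires -RunAsAdministrator
$Drive = "C:"   # assumed mount point of the system drive

$vol = Get-BitLockerVolume -MountPoint $Drive
"Volume status : $($vol.VolumeStatus)"       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
"Protection    : $($vol.ProtectionStatus)"   # On means the key protectors are active
"Method        : $($vol.EncryptionMethod)"

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Equivalent of "Enable BitLocker" in the GUI: seal the volume key to the TPM
    # and encrypt only used space so the initial pass finishes quickly.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
}

# Without a recovery password, a TPM reset or firmware update can lock you out for good.
$recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Store this 48-digit key somewhere that is NOT on the encrypted disk itself.
"Recovery password: $($recovery.RecoveryPassword)"
```

Re-running the script after a reboot should report VolumeStatus FullyEncrypted and ProtectionStatus On; if protection shows Off, the TPM protector was suspended and the drive is readable without a key.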

Check out our other tips on how to choose the right password, boost your WiFi connection and secure your connected devices. AFP Relaxnews

See the original post:
Why you should encrypt your data on your computer and how to do it - The Star Online