Cloud Hosting

The actual number of chat messages sent each day is hard to come by, but with WhatsApp alone accounting for billions of users, you can imagine the sheer volume of ongoing conversations.

Not all of those messages involve anything particularly sensitive or private, but a lot of them doand you dont want those chats to be seen by anyone other than the intended recipients.

Good messaging hygiene might involve changing apps or tweaking a setting, but its important that you dont neglect it. These five recommendations can get you started.

Switch to End-to-End Encryption

When instant messenger chats are end-to-end encrypted, theyre essentially turned into impenetrable blocks of data. Only the devices of the person (or people) youre chatting with have the codes to unlock that data, which ensures no one else can read your messages while theyre in transit.

Not even the developers behind the software youre using can unlock that data, so if an unscrupulous employee wanted to take a peek at your chats, they wouldnt be able to. If law enforcement requested copies of the conversations, there wouldnt be anything useful to hand over to them.

Some instant messengers use end-to-end encryption, but not all of them do. End-to-end encryption is deployed by default for Signal, WhatsApp (for personal chats,) iMessage, and Google Messages (with RCS enabled.) Its also available as an option on Facebook Messenger and Telegram. If youre using anything else, check the providers policies and consider switching to something more secure.

Facebook Messenger lets you set messages to disappear.

Turn On Disappearing Messages

We mentioned that Facebook Messenger has the option of end-to-end encryption: To enable it, you need to make a conversation secret by tapping the info (i) button at the top of a chat in the mobile app, then choosing Go to secret conversation.

Once youre in that secret conversation, another feature becomes available: Disappearing messages. Tap the info button again and pick Disappearing messages, then choose how long messages should stick around after being read. This way of tidying up after yourself protects you against someone reading through your chats if they gain access to them or physical access to your device.

Facebook Messenger isnt the only app that offers this functionality: You can also find disappearing messages in WhatsApp, Signal, and Telegram, among others. On iPhones, you can delete older conversations in the Messages app after choosing Messages and Keep Messages from Settings.

Lock Individual Conversations

To avoid an unwelcome visitor gaining access to your phone and all of your chats, one of the best things you can do is lock some or all of those chats behind a passcode or other locklike the protection on your phones lock screen.

WhatsApp makes this simple. You can lock the entire app via the Privacy menu in the app settings, or you can lock individual chats: Open the chat, tap the conversation name at the top of the screen, and then pick Chat lock. The options here will depend on the options on your phone (such as fingerprint lock and face recognition).

See more here:
5 Ways to Make Your Instant Messaging More Secure - WIRED

A ransomware gang known as Cl0p has found and exploited vulnerabilities in several file-transfer tools, including Fortras GoAnywhere, Accellions file transfer appliance (FTA), and Progress Softwares MOVEit. Though known as a ransomware group, they seem to be skipping the part where they encrypt the victims data and are simply extorting based on releasing the sensitive data to the public. Cl0p has claimed to compromise over 130 organizations, including governments, universities, healthcare, airlines, media, and financial institutions1. This list could be even worse, given many of the breached organizations are vendors. For example, one primary victim using MOVEit was Zellis, a human resources software maker, whose breach included payroll data for British Airways2. Another example is Guidehouse, which uses Accellions FTA and is a vendor for Morgan Stanley, the investment banking firm. Morgan Stanley has confirmed that documents with customers personally identifiable information (PII) were stolen3 due to a breach related to Guidehouse.

Security Measures Bypassed

One thing that stands out in these attacks is how several traditional security measures had to fail for the data to be stolen.

1) Unnecessary exposure to the Internet

Though the vulnerabilities of the three file-transfer vendors vary in the details, they are all remote execution bugs that should have been mitigated by avoiding exposure to the internet. However, researchers were able to use Shodan (a free internet search tool that can find publicly exposed databases and servers) to find thousands of MOVEit2 and GoAnywhere4 servers that were exposed to the internet. There is a constant stream of news about compromised servers, databases, and object stores (like AWS S3 buckets) that victims had assumed did not have internet access. While numerous security posture management tools are coming to the market to identify vulnerabilities such as this, they dont fix or address the vulnerability (its the companys responsibility to do that).

2) Keep all software fully patched

Another common security measure is to keep all software fully patched. This is absolutely required, however, when vulnerabilities are newly discovered (known as zero-day vulnerabilities) there is often no patch available. In the cases of MOVEit (CVE-2023-34362) and GoAnywhere (CVE-2023-0669) the first number of the CVE is 2023, meaning they were just reported in 2023. The Cl0p gang discovered the vulnerability and exploited it before the vendors could create a patch. The same cant be said for the Accellion vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) that have been known since at least 2021 and CISA even listed them in the Top Routinely Exploited Vulnerabilities of 20215.

3) Stop using unsupported software

Accellion FTA brings up another missed security measure and that is to not use unsupported software. Accellion FTA is a 20-year old product that went end-of-life April 30, 2021 and replaced by modern and more secure platform, Kiteworks6.

4) Key management, where and how the data is encrypted

In the Morgan Stanley case mentioned above, the stolen data was encrypted, but the decryption keys were stolen as well. It is important to ensure the encrypted data is kept separate from the keys.

5) Protect data when its accessed (data in use), as well as data at rest and data in motion

Finally, all of these file-transfer tools encrypt the data in-motion (as it is being transferred) using TLS/SSL or SFTP protocols. However, the data is not being stolen while it is moving over the internet, rather the tools themselves are used to pull data from the source, where it is usually not encrypted. Even if the data is encrypted in a database or object store using transparent data encryption (TDE) or full disk encryption (FDE), this only protects against the hard drives being physically stolen and doesnt help with remote attacks.

Baffles Solution

Baffle Data Protection Services for Object Stores provides the ability to encrypt files from any S3, Azure blob storage, SFTP or HTTPS source to any other destination using the same protocols. Entire files, elements of files (CSV, JSON, XML), or regex matches of text files can be encrypted using traditional AES encryption or format preserving encryption. Every tenant (user or service account) may be assigned their own keys for further data isolation.

Figure 1. Baffle for Encryption of data-at-rest/ingestion

Another instance of Baffle is deployed at the receiving end of the file transfers to protect the data to the point of use (figure 2). To keep the encryption keys separated from the data, Baffle implements envelope encryption and therefore never has access to the key encryption keys (KEK). The KEKs in-turn are kept by a customer-managed key management service (KMS) and ultimately on a hardware security module (HSM) to protect from physical and remote attacks. Role-based access controls for each Baffle instance ensure decryption according to each users need to know. By encrypting the data from end-to-end, (data-at-rest, through the pipeline, and to the final user), the sensitive information is protected even if the database or file transfer tool is compromised.

Figure 2. Baffle for Encryption until the data is used

Conclusion

Defense-in-depth is a concept that has been around for a long time, but this incident is a reminder that it is still relevant today. While all the other security measures are important, if end-to-end encryption is implemented and the hackers still manage to get the files, they are worthless. From PCI-DSS to GDPR, strong encryption and key management is recognized by all the major security and privacy standards for protecting data even when the ciphertext is accessed. This is the value of data-centric protection and it virtually eliminates the impact of data breaches.

Learn More

To see a demo of data masking and discuss your data protection concerns, please schedule meeting with Baffle.

References:

1New victims come forward after mass-ransomware attack | TechCrunch2Microsoft says Cl0p ransomware gang is behind MOVEit mass-hacks, as first victims come forward | TechCrunch3The Accellion data breach continues to get messier | TechCrunch4The GoAnywhere data breach explained | ITPro5Top Routinely Exploited Vulnerabilities | CISA

The post A look into the file-transfer attack (and how to protect your data) appeared first on Baffle.

*** This is a Security Bloggers Network syndicated blog from Baffle authored by Billy VanCannon, Director of Product Management. Read the original post at: https://baffle.io/blog/a-look-into-the-file-transfer-attack-and-how-to-protect-your-data/

Go here to see the original:
A look into the file-transfer attack (and how to protect your data) - Security Boulevard

From Silverman v. Ariz. Health Care Cost Containment Sys., decided Thursday by the Arizona Court of Appeals (in an opinion by Chief Judge Kent E. Cattani, joined by Judge Cynthia J. Bailey and Vice Chief Judge David B. Gass):

This public records case presents a narrow issue of potentially broad import. Arizona law does not require a public entity to create any new record in response to a public records request. But does using encryption to redact non-disclosable information stored in an electronic database necessarily constitute creation of a new record? We hold that it does not.

This concept is particularly important in a case like this one, in which the public entity uses non-disclosable data as a critical part of its database structure (as the relational keys linking different tables). Thus, requiring the agency to use a one-way cryptographic hash function to redact the non-disclosable datasubstituting a unique hashed value that masks protected information without destroying its function in the databaseis necessary to ensure a requestor receives, to the extent possible, a copy of the real record.

And because such encryption only hides a limited aspect of the recordwithout adding to, aggregating, analyzing, or changing any of the underlying informationit does not create anything new and does not result in the creation of a new record. Accordingly, and for reasons that follow, we reverse the superior court's dismissal of the journalists' public records lawsuit at issue here and remand for further proceedings consistent with this opinion.

The Arizona Health Care Cost Containment System("AHCCCS") oversees the Arizona Long-Term Care System("ALTCS"). Appellants Amy Silverman, Alex Devoid, and TNI Partners (d/b/a Arizona Daily Star) are journalists researching issues related to services for Arizonans with developmental disabilities, including those services provided by ALTCS. Appellants are seeking public records from AHCCCS to learn what factors affect eligibility decisions during the ALTCS application and screening process.

In February 2020, Appellants submitted a public records request for data in AHCCCS's databases for multiple categories of information provided in or related to ALTCS applications. Appellants acknowledged that healthcare-related information would have to be de-identified to comply with privacy rules under the Health Insurance Portability and Accountability Act ("HIPAA"). Noting that the requested data might be contained in multiple tables, Appellants requested that, for de-identified data, AHCCCS "include a unique identifier, such as a hash key, to replace" information necessary to distinguish different individuals' records. Appellants' request expressly did not ask AHCCCS to "join tables together or to conduct any type of analysis on the data," provided any existing relational keys remained intact.

Appellants eventually sued under the Arizona public records act, and here's how the court of appeals analyzed this:

Under Arizona law, "[p]ublic records and other matters in the custody of any officer shall be open to inspection by any person at all times during office hours." This statutory mandate reflects Arizona's strong presumption in favor of open government and disclosure of public documents. Public policy favors subjecting agency action "to the light of public scrutiny" and ensuring that citizens are "informed about what their government is up to."

A requestor is generally entitled to review a copy of the "real record," even one maintained in an electronic format, subject to redactions necessary to protect against risks to privacy, confidentiality, or the best interests of the state. Thus, upon request, a public entity must search its electronic databases to identify and produce responsive records. But the entity need not tally, compile, analyze, or otherwise provide information about the information contained in existing public records, which would in effect create a new record in response to the request. Nor is the entity required to compile the data in a form more useful to a requestor.

Using a one-way cryptographic hash function to substitute a unique hashed value for protected information does not add to or change any of the underlying information (much less aggregate or analyze the data); it just hides a limited aspect of it. Redaction-by-encryption does not create anything new, but rather represents a better-tailored redaction process that eliminates only information that is in fact protected.

We acknowledge that redaction-by-encryption is different than traditional redaction-by-deletion (or redaction-by-obscuring-text-behind-a-black-box), and it may only be feasible in the context of electronically stored records. But when public records are stored in that format, differences occasioned by newer forms of data storage may call for differences in how the data is disclosed. For example, embedded metadata is an inherent part of a public record maintained in an electronic format, even though such metadata was nonexistent and effectively meaningless for the same record stored on paper. Accordingly, applying redaction-by-encryption as a more tailored form of redaction (even if made possible only by electronic storage) serves to ensure that the requestor receives access to the "real record" to the greatest extent possible.

The most analogous authority construing the federal Freedom of Information Act ("FOIA") bears this out. [Details omitted. -EV]

We note that redaction-by-encryption does not entitle Appellants to anything more than the public record as it actually exists.

Accordingly, to the extent the tables and fields in the existing databases (pre-redaction) are not in fact linkedand the record is not clear on that issueAHCCCS is not required to create new links to serve Appellants' purposes. But to the extent the links exist pre-redaction, all Appellants' complaint seeks, and what they are potentially entitled to, is preservation of those links that form part of the "real record."

To be sure, the journalists' request may ultimately prove unduly burdensome given the scale of data involved, and redaction (by encryption and otherwise) may ultimately prove insufficient to adequately anonymize the data given the type of data requested. But those questions require evidentiary development and must be considered on their facts, not as questions of law.

Plaintiffs are represented by Arizona State's First Amendment Clinic, and in particular by attorneys Jake Karr (who orally argued the case, and who's now at the NYU Technology Law & Policy Clinic), Gregg P. Leslie, and Zachary R. Cormier, and law students Jack Prew-Estes, Jake Nelson, Maria McCabe, and Vanessa Stockwill.

Read more from the original source:
Interesting Public Records Act Case - Reason

How data moves so quickly between clouds, data centers and jurisdictions is abundantly clear. One of privacy professionals' tasks is to consider the current progress of the technology.

In this data-driven economy, privacy pros, architects, data scientists, engineers, researchers, regulators and industry groups should focus their attention on technologies that protect privacy and support security principles without losing the utility and functionality of the data: so-called privacy-enhancing technologies.

This topic has become a global trend, with increased attention from regulators and public authorities worldwide. Recently, the principle of privacy by design and by default consecrated in the EU General Data Protection Regulation has been recognized as an ISO standard. On 31 Jan., the International Organization for Standardization published ISO 31700, "Consumer protection Privacy by design for consumer goods and services." It features 30 requirements for embedding data privacy into consumer products and services.

From a lawyer's perspective, working in the privacy domain for several years, PETs are an interesting landscape to explore and are full of potential, but not exempt from challenges, and legal and practical considerations in day-to-day operations.

PETs are not a new concept. Some of them are market-ready, like differential privacy, while others are still not used in practice because they are expensive and require experts to implement them, like homomorphic encryption and secure multiparty computation. Other solutions, such as secure enclaves are in the middle, as they receive attention for cloud support. Synthetic data has received incredible attention lately, in the context of OpenAI's ChatGPT, for training and validating artificial intelligence systems.

When a company decides to invest in one of those solutions, there are different factors to consider, including the type and volume of data to be processed, expected outcome, implementation and cost, the number of parties providing input to the computation, and the maturity of these tools for the given use case.

Each of these PETs presents different challenges and vulnerabilities, irrespective of the cost and the expertise required for the implementation. It is worth analyzing some of these solutions.

Differential privacy is achieved by injecting noise into a data set. The introduced noise is capable of protecting privacy while still providing useful information, without divulging personal data. This solution has been implemented in statistics and analysis. However, there are some concerns in terms of output accuracy, which are linked to different factors, such as the volume of the data in the data set, amount of information released and number of queries made on that pool of data.

Homomorphic encryption allows computational operations on encrypted data without disclosing the result. Using this solution, data is encrypted at rest, in transit and in use, and only the party providing the data owns the key to decrypt the output. This solution is not exempt from limitations due to its high computational cost, the specific knowledge required and the fact that the majority of homomorphic encryption schemes provide input privacy only for a single party because there is only one decryption key.

The fully homomorphic encryption solution has been tested for some use cases, like improving collaboration for combatting financial crime and, in the payment card industry sector, fighting attacks by RAM-scraping malware against merchant's point of sale.

With the echo created by ChatGPT, and the privacy concerns linked to the use of generative AI, it is worth mentioning the use of synthetic data as a way to work around the data privacy and security challenges raised by using AI tools. Synthetic data is a powerful tool in the development and testing of AI. Synthetic data can be artificially produced by a generative model to mimic real data sets with the same statistical properties as the original, enabling companies to create a large amount of training data

However, in this context of using synthetic data for training AI systems, synthetic data does not overcome the main concern about bias in the source data and risk for reidentification.

Reaching a legal assessment on PETs is complex due to the lack of regulations, guidance supporting the deployment of new technologies, business cases for adopting PETs and expertise in cryptography techniques, which can lead to making mistakes during the implementation phase.

However, a wide variety of initiatives on PETs are ongoing throughout the world, with the aim of promoting innovation through research and technology development, regulatory sandboxes and use cases to show how PETs can enhance businesses.

In exploring some of the initiatives underway, it is worth mentioning the Royal Society in the U.K. issued an exhaustive report: "From privacy to partnership: the role of Privacy Enhancing Technologies in data governance and collaborative analysis." The purpose is to evaluate "new approaches to data protection and collaboration, encouraging further research in and testing of PETs in various scenarios."

In Singapore, the Infocomm Media Development Authority, in collaboration with the Personal Data Protection Commission, launched Singapore's first PET Sandbox on 20 July 2022 for companies who wish to experiment with PETs, to work with PET solution providers to develop use cases and testing ground to pilot PETs.

In July 2022, the U.K. and the U.S. launched a set of prize challenges to drive innovation in PETs to reduce financial crime and respond to public health emergencies. The goal of this initiative was to provide the opportunity for innovators from academia, institutions, industry and the public to design one technical solution. For the first stage of the competition, teams submitted white papers describing their approaches to privacy-preserving data analytics. In the second stage, they focused on solution development and submitted code for testing their solutions on a platform. In phase three, independent "red teams" executed privacy attacks on the solutions developed in phase two. The winning teams were selected based on attacks by red teams and evaluated by a panel of PETs experts from government, academia and industry.

In February 2022, the U.K. Department for Business, Energy and Industrial Strategy created a project called "PETs for Public Good." As part of the project, the U.K. Information Commissioner's Office ran a series of workshops with organizations in the health sector, academics and privacy that focused on how PETs can facilitate data sharing in health and testing these technologies.

I trust regulators will publish official guidance and codes of conduct about the use of PETs, clarify how the use of those technologies can help to enable and satisfy regulatory compliance, define a standard approach on the adequacy of PETs for a given use case, and issue a clear position around the definitions of deidentification, anonymization and pseudonymization of data. The latter represents one of the main challenges for lawyers and technical teams, expanded by the fact that the terminology is often inconsistent across different jurisdictions.

After the cloud era and all the challenges posed by using the cloud, I expect large companies will start to evaluate the use of PETs in secure cloud infrastructures, while considering the probability of deidentification and reverse engineering.

Continue reading here:
Leveraging technology and innovation to ensure privacy - International Association of Privacy Professionals