
Keeping the enterprise secure in the age of mass encryption – Information Age

By automatically discovering every key and certificate generated by your organisation as they are created, and integrating this data into security tools, you can finally shine a light on encrypted tunnels

Organisations have always been told that strong encryption is their friend. When applied to internet traffic, encryption secures the connection between user and website, locking the bad guys out and foiling the hijackers attempting to spoof legitimate sites or eavesdrop on communications.

So when Mozilla recently revealed that the majority of web pages loaded by Firefox used the secure HTTPS protocol, it seemed like a good news day for information security. Naturally, the story is far more complex than that.

The truth is that the hackers are getting increasingly adept at hiding in these encrypted tunnels, which disguises their attacks from even the best defences. For example, roughly 90% of CIOs have already been attacked, or expect to be, by hackers hiding in encrypted traffic.


Businesses urgently need to improve their management of encrypted tunnels, or they risk compromising the effectiveness of their cyber security defences. But for that to happen, organisations must first gain visibility and control over their expansive estates of digital keys and certificates.

These keys and certificates are the cryptographic assets that form the foundation of encryption, allowing machines to identify each other in the same way usernames and passwords work for human users.

CISOs do not accept having limited visibility over identity and access management for all their users; the same rigorous oversight needs to be extended to keys and certificates.

The growth of HTTPS is both a positive and a negative thing. Encryption is the primary tool used to keep internet transactions out of the reach of prying eyes, and we've seen increased adoption over the past few years, partly driven by revelations of mass state surveillance exposed by NSA whistleblower Edward Snowden.

HTTPS protects the sensitive data of hundreds of millions of users around the world, offering protection against man-in-the-middle attacks and attackers looking to spoof trusted sites.

Encrypted traffic is becoming the norm rather than the exception, and a survey from this year's RSA Conference showed that this trend will continue: two-thirds (66%) of attendees said that their organisation is planning to increase encryption usage.


But what happens when a hacker manages to get into encrypted traffic? This is not a hypothetical problem: a third (32%) of security professionals at RSA said that they are either not confident or have only 50% confidence in their organisation's ability to protect and secure encrypted communications.

And once a hacker does get into encrypted traffic, it offers the same protections, but this time against the organisation's security tools. Intrusion detection and prevention systems, firewalls and similar tools are rendered useless, unable to inspect the traffic going in and out of the organisation.

A hacker could hide malware or web exploits from these tools to launch an attack and then use the encrypted tunnel to ferry stolen data out again.

The problem ultimately boils down to the digital keys and certificates that form the Internet's base of cyber security and trust. Today, this system is used to secure everything from online banking to mobile apps and the Internet of Things (IoT). There's just one problem: our foundation is built on sand.

The volume of keys and certificates has exploded over recent years, thanks to virtualisation and the growth in mobile devices, cloud servers and now the IoT. Everything with an IP address depends on a key and certificate to create a secure connection.


But organisations simply can't keep track of this explosive growth, often leaving keys and certificates unsecured and managed manually. This has allowed cyber criminals to sneak in and use unprotected keys and certificates for their own ends.

The problem will only get worse as the number of IoT devices grows. Gartner recently claimed 8.4 billion connected devices will be in use globally by the end of 2017, up 31% from 2016, and reach a staggering 20.4 billion by 2020.

Additionally, half of the organisations Venafi polled last year said they saw key and certificate usage grow by over 25%. And one in five claimed it had increased by more than 50%.

As keys and certificates grow, so do the opportunities for the hackers. But there is hope. If we're able to provide our security tools with the all-important keys, then they can open up and inspect encrypted traffic to ensure it doesn't contain anything malicious.

This is easier said than done, especially given the hundreds of thousands of keys and certificates a typical organisation must manage. Keys and certificates are created and retired every day.

What organisations need is a centralised intelligence and automation system. This will ensure that all security tools are provided with a continuously updated list of all the relevant keys and certificates they need in order to inspect encrypted traffic.


By automatically discovering every key and certificate generated by your organisation as they are created, and integrating this data into security tools, you can finally shine a light on encrypted tunnels.

The result? IT leaders will not only benefit from improved resilience from cyber attacks, data breaches and the like, but also finally gain full value from their technology investments.

With encrypted traffic growing all the time and 85% of CIOs expecting criminal misuse of keys and certificates to get worse, businesses can't afford to hang around.

Sourced by Kevin Bocek, chief cyber-security strategist at Venafi


How have ARM TrustZone flaws affected Android encryption? – TechTarget

Google received a lot of praise for the security improvements in Android N, but some security experts have taken Google to task over what they claim are shortcomings with Android N encryption. What are the issues with Android N's encryption scheme?

Encryption is the cornerstone of information security, yet it is notoriously difficult to implement well, particularly on desktops and mobile devices used by non-tech-savvy users. Ease of use, speed and data recovery all need to be balanced against robust encryption.

The two main technologies for meeting these requirements are full disk encryption (FDE) and file-based encryption (FBE). FBE only encrypts selected folders or files, which remain encrypted until the user chooses to access them by providing the correct credentials. FDE encrypts the entire contents of a device's hard drive, so if the device is lost or stolen, or the drive is placed into another device, all the data remains protected. However, once a user unlocks their device, none of the data is protected, as the entire contents of the drive will have been decrypted. While desktop computers are regularly turned off, most mobile devices are left on indefinitely, leaving sensitive data decrypted and potentially accessible to unauthorized users.

Since Android version 5.0, Android devices have had FDE enabled by default. This is based on the Linux kernel subsystem dm-crypt, a widely used and robust encryption scheme. But, like every encryption scheme, it is only as strong as the key used to encrypt the data.

An independent researcher, Gal Beniamini, posted exploit code that breaks Android's FDE on devices running on Qualcomm chips by leveraging weaknesses in the chips' design.

ARM TrustZone is a system-on-a-chip and CPU system-wide approach to security that supports a Trusted Execution Environment, backed by hardware-based access control, which cannot be interfered with by less trusted applications or the operating system.

Android's Keystore Keymaster module is intended to assure the protection of cryptographic keys generated by applications, and it runs in the ARM TrustZone. It contains the device encryption key (DEK) used for FDE, which is further protected through encryption with a key derived from the user's unlock credentials. This key is bound to the device's hardware through the intermediate Keymaster signature. This means all cryptographic operations have to be performed directly on the device itself by the Keymaster module, thus preventing off-device brute force attacks.

However, as the key derivation process is not truly hardware-bound, the Keymaster signature is stored in software instead of hardware, and is directly available to the TrustZone. This makes Android's FDE only as robust as the ARM TrustZone kernel or Keymaster module.

Beniamini's previous blog posts have shown that applications that run in the TrustZone in Android devices using Qualcomm chips can be reverse-engineered. By reverse-engineering the Keymaster module and leveraging two ARM TrustZone kernel vulnerabilities he discovered, Beniamini developed an off-device exploit to decrypt the DEK. No longer restricted to a limited number of password attempts, the user's credentials can be brute forced by passing them through the key derivation function until the resulting key decrypts the stored DEK. Once the DEK is decrypted, it can be used to decrypt the entire drive, breaking Android's FDE scheme. The attacker can also downgrade a patched device to a vulnerable version to extract the key.

This flaw makes Android's FDE implementation far weaker than Apple's, which has encryption keys that are properly bound to the device's hardware, and which are never divulged to software or firmware. This means an attacker must brute force an iOS user's password on the device. This requires overcoming the on-device protections, like delays between decryption attempts and wiping user data after so many failed attempts. Android devices, on the other hand, perform encryption using keys which are directly available to the ARM TrustZone software.
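The key hierarchy described above (the user's credential plus a device-bound Keymaster secret deriving the key that wraps the DEK) and the on-device attempt limits of the iOS comparison, modelled as an added example; this is not Android, Qualcomm or Apple code, and derive_kek, wrap_dek and HardwareBoundKeymaster are constructed models using an HMAC-based wrap chosen for the example rather than the real scheme.

```python
"""Model of a credential-plus-device-secret key hierarchy wrapping a disk key.

Added example, not code from the article or from Android. 'device_secret' stands
in for the Keymaster signature; the wrap is an encrypt-then-MAC construction
built from HMAC-SHA256 for the example only (DEK limited to 32 bytes).
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed work factor for the example


def derive_kek(credential, device_secret, salt):
    # The device secret is mixed into the derivation: the KEK can only be
    # recomputed by something that holds that secret.
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), device_secret + salt, ITERATIONS)


def _subkeys(kek):
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap_dek(dek, kek, salt):
    """Returns salt || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    stream = hmac.new(enc_key, salt, hashlib.sha256).digest()[: len(dek)]
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def unwrap_dek(credential, device_secret, blob):
    """Recover the DEK, or None when the credential/secret pair is wrong.

    This function is the point of the article: if device_secret is available
    to software, it can be called anywhere, with no limit on attempts.
    """
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_kek(credential, device_secret, salt))
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(enc_key, salt, hashlib.sha256).digest()[: len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))


class HardwareBoundKeymaster:
    """The intended design: the secret never leaves this object, so every
    unwrap attempt must pass through it and can be counted and, after the
    configured number of failures, answered with a wipe."""

    def __init__(self, device_secret, max_failures=5):
        self._secret = device_secret
        self.max_failures = max_failures
        self.failures = 0
        self.wiped = False

    def unwrap(self, credential, blob):
        """Returns ('ok', dek), ('wrong', None) or ('wiped', None)."""
        if self.wiped:
            return ("wiped", None)
        dek = unwrap_dek(credential, self._secret, blob)
        if dek is None:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.wiped = True  # wipe after too many failed attempts
            return ("wrong", None)
        self.failures = 0
        return ("ok", dek)


def provision(credential, device_secret):
    """Generate a fresh 32-byte DEK and wrap it; returns (dek, blob)."""
    dek, salt = os.urandom(32), os.urandom(16)
    return dek, wrap_dek(dek, derive_kek(credential, device_secret, salt), salt)
```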

Poor implementation is usually the weak point in any encryption technology. While the two ARM TrustZone vulnerabilities used by Beniamini, CVE-2015-6639 and CVE-2016-2431, have been patched, many devices remain susceptible to the attack because they have yet to receive the patches. This is a constant problem that plagues Android devices due to restrictions and delays created by manufacturers or carriers that prevent end users from receiving or installing the updates they release.


Why isn’t US military email protected by standard encryption tech? – Naked Security

One of the United States Senate's most tech-savvy members is asking why much of the US military's email still isn't protected by standard STARTTLS encryption technology.

Last month, Sen. Ron Wyden (D-Oregon) shared his concerns with DISA, the federal organization that runs mail.mil for the US army, navy, marines and the Coast Guard:

The technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet. STARTTLS is widely supported by email server software but, critically, it is often not enabled by default, meaning email server administrators must turn it on.

Wyden noted that major tech companies including Google, Yahoo, Microsoft, Facebook, Twitter, and Apple use STARTTLS, as do the White House, Congress, NSA, CIA, FBI, Director of National Intelligence, and Department of Homeland Security but not DISA.

A 2015 Motherboard investigation originally uncovered the limited use of STARTTLS by U.S. government security agencies. Since then, Motherboard reports, many of the aforementioned agencies have started using STARTTLS but not DISA.

Wyden observed that until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromised by third parties.

Even if all the military messages sent through DISA's servers are unclassified, if Wyden is correct, this might conceivably give adversaries additional insights into the US military's structure, decision-makers, and decision-making processes.

Early reports on Wydens letter quoted DISA as saying that it would respond formally to him. DISA told Naked Security:

We are not at liberty to discuss specific tactics, techniques, and procedures by which DISA guards DOD email traffic. Email is one of the largest threat vectors in cyberspace. We can tell you that DISA protects all DOD entities with its Enterprise Email Security Gateway Solution (EEMSG) as a first line of defense for email security.

DISA's DOD Enterprise Email (DEE) utilizes the EEMSG for internet email traffic and currently rejects more than 85% of daily email traffic due to malicious behavior. DISA inspects the remaining 15% of email traffic to detect advanced, persistent cybersecurity threats. The Agency always makes deliberate risk-based decisions in the tools it uses for cybersecurity, to include email protocols for the DoD.

In the "news you can use" spirit, this might be a good time for a brief primer on STARTTLS. This SMTP extension aims to partially remedy a fundamental shortcoming of the original SMTP email protocol: it didn't provide a way to signal that email communication should be secured as messages hop across servers towards their destinations.

Using STARTTLS, an SMTP client can connect over a secure TLS-enabled port; the server can then advertise that a secure connection is available, and the client can request to use it.

STARTTLS isn't perfect. It can be vulnerable to downgrade attacks, where an illicit man-in-the-middle deletes a server's response that STARTTLS is available. Seeing no response, the client sends its message via an insecure connection, just as it would have if STARTTLS never existed. But, as the Internet Engineering Task Force (IETF) puts it, this opportunistic security approach offers some protection most of the time.

IETF says protocols like STARTTLS are:

not intended as a substitute for authenticated, encrypted communication when such communication is already mandated by policy (that is, by configuration or direct request of the application) or is otherwise required to access a particular resource. In essence, [they are] employed when one might otherwise settle for cleartext.
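The EHLO/STARTTLS exchange and the stripping downgrade described above, modelled in memory as an added example (not code from the article or from any mail server): a receiving server, an on-path relay that deletes the STARTTLS line, and a sending client run in both the opportunistic mode the IETF describes and the policy-mandated mode; hostnames and the log strings are constructed for the example.

```python
"""SMTP STARTTLS negotiation with the stripping (downgrade) case, in memory.

Added example. SmtpServer, StrippingRelay and deliver() are constructed models
with no sockets; the response lines follow the RFC 5321/3207 wire format.
"""
from dataclasses import dataclass


@dataclass
class SmtpServer:
    """A receiving MTA: answers EHLO with its capability list."""
    hostname: str
    supports_starttls: bool = True

    def ehlo(self, client_name):
        lines = [f"250-{self.hostname} Hello {client_name}", "250-SIZE 35882577"]
        if self.supports_starttls:
            lines.append("250-STARTTLS")
        lines.append("250 HELP")  # final line uses '250 ' instead of '250-'
        return lines

    def starttls(self):
        return "220 Ready to start TLS" if self.supports_starttls else "454 TLS not available"


class StrippingRelay:
    """Models an on-path party that deletes the STARTTLS advertisement and
    forwards everything else unchanged (the downgrade the article describes)."""

    def __init__(self, upstream):
        self.upstream = upstream

    def ehlo(self, client_name):
        return [l for l in self.upstream.ehlo(client_name) if "STARTTLS" not in l.upper()]

    def starttls(self):
        # A client that asks anyway never sees the upstream server's real 220.
        return "454 TLS not available"


def parse_capabilities(ehlo_lines):
    """Keyword of every EHLO extension line after the greeting line."""
    return {line[4:].split()[0].upper() for line in ehlo_lines[1:]}


def deliver(server, require_tls, log):
    """Sending-side policy. Returns 'tls', 'cleartext' or 'refused'.

    require_tls=False is opportunistic TLS (the IETF 'settle for cleartext' mode);
    require_tls=True is TLS mandated by policy: never fall back to cleartext.
    """
    caps = parse_capabilities(server.ehlo("sender.example"))
    if "STARTTLS" in caps and server.starttls().startswith("220"):
        log.append("INFO tls-established")
        return "tls"
    if require_tls:
        log.append("ERROR starttls-required-but-unavailable: message deferred")
        return "refused"
    # Detection point: a cleartext delivery to a peer that normally offers
    # STARTTLS is what a downgrade looks like in the sending MTA's log.
    log.append("WARN cleartext-fallback: STARTTLS not advertised")
    return "cleartext"


if __name__ == "__main__":
    for label, srv in (("direct", SmtpServer("mx.example.test")),
                       ("stripped", StrippingRelay(SmtpServer("mx.example.test")))):
        for policy in (False, True):
            events = []
            outcome = deliver(srv, policy, events)
            print(f"{label:8} require_tls={policy!s:5} -> {outcome:9} {events[-1]}")
```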

For context, Google reports that 88% of the Gmail messages it sends to other providers are now encrypted via TLS (in other words, both Google and the other provider support TLS/STARTTLS encryption); 85% of messages inbound to Gmail are encrypted.

Would STARTTLS offer value in securing the military communications DISA manages through mail.mil? From the outside, it's easy to say "Yes". But it sure would be fascinating to hear the technical conversation between DISA's security experts and Senator Wyden's.

Email service providers are caught on the horns of a dilemma, it seems. Naked Security's Paul Ducklin says:

STARTTLS only deals with server-to-server encryption of the SMTP part, so it isn't a replacement for end-to-end encrypted email in environments where that's appropriate. In other words, there are situations in which you may be able to make a strong case for not needing STARTTLS. But my opinion is that it's easier just to turn on STARTTLS anyway; just think of all the time you'll save not having to keep explaining that strong case of yours.

As for you: if you aren't using STARTTLS wherever it's available to you, why not?


Majority of Nigerians Have Faith in Bitcoin: Survey – newsBTC

A recent survey indicates that Nigerians trust Bitcoin more than gold when it comes to investments.

Bitcoin is rightly deemed the "Digital Gold". The cryptocurrency, introduced to the world in 2009, has all the properties of gold except for the weight, and these features aren't lost on the Nigerian cryptocurrency community. Bitcoin has a huge presence in African nations, and Nigeria is one such African country which recently ranked high in Google Trends for Bitcoin-related searches. The extent of faith in the cryptocurrency among the community is now known to the world, thanks to a recent survey conducted by Luno, a cryptocurrency platform serving the region.

As a part of this survey, Luno sent a series of questions to all its Nigerian customers, and the results didn't come as a surprise. The report states that trust in Bitcoin among Nigerians is at an all-time high, with over 59% of the survey participants responding positively to the cryptocurrency. The untrusting ones were about 17% of all respondents, while the remainder preferred to stay neutral.

One of the leading African tech magazines quoted a representative from Luno describing the survey process saying,

We shared a survey with our Nigerian customers which went out to all of our customers. We then reviewed the results for statistical significance, outliers, and errors and compiled the infographic from the data. Note that it was only sent to Luno customers, so the data might be slightly skewed towards our customer preferences (as opposed to all Nigerian Bitcoin users), but we enjoy the highest trading volume of Nigerian Bitcoin exchanges as per publicly available volume data, so it should be somewhat similar across the board. We aim to do much more research and share the results with the media and Bitcoin community in the coming months.

The results may not be 100% accurate, as those participating in the survey were already on board the Luno platform, which makes them existing cryptocurrency users who potentially hold a biased opinion towards their favorite digital currency. Also, many of these respondents were found to favor purchasing Bitcoin over gold, as they expect the cryptocurrency's value to appreciate much faster than that of the yellow metal.

The results of the survey were published by Luno in the form of an infographic, along with a promise to provide more information as soon as it finishes in-depth research and analysis of not just the platforms users but other individuals as well.


No, you can’t avoid taxes by investing in Bitcoin – New York Post

If you think investing in bitcoin or a similar crypto-currency may be a good method for hiding income from the tax man, you'd better think again.

While many bitcoin aficionados tout the new virtual currency as a promising alternative to so-called fiat currencies like the US dollar, the IRS considers investments in bitcoin as property deals, requiring that capital gains or losses in this usually volatile medium of exchange be treated like stock or bond sales and reported on Form 8949.

But compliance with this requirement is virtually nonexistent, at least if you go by numbers reported by the IRS.

The agency began going after Coinbase, the largest bitcoin exchange operating in the States, in November 2016, requesting that the San Francisco-based company turn over data and complete transactions on every one of its more than 14 million accounts from 2013 to 2015.

But in court papers filed by the IRS this month, after Coinbase refused to honor the request, complaining that it was overly broad, the tax-collecting agency reported that only 802 individuals reported a transaction on Form 8949 using a description likely related to bitcoin for 2015, the most recently concluded tax year. And this is apparently no fluke, with only 807 of the Form 8949s filed for 2013 and 893 for 2014.

This low level of reporting occurred during the same period (2013-2015) that the value of the currency (in dollars) went on a bumpy ride, skyrocketing from less than $20 to more than $1,100, presumably generating significant capital gains for many investors.

In my view, 800 reports per year of profits and losses in virtual currency transactions is ridiculously low, says Martin Mushkin, an attorney specializing in bitcoin law.

The publicity given to this proceeding now and the forthcoming enforcement actions would result in a substantial amount of tax collections, he adds. The anonymity of bitcoin should not be allowed to foster tax evasion.

Coinbase, for its part, blames the IRS itself for this underreporting, and its chief executive has called for creation of a Form 1099-B to be issued to each of its clients participating in a potentially taxable transaction, a proposal that the IRS has called low priority because of cuts to its budget.

"We're very serious about complying with the laws and we actually support the idea that people who ought to pay their taxes do so," says Michael Lempres, Coinbase chief legal and risk officer. "But the demand for three years' worth of transactions conflicts with privacy interests."

Mushkin and others familiar with the case say they expect Coinbase to cut a deal with the IRS. I suspect that, as we speak, Coinbase is preparing an answer to the anticipated Order to Show Cause and negotiating the terms of the summons, he says. The papers show the parties have been talking, and Coinbase will try to cut this down.

Coinbase is already registered with FinCEN, the Treasury's Financial Crimes Enforcement Center, obliging the exchange to report transactions in excess of $10,000 per day and transactions suspected of being structured to avoid the $10,000 reporting threshold (such as multiple $9,750 transactions). The Coinbase response, Mushkin predicts, will be to initially limit the subpoena to FinCEN reporting accounts and smaller accounts with large turnover volumes.


Bitcoin Unlimited vs Extension Blocks – The Merkle

Earlier this week, a new bitcoin scaling proposal started gaining some traction. Extension blocks, as this concept is called, aims to provide an alternative to Segregated Witness and Bitcoin Unlimited. What is rather interesting is how this solution draws some parallels with SegWit, yet it is very different from Bitcoin Unlimited. Now is a good time to check how both solutions compare to one another.

Most cryptocurrency enthusiasts are well aware of what Bitcoin Unlimited proposes. People supporting this bitcoin scaling solution acknowledge there is a growing need for much larger network blocks. While SegWit also acknowledges that need, it proposes a smaller increase compared to that of Bitcoin Unlimited. BU envisions a 2MB block size increase in the short term, which is then increased exponentially as time progresses.

However, Bitcoin Unlimited would effectively serve as a hard fork, whereas SegWit is a soft fork solution. A hard fork is irreversible and requires everyone on the network to upgrade their client. Moreover, Bitcoin Unlimited seemingly puts more power into the hands of the miners, which eventually leads to centralization. That is not necessarily a positive development, especially considering that their software seemingly hasn't gone through QA at this stage.

Moreover, it appears the economic majority is not in favor of Bitcoin Unlimited by any means. A few bugs discovered in the BU source code are not helping matters either. Right now, it is doubtful this solution will activate on the main bitcoin network. Bitcoin Unlimited may continue to exist as an altcoin in the future, though. Only time will tell what will happen to BU, as all possibilities are still on the table.

Unlike Bitcoin Unlimited, Extension Blocks is a proposal that can seemingly coexist with how Bitcoin Core developers envision the future of this popular cryptocurrency. Bitcoin Unlimited has no support for the Lightning network, whereas Extension Blocks does. Moreover, Extension Blocks addresses the malleability fix similarly to how SegWit should solve this problem, yet it also allows for a block size increase along the lines of what BU supporters want to see.

To achieve this goal, Extension Blocks will use an opt-in second layer for an on-chain capacity increase. Additionally, Extension Blocks brings some intriguing features to the bitcoin ecosystem, including smart contract technology. Plus, the proposal provides fungibility, a trait bitcoin has been lacking ever since its inception. However, all of these features are opt-in and will not be enforced upon all network users. Everyone can choose to make use of these new features or simply accept the malleability fix and block size increase.

Similarly to SegWit, Extension Blocks will be activated through a soft fork. It will also increase the block size immediately, just like Bitcoin Unlimited would do. Further block size increases can be accommodated through additional soft forks. More importantly, Extension Blocks provide a clear path for future innovations, including compatibility with the Lightning Network, MimbleWimble, and Rootstock. However, there are some drawbacks to this proposal, as can be seen in this lengthy post.


Top 5 Cryptocurrency Prediction Markets – The Merkle

Prediction markets are quickly becoming one of the hottest commodities in the world of bitcoin and cryptocurrency. Giving everyone in the world the option to wager on any type of event is an intriguing concept. Moreover, it goes to show harnessing the wisdom of the crowd can potentially lead to more precise results. Below are some of the top cryptocurrency prediction markets to keep an eye on.

It is possible a lot of people have never come across the Bitbet platform before. Anyone looking into prediction markets will be somewhat familiar with the platform, as they offer anonymous betting and trading. Users can add their own events, ranging from politics to sports. All funds are stored in a cold wallet for added security. However, the platform looks a bit unprofessional, which may turn off some people.

When it comes to finding a convenient prediction market platform, BetMoose checks all of the right boxes. They even offer two-factor authentication, which is a positive development. Creating events takes a few seconds, and users can even earn a portion of revenue for creating an event. Mobile users may have a bit of a hard time navigating the site, though, although the developers are working on improvements.

It has to be said, Fairlay is perhaps one of the most comprehensive platforms when it comes to trading events. Signing up for an account and creating new events takes mere seconds, which is a positive sign. However, it appears Fairlay is not accessible by UK residents. Although the site layout is a bit basic, it looks better compared to BitBet. It is also worth noting Fairlay operates on a zero-fee structure.

Hivemind is one of the few open source peer-to-peer oracle protocols in the prediction market industry. The platform also allows for anonymous payments, which is quite appealing to specific users. For now, Hivemind is accessible on Windows and Linux, although mobile support is on the horizon. The only downside is how everyone who wants to partake in this prediction market needs to install and run the software client. Then again, not having a centralized front-end is a big bonus.

Hardly anyone will dispute the fact Augur is the market leader when it comes to cryptocurrency-based prediction markets. The million in funding raised during their token sale has certainly been put to good use. Augur uses the Ethereum blockchain, making them one of the very few prediction market platforms to do so.

Moreover, Augur ensures all of the funds are stored in smart contracts, which self-execute. Not having to trust a third party with funds is incredibly valuable. Augur is also open source, and features many different trading events. For the time being, Augur remains in beta, and it appears their mobile app may need a bit of tweaking moving forward. Other than that, Augur is by far the go-to platform for cryptocurrency-based prediction markets.


Cryptocurrency Exchange Poloniex Suspends Services In Washington State – Live Bitcoin News

Cryptocurrency exchanges are continually met with much harsher and stricter regulatory requirements than ever before. Poloniex, the world's largest altcoin exchange, is forced to halt operations in the state of Washington. That is a rather surprising turn of events, yet it appears new regulation is forcing the company's hand.

According to the email sent out to all Poloniex users, the company is forced to halt operations due to regulatory concerns. It appears the Washington State Department of Financial Institutions' regulation has forced Poloniex to suspend its business activities in the state until further notice. Whenever such an announcement is made, it is unlikely services will be resumed anytime soon.

This means all Poloniex users in Washington will no longer be able to trade bitcoin and altcoins on the platform moving forward. Verified Washington residents have 14 days to close any open orders and make sure they withdraw funds from the exchange. It is important to note that all accounts will continue to operate as normal during this period, yet it is advised not to store funds on the platform longer than needed.

Once the date of April 21st comes around, all Washington-based Poloniex accounts will be suspended automatically. Users can still log in, yet it becomes impossible to place orders, deposit funds and withdraw money. In fact, the platform will become useless, as all users can do is check charts and update their account information. Anyone who still has funds in their wallet by that time will need to open a support ticket to get the money out.

Unfortunately, it is not the first time cryptocurrency exchanges have to take drastic action due to horrible regulation. Poloniex is confident they will make a return to Washington state at a future date, although it is doubtful that will happen anytime soon. Poloniex is one of the handful of exchanges suspending their services in the state, and it is believed others may follow.


About JP Buntinx

JP is a freelance copywriter and SEO writer who is passionate about various topics. The majority of his work focuses on Bitcoin, blockchain, and financial technology. He is contributing to major news sites all over the world, including NewsBTC, The Merkle, Samsung Insights, and TransferGo.



Utilizing Cloud Computing for Stronger Healthcare Data Security – HealthITSecurity.com


As healthcare providers continue to make the switch to digital records and implement EHR capabilities, being able to store information offsite is becoming more important. The digital data also likely needs to remain accessible from multiple locations, which further underlines the need for strong healthcare data security measures.

Cloud computing for healthcare is quickly evolving into a key area for covered entities, as providers are seeking out the best option to keep ePHI secure and not hinder daily operations.

Healthcare providers need to understand the potential cloud computing security concerns, but they should also be aware of the benefits this digital option can bring. Finding a secure solution that does not disrupt physician or staff workflow is key, and it is not an impossible feat for covered entities.

Vice President of Commercial Operations & Chief Security Officer for IBM Watson Health Carl Kraenzel told HealthITSecurity.com that the implementation of cloud computing creates both challenges and surprise opportunities for healthcare organizations.

He explained that he has encountered many clients and partners who have struggled with the idea of the cloud, and worried that it might not be as secure or as compliant as they needed.

I've found that originally there were a lot of people reluctant to get on the cloud for the unknowns associated with that, Kraenzel stated. Fast forward to where we are today, and the majority of businesses in healthcare and outside of healthcare are now familiar with the cloud.

I'm seeing more of a tendency for people to look for clouds that they know have those capabilities already for them. It's difficult and challenging to add security capabilities and compliance capabilities within homegrown IT.

Healthcare organizations must also keep up with the changes, such as malware, other cybersecurity threats, and regulatory alterations in a global setting, he added.

Over the last 10 years roughly, there has been a radical change in how clients and partner chief security officers approach cloud vendors, Kraenzel said. Instead of being afraid of cloud, they now expect cloud to give them a better alternative than doing it on their own.

Foley Hoag attorney Colin Zick explained to HealthITSecurity.com that cloud computing has been around for some time, and it is not a new notion for data to be stored on remote servers. The sooner that people stop thinking about the cloud as a new concept, the better off they will be.

By and large, particularly with the established providers of cloud services (Microsoft, Google, Amazon), they devote incredible resources to their services, Zick stated. They devote incredible resources to security for those services. Why? Because their reputation is based on it.

In contrast, physical records are difficult to track or replace if they are stolen, he noted. Organizations may not be sure if an unauthorized individual walked off with records or not, as there is no way to trace that.


When you think about that in a comparative sense, most anything electronic can be traced and it can be reproduced, Zick stressed. Even if it is improperly accessed. This is an enormous development above where things were.

Zick did recommend that as entities start to look into storing information remotely, they find a vendor that knows what it is doing.

Look at the services agreement, he urged. Understand exactly what the scope of the services is, who's responsible for what, who's indemnifying who, who has insurance, and what your rights to access are with data of backups, and what their rights are to access.

Zick added that the attitude of cloud service providers has also changed over the years, and they now have a greater understanding of what being a HIPAA business associate means.

The good news is that the cloud providers have gotten the message, and they now will sign HIPAA [business associate agreements], he explained. They may not negotiate their HIPAA BAA, but it's progress. You can get the appropriate HIPAA BAA protection if you are a HIPAA-covered entity in terms of getting things in the cloud. But like anything, you've got to do your diligence.

Cloud computing can help healthcare organizations improve the strength of tried and true, repeated controls and technologies, noted Kraenzel.

There still is a knee-jerk tendency of people to hear cloud, think public cloud, and think their stuff will be mixed with that of other organizations, he explained. But increasingly, the understanding of multi-tenant, secure, encrypted clouds has created an awareness for all enterprises and healthcare and life sciences providers that there is great benefit of trust, repeatability, and auditability.

Kraenzel used an example of a tenth tenant in a cloud that already has HIPAA and GXP capabilities proven and supporting other production clients. As long as that organization can have that auditability and verifiably show that their data and their activity is kept separate from other tenants, then the cloud now is a better place than a home-grown deployment.

That entity can point at the repeatability and the shared advances in protective technologies that are going in for all the other tenants.

That rigor and robustness allows them to both inspect for the better capabilities that they'd like to see, but also have an assurance that these controls have been stretched, vetted, and tested by multiple other parties, Kraenzel stated.

The 21st Century type of security thinking has also evolved, he pointed out. Previously, the mindset was to go at it alone. Now, there is a great awareness of the importance of cooperative technology and controls.


Dell Cloud Client-Computing Vice President and Chief Strategy Officer Jeff McNaught told HealthITSecurity.com that HIPAA regulations tend to drive everything that healthcare does with patient data. Cyber criminals have also turned to medical records as a primary source for their activity, and certain doctors have even reported payments to insurance companies that never occurred.

What happens is the patient now has the record of these procedures being performed in the insurance records, McNaught explained. That affects the patient's medical history and now corrupts that patient's medical history in terms of the insurers and healthcare providers that they speak to after that. One way to prevent that is by better protecting the electronic medical records from attack.

An increasingly popular way to better protect that data is by positioning all that information in a virtual desktop infrastructure (VDI) server, McNaught stated.

It's supported by companies that you already know: Citrix and Microsoft and VMware, he said. Then we access those servers where all the software is running and all the data is stored with these Thin Client devices. The key to doing a great Thin Client is you want to make it really, really fast so that the experience that someone using one gets is identical to what they get with a PC.

McNaught added that organizations need to ensure that this approach is secure. This can be done by relying on the storage and the processing power of the cloud and not having that sensitive data stored on the local device.

The reality is that as healthcare becomes more and more electronic, it's our job as industry leaders to help protect your and my data from being incorrectly used, said McNaught. It is our job to keep our customers in healthcare out of harm's way in terms of the regulatory requirements.

There are common cloud security concerns for the healthcare and life sciences industry, as well as other sectors, Kraenzel noted.

Cloud or not, everyone is concerned about insider threats, phishing, and other vectors toward data breaches because of the increasing realization that the classic perimeter defense is highly insufficient, he stressed.

Citing the large-scale Yahoo data breach, Kraenzel explained that approximately 1 billion accounts being hacked likely caused worry across multiple industries.

I know that I, and other officers in the healthcare industry, are worried how many of those users are in healthcare or life sciences? How many use some variant of the same password or secret questions on their work accounts? he inquired.

With cybersecurity attacks such as phishing, or other credentialed breaches, Kraenzel pointed out that there is a great worry that the bad guys are already able to get into a network, or through the perimeter.

With that great worry, combined with general uncertainties about the scope of insider threats, people within the industry are looking for what they can do, he stated. People want to know what they should do in the worst-case assumption that the bad guys are already through the door? How do you protect your assets and your clients' data, patients' data, in that worst-case assumption?

Sidley Austin LLP Partner Anna Spencer pointed out potential HIPAA violation concerns that may arise with the use of cloud computing.

One of the most important things for providers to remember is that cloud providers are business associates, Spencer told HealthITSecurity.com.

There was a lot of confusion about the status of cloud computing companies and whether they qualified as business associates, particularly where the data was encrypted in what we'll call end-to-end, she stated. That means at no point did the cloud provider actually view the data.

OCR has also clarified that those entities are business associates, even if there is end-to-end encryption, Spencer noted, citing OCR guidance from 2016 on cloud computing.


Healthcare organizations need to make sure that they are getting a business associate agreement with their cloud computing vendor, she added.

Collaboration between the covered entity and the cloud provider will also be key, Spencer explained. The two parties need to ensure ePHI is being secured properly and understand where the customer might control who has access to the data, or who can view it through an authentication requirement.

It's clear from the guidance that covered entities need to work with their business associate cloud service providers to work in a way that's going to promote the security of the information, Spencer stated.

She noted one aspect of the OCR guidance that covered entities should heed. If the cloud service provider recommends that the customer implement certain security features and the customer refuses, then the cloud service provider is not responsible for the compliance failures. The compliance failures are then solely attributable to the customer, Spencer pointed out.

If there is a breach or a compliance review, and they find these compliance failures, the implication is that they will take action against the covered entity and not the cloud service provider, Spencer said. This just puts an emphasis on working together to achieve compliance.

Kraenzel recommended that to ensure strong cloud security, organizations should focus on a few key areas. Going beyond the foundational basic tenets of protect, detect, and respond is essential.

Cognitive intelligence, which is what Watson Health utilizes, can help protect the inside of a perimeter. This is a key piece to protecting the inside of the cloud, he said.

Another piece of protecting it is to deploy a combo of encryption key management that is tied with a blast radius analysis, he suggested. By that I mean, you don't put all of your data underneath one encryption key.

Encrypting data should be a baseline measure, he added. However, using multiple encryption keys will help organizations keep their data more secure. That way if one key is compromised, not all of the data is compromised.

You have to have sophisticated, well-oiled key management linked to how your cloud is operated, Kraenzel said.
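The per-partition key scheme Kraenzel describes, as an added example that is not from the article or from IBM Watson Health: each tenant or data class gets its own independently generated key, and a blast-radius function reports how many stored records an attacker holding a given set of keys can actually read. The cipher is a constructed HMAC-SHA256 stream cipher with an authentication tag so the script runs on the Python standard library alone; a production system would use a real AEAD (AES-GCM) and a key management service instead.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode, a constructed stand-in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under one partition key; output is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    # Verify the tag first; a wrong key or a tampered blob yields None rather than garbage plaintext.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class PartitionedStore:
    # Records grouped by partition (tenant, data class, ...), each partition under its own key.
    def __init__(self, partitions):
        # Keys are generated independently, not derived from one master, so one leak reveals nothing about the rest.
        self.keys = {p: os.urandom(32) for p in partitions}
        self.records = defaultdict(list)

    def put(self, partition: str, record: bytes) -> None:
        self.records[partition].append(encrypt(self.keys[partition], record))

    def blast_radius(self, compromised_keys) -> tuple:
        # (exposed, total): how many stored records an attacker holding these keys can read.
        blobs = [b for group in self.records.values() for b in group]
        exposed = sum(any(decrypt(k, b) is not None for k in compromised_keys) for b in blobs)
        return exposed, len(blobs)

def demo() -> dict:
    # Same 12 constructed records under one key versus three partition keys, one key leaked each time.
    results = {}
    for layout in (["all"], ["tenant-a", "tenant-b", "tenant-c"]):
        store = PartitionedStore(layout)
        for i in range(12):
            store.put(layout[i % len(layout)], f"ePHI record {i}".encode())
        leaked = next(iter(store.keys.values()))  # attacker obtains exactly one key
        results[len(layout)] = store.blast_radius([leaked])
    return results  # {1: (12, 12), 3: (4, 12)}
```

Splitting further (per tenant and per data class, or rotating keys per time window) shrinks the exposed fraction accordingly, at the cost of more keys to manage, which is the trade-off the key management system has to absorb.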

Decoy techniques can also aid organizations. Even if cyber criminals are able to penetrate a perimeter, they do not necessarily find what they are looking for. Layers of deception can divert an insider threat to the wrong content.

For healthcare and life science compliance, Kraenzel explained that there is a lot of evolution ahead that will be happening both in the US and globally.


All participants involved in compliance (the IT team, the security team, the compliance team, the vendor) need to go back to a clear-eyed interpretation of the regulations that form the basis of a policy.

Policies are frequently formed at an institutional or corporate level, and formed by really good compliance people at a certain point in time, Kraenzel said. Then those policies are used as a checkmark list, by say the procurement team or other groups downstream.

While organizations do need to verify that they are compliant, there must be a living interpretation of that document, he stressed.

If they stay static too long, then a company will get stuck in an old interpretation of something, such as data locality, Kraenzel maintained. If they stay stuck in an old compliance interpretation, they can fall behind competitively and they can fall behind on protecting themselves against new risk factors.

Old compliance interpretation can also prevent an organization from adopting cloud for no good reason, Kraenzel added. That entity's competitors might be adopting the cloud, or the industry is, but that organization is lagging behind.

Lagging behind presents business and security risks, Kraenzel stated. There's plenty that's changing and the compliance team needs to be part of leading the change. Excellent compliance teams get out there and are fighting for the new interpretation that still protects patients, company data, and governmental interests.


How I made my own VPN server in 15 minutes – TechCrunch


TechCrunch
How I made my own VPN server in 15 minutes
TechCrunch
While Algo VPN makes it easier to set up a VPN server on DigitalOcean, AWS, Microsoft Azure and Google Cloud, I also tried using it with Scaleway to see if you could use it on any hosting provider. And it worked perfectly fine on the smallest Ubuntu ...
