Key management is the biggest pain of encryption

Most IT professionals rate the pain of managing encryption keys as severe, according to a new global survey by the Ponemon Institute.

On a scale of 1 to 10, respondents said that the risk and cost associated with managing keys or certificates was 7 or above, and cited unclear ownership of keys as the main reason. “There’s a growing awareness that the security benefits of encryption really accrue from the keys,” said Richard Moulds, vice president of product strategy at Thales e-Security, the sponsor of this report. “The algorithms that encrypt the data are all the same — what makes it secure is the keys.”

But as organizations use more encryption, they also end up with more keys, and more varieties of keys.

“In some companies, you might have millions of keys,” he said. “And every day, you generate more keys and they have to be managed and controlled. If the bad guy gets access to the keys, he gets access to the data. And if the keys get lost, you can’t access the data.”

Other factors that contributed to the pain were fragmented and isolated systems, lack of skilled staff, and inadequate management tools. And it’s hurting worse than before. “The proportion of people that rate it as higher levels of perceived pain is higher than last year,” said Moulds.

One reason that pain is increasing could be that encryption is becoming more ubiquitous, he said, embraced by industries and companies new to the challenges of managing keys and certificates.

According to the survey, which is now in its 10th year, the proportion of companies with no encryption strategy has declined from 38 percent in 2005 to 15 percent today. Meanwhile, the share of companies with an encryption strategy applied consistently across the entire enterprise has grown from 15 percent to 36 percent. The biggest growth last year was in healthcare and retail, two sectors hit by major public security breaches.

In the health and pharmaceutical industry, the share of companies with extensive use of encryption jumped from 31 to 40 percent. In retail, it rose from 21 to 26 percent. However, for the first time in the history of the survey, the proportion of the IT budget going to encryption has dropped. Between 2005 and 2013, it climbed steadily from 9.7 percent to 18.2 percent, but dropped to 15.7 percent in this year’s report.

The biggest driver for encryption was compliance, with 64 percent of respondents saying that they used encryption because of privacy or data security regulations or requirements.

Avoiding public disclosure after a data breach occurs was only cited as a driving factor by 9 percent of the respondents. Data residency, in which some countries allow protected data to leave national borders only if it’s encrypted, didn’t even make the list.

“It didn’t rank as high on the list of motivators as you would have thought,” said Moulds. “But data residency is an increasing driver, and I think it’s going to be a big driver in the future.”

DHS Chief Says Encryption Threatens National Security

Department of Homeland Security (DHS) secretary Jeh Johnson wants the government to work more closely with tech companies on security issues, but he also wants them to dial back their security encryption efforts. Johnson made his comments Tuesday in front of a packed house at the RSA conference in San Francisco, one of the world’s largest annual cybersecurity gatherings.

Johnson defended the Obama administration’s ongoing stance, maintaining that tougher encryption by tech firms imposed in the wake of the National Security Agency’s spying scandal will make it tougher to stop crime.

“The current course we are on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security,” he said. “Encryption is making it harder for your government to find criminal activity, and potential terrorist activity.”

President Barack Obama has spoken out in support of strong encryption, but has also advocated for a legal framework that gives government access to data. Officials at the FBI, DHS and the National Security Agency have been more direct about limiting encryption. They fear encryption has created situations that prevent government agencies from accessing digital data even when armed with warrants.

“Let me be clear,” Johnson said. “I understand the importance of what encryption brings to privacy. But, imagine the problems if, well after the advent of the telephone, the warrant authority of the government to investigate crime had extended only to the U.S. mail.”

Nightmare Scenario

We reached out to John Kindervag, vice president and principal analyst at Forrester Research Inc., who told us Johnson’s proposal was a “nightmare scenario.”

“In the digital age everyone is going to have to live with the reality that most data should be encrypted,” said Kindervag. “It is too dangerous to try to figure out ways to put back doors into systems that only governments can access. Shouldn’t we have learned something from the Snowden debacle?”

Justice Department officials warned Apple last fall that children will die if police aren’t able to get into suspects’ iPhones because of the company’s encryption. As Johnson told the RSA crowd, “Our inability to access encrypted information poses public safety challenges.”

The White House is preparing a report that will outline various options to ensure law enforcement can bypass encryption during criminal or national security investigations. That report is expected later this month.

“We in government know that a solution to this dilemma must take full account of the privacy rights and expectations of the American public, the state of the technology, and the cybersecurity of American businesses,” Johnson said.

An Old Story

Kindervag said similar tension has existed since the early days of the widely used e-mail encryption software Pretty Good Privacy, when co-founder Philip Zimmermann had to fight the government regarding encryption. That’s because the government held that U.S. export restrictions for cryptographic software were violated when PGP spread worldwide. The government dropped its investigation into Zimmermann’s practices in 1996.

“The assumption of some governmental entities that they can gain omniscience through surveillance just doesn’t work anymore,” said Kindervag. “There is massive amounts of data that belong to private citizens that should not be read by other entities without the citizens’ direct permission.”

Google is Keeping the NSA Out of Your Data, Eric Schmidt Brags

Google (GOOGL) Chairman Eric Schmidt boasted on Wednesday about how improving the encryption of Google’s products has successfully shut out warrantless surveillance by the NSA and other law enforcement. Schmidt talked about the encryption advances, and how former NSA contractor Edward Snowden’s leaks prompted them, at BoxDev, a yearly developers conference for Box.

“When the Snowden revelations came out, we were very, very upset,” Schmidt told Aaron Levie, CEO of Box. “They never said anything to us. So we embarked upon a program to fully encrypt the information that our customers entrusted to us.”

Encryption makes it very difficult or impossible for information passed electronically to be deciphered, either by the NSA or even by the company doing the encryption. Snowden’s leaks showed how the NSA uses warrantless mass surveillance of metadata, which Schmidt argued went beyond proper use of the Patriot Act. He and other tech company leaders started boosting their encryption to keep the security agencies from being able to read any email or communication without a warrant. Now encryption is not just a Google project, and it appears to be working.

“Apple and others did the same,” Schmidt said. “And we know our program works, because all the people doing the snooping are complaining about it.”

He’s right about that. FBI Director James Comey told Congress that they should ban phone encryption because of how it helps criminals get away with their crimes. The surveillance is part of what the tech and Internet industry wants to see changed in the Patriot Act and why they are hoping it won’t be renewed in its present form.

U.S. Secretary Of Homeland Security Warns About The Dangers Of Pervasive Encryption

In a speech at cybersecurity conference RSA, U.S. Secretary of Homeland Security Jeh Johnson outlined the government’s discomfort with increasing implementation of encryption by technology companies, and what impact the shift might have on national security.

While tech firms like Apple are advancing encryption to an increasingly broad set of consumer activities, the government is concerned that it could increasingly be locked out from the communications, and the intentions, of threats to national security.

Encryption, who should hold the controlling keys, and whether American technology companies should be compelled to provide special access to consumer data to the United States government are issues as old as they are controversial. The common argument against any weakening of encryption is that there are no unexploitable weaknesses: if Google were to craft a back or front door for the U.S. government, it would be impossible to keep that same entryway free from other parties.

After asking for “indulgence” and “understanding,” the secretary said during his remarks that the “current course [the technology industry] is on, toward deeper and deeper encryption in response to the demands of the marketplace, is one that presents real challenges for those in law enforcement and national security.”

In the secretary’s view, the nation’s “inability to access encrypted information poses public safety challenges.” Ignoring the mild irony behind that comment — why else would you choose to encrypt data? — the government employee continued: “In fact, encryption is making it harder for your government to find criminal activity and potential terrorist activity.”

Johnson concluded with a colorful description of privacy and freedom, calling them “the things that constitute our greatest homeland security.”

His remarks were very similar to President Barack Obama’s in an interview earlier this year with Re/code’s Kara Swisher. The president said that while he was more in favor of encryption than most in law enforcement, he also recognized the problems it posed for those agencies. Both Obama and Johnson spoke about the importance of privacy when facing tech-oriented audiences, but failed to take a strong stance in its defense.

The Homeland Security secretary weighs in on this issue as White House aides are investigating encryption and preparing to report back to the president this month. In a recent speech at Princeton University, NSA chief Michael Rogers argued law enforcement should have front door access with multiple locks. He argued government abuse of this access could be avoided by splitting multiple keys among separate agencies.

But Jeff Williams, the CTO of Contrast Security, tells TechCrunch that such an approach is impossible. He argued that it would be impossible for the government to create technology that would allow it front door access to all communications devices and splitting such a tool among agencies would be inefficient and ineffective. He also said a split key could still be thwarted by super-encryption.

“Frankly the cat is out of the bag on secure encryption,” Williams said.

Even with the upcoming report to the president, it is unlikely Obama will take any measurable stand for Americans’ privacy rights. The private sector and law enforcement have volleyed back and forth on this issue for decades, now reigniting the exact same debate we saw in the early 1990s over the Clipper Chip. We’ve seen the White House take very little action on limiting the scope of the American intelligence apparatus, even in the wake of high-profile leaks from Edward Snowden.

Why would it start now?

The private sector has to keep improving encryption, as customers — particularly those outside the United States — worry about surveillance. But as these companies work to keep threats out of these devices, we can be certain that our law enforcement agencies are working just as fast to break into them.

With little public scrutiny over this technical issue, politicians have little incentive to stand up for privacy. Even with high-profile remarks such as those from Johnson today, it’s likely we’ll continue to see more of the status quo.

Google and Yahoo Encrypting Ad Network Connections

Google and Yahoo in separate announcements said they will individually encrypt ad network connections to reduce bot traffic and other types of ad fraud. The news coincides with the release of Malwarebytes Labs findings last week. Researchers found malvertising in Flash ads involving the DoubleClick ad network.

The two companies have support. The Interactive Advertising Bureau (IAB) continues to push the adoption of HTTPS ads and support encryption. In March, the IAB put out a call for the industry to adopt encryption. The industry trade group said many ad systems support HTTPS, but a member survey suggests that only 80% support the protocol. They called on the entire advertising supply chain to adopt practices, from ad servers and beacons to data partners and brand safety and verification tools.

Google said the majority of mobile, video, and desktop display ads on its Google Display Network, AdMob, and DoubleClick networks will become encrypted by June 30. Search on google.com is encrypted for a vast majority of users and the company continues to work toward encrypting search ads across its systems.

YouTube ads have been encrypted since the end of last year, along with all searches, Gmail, and Drive. By the end of June, advertisers using AdWords and DoubleClick will serve HTTPS-encrypted display ads to all HTTPS-enabled inventory.

Yahoo VP of Revenue Management and Ad Policy James Deaker describes in a blog post what he calls “perhaps the largest-ever transition to SSL encryption for any publisher with display ads.” Yahoo recently implemented an end-to-end encryption extension for Yahoo Mail, and strengthening security everywhere else along the advertising supply chain will help to create a safer Internet.

Next week, Yahoo will host a Trust UnConference in San Francisco, bringing together industry experts to discuss how to build safe products.

Encryption Uncoded: A Consumer’s Guide

Concerned by reports of hacking, data breaches and government spying, companies and consumers are looking for better ways to protect their data. Many are turning to encryption, a method of encoding messages that goes back millennia. Encryption is commonly used to secure online banking sessions and to protect credit-card data. But for the average computer user, it remains a mystery.

Here’s a brief guide to help readers unlock its secrets.

How does encryption work?

If you saw the recent movie “The Imitation Game,” you’ve seen a rudimentary, by modern standards, form of encryption. During World War II, the Germans used a machine to turn military messages into coded strings of symbols. These days, computers running complex mathematical formulas can do the same thing much faster, and the codes are much harder to crack.

What’s it used for?

If you’ve ever done banking online, you may have noticed a “lock” icon in the address bar, or that the bar turned green. That means the browser session is encrypted by your bank.

Consumers can download a growing crop of encryption tools for texting, browsing sessions and video and phone calls. Users usually must download an app or install software that scrambles messages as they are sent. (The recipient needs to be using the same app or software to unscramble the message.)

Apple has started encrypting personal data on its latest mobile operating system, iOS 8. This means an outsider who hacks into a device or into Apple’s servers would see a string of unreadable characters instead of actual messages or FaceTime videos.

Can I encrypt email messages?

Yes, but it’s tricky. Sender and receiver must use the same type of encryption. If you have encryption switched on, but the friend you’re emailing doesn’t have it, he or she won’t be able to read your message.

Since the revelations of former National Security Agency contractor Edward Snowden about electronic eavesdropping by the NSA, big tech companies have made moves to add encryption. Yahoo Inc. and Google Inc. both have announced plans to begin encrypting emails of users of their services, but the projects are moving slowly.

Can encryption really protect me from getting hacked?

Maybe. If a hacker obtains the encryption keys, or the formula that unlocks the code, all that encrypting was for naught. And that happens all the time in corporate data breaches, says Avivah Litan, a vice president and senior analyst focusing on security issues at market-research firm Gartner Inc. For example, as part of the 2007 breach at TJX Cos., hackers stole a TJX point-of-sale card-reader system and brought it home. The hackers were able to break the code used to encrypt card transactions and stole data from tens of millions of customer accounts.

How can I get started?

In addition to Apple’s built-in encryption in its new mobile devices, Android users can download WhatsApp, which encrypts text messages. WhatsApp, a company owned by Facebook Inc., says it is working on offering encryption for all communication sent between WhatsApp users, including images, audio and text.

A number of vendors—including Voltage Security Inc., Protegrity and RSA Security, a unit of Corp.—offer encryption of corporate data, including email and credit-card records. Silent Circle’s Blackphone is a phone for corporate users that can send encrypted voice calls, text, emails and other data—if both parties are using a Blackphone.

Why isn’t everything encrypted?

There are plenty of reasons. Encryption is time-consuming and difficult to implement. It’s hard to properly manage who has access to encryption keys, and it slows system performance.

Online Extortionists Are Using Encryption as a Ransom Weapon

Most of the time we discuss encryption as a way to protect ourselves online, but an increasingly popular form of digital attack uses it as an extortion tool. Criminals are stealing personal files, encrypting them, and holding them hostage until their targets pay for the decryption key.

A report from security firm Symantec details a sharp rise in “crypto-ransomware,” its term for this devious form of online crime, noting that these incidents were 45 times more common in 2014 than 2013, with over 340,000 people and organizations unable to access files that had been encrypted by extortionists. Usually the extortionists ask their targets to pay in Bitcoin on a website accessible by Tor.

To infect computers, would-be criminals will send malicious e-mail attachments that look like bills or invoices. If you are foolish enough to open the attachment, you’re snared. It’s possible we’re seeing a rise in crypto-ransomware attacks because phishing emails where you’re tricked into opening a malware attachment or bad link are a major way that people get hacked.

There’s a growing underground economy devoted to carrying out crypto-ransomware attacks, with groups like Cryptolocker and Cryptowall selling their services. Your main line of defense is backing up all your files, since you won’t need to pay to get them back if you can just restore them. There are also services popping up to thwart crypto-ransomware, like Decryptolocker, which used a version of Cryptolocker to figure out how to decrypt files that Cryptolocker holds hostage. A service called Cryptoprevent is designed to stop this type of ransomware from a variety of different attackers.

Ransomware is still a relatively rare and aggressive cybercrime, so the likelihood of someone crypto-ransoming your vacation photos is low. No need to panic. Much more common: Phishing attacks of all kinds. A security report released by Verizon today underlines how often people fall for them. With phishing attacks, prevention is even simpler than backing up your files: Just don’t click on sketchy shit!

The NSA wants a multi-part encryption key for “front door” access to your data

The US National Security Agency (NSA) appears to be increasingly concerned about the growing adoption of encryption and its ability to thwart the agency’s surveillance efforts.

Now, after months of debate with tech firms about government access to encrypted data on smartphones and other devices, the NSA has proposed a solution which it hopes will strike a balance between its desire to know everything about everyone and the average law-abiding citizen’s right to privacy.

According to The Washington Post, that solution – put forward by NSA director Michael S. Rogers – lies in a multi-part encryption key, created by various tech companies, which could unlock any device.

Speaking at Princeton University recently, Rogers said the key could be broken into several parts, meaning no one agency or company would be able to use it without the co-operation of the others:

“I don’t want a back door. I want a front door. And I want the front door to have multiple locks. Big locks.”

With the highly contentious Section 215 of the Patriot Act – legislation that has allowed mass eavesdropping from the security services – due to sunset on 1 June 2015, privacy rights groups and concerned members of the public have long been voicing their concerns about bulk data collection.

Add to that the fact that firms such as Apple, Google and Microsoft recently sent a letter to President Barack Obama which demanded an end to data collection, and you can probably see why the NSA is exploring more palatable alternatives.

The debate about encryption and government access comes about as tech companies continue to make customer privacy a key selling point for their products and services.

Companies like Apple – which recently took the decision to enable device encryption by default and made key promises to its customers concerning their privacy – are giving the NSA a real headache as the agency argues the need for government access to data to aid in the battle against crime and terrorism.

Edward Snowden, for his part, continues to lament the level of access the US government still has. At a secret meeting at this year’s South by Southwest festival he urged tech companies to foil surveillance efforts through the development of better privacy tools.

But Rogers firmly believes that his proposal for a ‘front door’ is both sound and justified, allowing for access as and when required, while keeping data safe from would-be hackers and other forms of attack.

Of course, his view is not universally shared – Donna Dodson, chief cybersecurity adviser at the Commerce Department’s National Institute of Standards and Technology, pointed out that a master key still presents a risk, even if it is broken into parts held by different parties:

“The basic question is, is it possible to design a completely secure system? There’s no way to do this where you don’t have unintentional vulnerabilities.”

Privacy advocates and industry officials alike are not convinced by Rogers’ proposal either. Marc Zwillinger, a former Justice Department official now working as an attorney for tech companies on encryption-related matters, told the Post that law enforcement should not have the undeniable right to access every means of communication between two parties. He added:

“I don’t think our Founding Fathers would think so, either.

“The fact that the Constitution offers a process for obtaining a search warrant where there is probable cause is not support for the notion that it should be illegal to make an unbreakable lock. These are two distinct concepts.”

Another Reason For Ubiquitous Web Encryption: To Neuter China’s “Great Cannon”

China’s web censorship machine, the Great Firewall, has a more offensive brother, researchers have declared today. Called the Great Cannon by Citizen Lab, a research body based at the University of Toronto, it can intercept traffic and manipulate it to do evil things.

In recent distributed denial of service (DDoS) attacks on code repository Github, the Great Cannon was used to redirect traffic intended for Baidu, the equivalent of Google in China, to hit two pages on the target site, including one that provided links to the Chinese-language edition of the New York Times. GreatFire.org, a website dedicated to highlighting Chinese censorship, was hit by a similar attack.

The Great Cannon only intercepts traffic to or from a specific set of targeted addresses, unlike the Great Firewall, which actively examines all traffic on tapped wires going in and out of China. According to Citizen Lab, in the recent DDoS hits, it intercepted traffic going to Baidu, and when it saw a request for certain JavaScript files on a Baidu server, it appeared to either pass the request on “unmolested”, as it did for 98 per cent of connections, or it dropped the request before it reached Baidu and sent a malicious script back to the requesting user, as it did nearly 2 per cent of the time. That malicious script would fire off traffic to the victims’ servers. With so many users redirected to the targets, the internet pipes feeding Github and GreatFire.org were clogged up, taking them offline. It was an effective, if blunderbuss, approach to censoring the targets.

But, as the researchers noted, the Great Cannon could be abused to intercept traffic and insert malware to infect anyone visiting non-encrypted sites within the reach of the attack tool. That could be done, said Citizen Lab, by simply telling the system to manipulate traffic from specific targets, say, all communications coming from Washington DC, rather than going to certain sites, as in the abuse of Baidu visitors. “Since the Great Cannon operates as a full man-in-the-middle, it would also be straightforward to have it intercept unencrypted email to or from a target IP address and undetectably replace any legitimate attachments with malicious payloads, manipulating email sent from China to outside destinations,” Citizen Lab added in its report released today.

The Great Cannon is not too dissimilar to QUANTUM, a system used by the National Security Agency and the UK’s GCHQ, according to the Edward Snowden leaks. So-called lawful intercept providers, FinFisher and Hacking Team, sell products that appear to do the same too, Citizen Lab noted.

But there’s one simple way to stop the Great Cannon and the NSA from infecting masses of users: encrypt all websites on the internet. The system would not be able to tamper with traffic that is effectively encrypted. The SSL/TLS protocols (which most users commonly use when on HTTPS websites rather than HTTP) drop connections when a “man-in-the-middle” like the Cannon is detected, whilst preventing anyone from peeking at the content of web communications.

There are some significant projects underway designed to bring about ubiquitous web encryption. Just this week, the Linux Foundation announced it would be hosting the Let’s Encrypt project, which seeks to make SSL certificates, which website owners have to own and integrate into their servers to provide HTTPS services, free and easy to acquire. It should be possible to grab these simple and (hopefully) secure certificates from mid-2015, though Josh Aas, executive director at the Internet Security Research Group (ISRG), which runs Let’s Encrypt, would not say when exactly. It has some serious backers, including Akamai, Cisco, Electronic Frontier Foundation and Mozilla.

It’s unclear whether Let’s Encrypt would provide certificates to Chinese sites. “The default stance is that we want to issue to everyone – but we will have to comply with US laws… our legal team is looking into it.”

“There’s a lot of the web that isn’t encrypted,” added Jim Zemlin, executive director at The Linux Foundation. “We think that’s a big deal for internet security.”

Europol chief warns on computer encryption

A European police chief says sophisticated online communications are the biggest problem for security agencies tackling terrorism. Hidden areas of the internet and encrypted communications make it harder to monitor terror suspects, warns Europol’s Rob Wainwright. “Tech firms should consider the impact sophisticated encryption software has on law enforcement”, he said.

A spokesman for TechUK, the UK’s technology trade association, said: “With the right resources and cooperation between the security agencies and technology companies, alongside a clear legal framework for that cooperation, we can ensure both national security and economic security are upheld.”

Mr Wainwright said that in most current investigations the use of encrypted communications was found to be central to the way terrorists operated. “It’s become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism,” he explained. “It’s changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore.”

Mr Wainwright, whose organisation supports police forces in Europe, said terrorists were exploiting the “dark net”, where users can go online anonymously, away from the gaze of police and security services.

Secret messaging

But he is also concerned at moves by companies such as Apple to allow customers to encrypt data on their smartphones, and the development of heavily encrypted instant messaging apps is another cause for concern, he said.

This meant people could send text and voice messages which police found very difficult or impossible to access, he said.

“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet. [Tech firms] are doing it, I suppose, because of a commercial imperative driven by what they perceive to be consumer demand for greater privacy of their communications.”

Surveillance

Mr Wainwright acknowledged this was a result of the revelations by former National Security Agency contractor Edward Snowden, who exposed how security services were conducting widespread surveillance of emails and messages.

He said security agencies now had to work to rebuild trust between technology firms and the authorities.

The TechUK spokesman told the programme: “From huge volumes of financial transactions to personal details held on devices, the security of digital communications fundamentally underpins the UK economy.

“Encryption is an essential component of the modern world and ensures the UK retains its position as one of the world’s leading economies.

“Tech companies take their security responsibilities incredibly seriously, and in the ongoing course of counter-terrorism and other investigations engage with law enforcement and security agencies.”

The programme also found evidence that supporters of the Islamic State (IS) are using encrypted sites to radicalise or groom new recruits.

On one blogging website, a 17-year-old girl who wants to become a “jihadi bride” is told that if she needs to speak securely she should use an encrypted messaging app. The family of 15-year-old Yusra Hussein from Bristol, who went to Syria last year, also believe she was groomed in this way.

Twitter terrorism

The extent of the challenge faced by security services is shown in the scale of social media use by IS.

Mr Wainwright revealed that IS is believed to have up to 50,000 different Twitter accounts tweeting up to 100,000 messages a day. Europol is now setting up a European Internet Referral Unit to identify and remove sites being used by terrorist organisations.

Mr Wainwright also says current laws are “deficient” and should be reviewed to ensure security agencies are able to monitor all areas of the online world. “There is a significant capability gap that has to change if we’re serious about ensuring the internet isn’t abused and effectively enhancing the terrorist threat. We have to make sure we reach the right balance by ensuring the fundamental principles of privacy are upheld so there’s a lot of work for legislators and tech firms to do.”