69 Twitter Facebook Email

The measure was inserted into a defense appropriations bill and approved on a voice vote.

The measure was inserted into a defense appropriations bill and approved on a voice vote.

by Justin Elliott ProPublica, June 20, 2014, 12:17 p.m.

ProPublica investigates the threats to privacy in an era of cellphones, data mining and cyberwar.

Enable Social Reading

An amendment designed to bar the National Security Agency from undermining encryption standards was approved by the House last night.

The move follows reporting last year by ProPublica, the Guardian, and the New York Times on the NSA's efforts to weaken encryption, including by influencing the development of standards by the National Institute of Standards and Technology. The stories were based on documents provided by Edward Snowden.

The amendment, sponsored by Rep. Alan Grayson (D-Fla.) and similar to one he advanced last month, bars the NSA from using appropriation funds to consult with NIST in a way that undermines security standards.

It still has a way to go before becoming law: While the House is expected today to approve the full appropriations bill that the amendment is a part of, the Senate would have to pass the same text, and ultimately President Obama would have to approve.

Excerpt from:
House Adopts Amendment to Bar NSA From Meddling With Encryption Standards

Introduction

Encryption brings data into a state that cannot be interpreted by anyone who does not have access to the decryption key, password, or certificates. Though encryption does not restrict the access to the data, it ensures in case of data loss, then that data is useless for the person that does not have access to the decryption keypasswordcertificates. When you use encryption, there should be a maintenance strategy for passwords, keys, and certificates.

To meet the demands of regulatory compliance and corporate data security standards, SQL Server allows you to enable encryption at the columncell level or on the entire database level. You can even use file level encryption, provided by Windows for database files.

In my last article, Transparent Data Encryption (TDE) in SQL Server I talked about enabling encryption at the entire database level and in this article I am going to further discuss and demonstrate a more granular level or each individual cell level encryption in detail and how it differs from Transparent Data Encryption (TDE).

Transparent Data Encryption is applicable at the entire database level unlike granular or cell level encryption, which applies to a specific column of a table.

Transparent Data Encryption encrypts data in pages before it is written to the disk and decrypts when reading from disk at the I/O level. This means, data in the buffer pool remains there in clear text format whereas in the case of granular or cell level encryption you have more granular control data is encrypted when you use the EncryptByKey inbuilt function while writing and decrypts the data only when you use the DecryptByKey inbuilt function so that even if a page is loaded into memory, sensitive data is not in clear text. This means unlike Transparent Data Encryption in which the data in the buffer pool remains in clear text format, with cell level encryption even in the buffer pool data remains encrypted.

Transparent Data Encryption, as its name implies, is completely transparent to your application. This means literally no application code changes (only an administrative change to enable it for a database) are required and hence there is no impact on the application codefunctionalities when enabling TDE on a database being referenced by that application whereas in the case of Granular or Cell level encryption a code change is required. In the case of Granular or Cell level encryption, first you need to change the data type to VARBINARY data type from their original data type (re-cast it back to the appropriate data type when read) and then you need to manually use inbuilt functions to encrypt or decrypt the data.

Transparent Data Encryption performs the encryption in bulk at the entire database level whereas in the case of Granular or Cell-level encryption the performance impact will vary based on the number of columns you are encrypting or the amount of datarows each column contains, i.e. the more columns you encrypt the more overhead and performance penalties you will have.

Granular level encryption has higher performance penalties and administration costs as the encryption is always salted so the same data will have a different value after encryption. As a result, foreign key constraints and primary key constraints do not provide any benefit on these encrypted columns. Query optimization also gets impacted as indexes on these encrypted columns offer no benefits and as a result range and equality searches turn into full table scans whereas with TDE your query can fully utilize indexes and avoid table scans.

Transparent Data Encryption was introduced in SQL Server 2008 and available in later versions for bulk encryption at the database file level whereas Granular or cell-level encryption was introduced in Microsoft SQL Server 2005 and available in later versions for encrypted data at column level.

Read more from the original source:
Granular or Cell Level Encryption in SQL Server

TrueCrypt remains the only option for securely importing and exporting data to and from the Amazon Simple Storage Service (S3) two weeks after the popular encryption software was abruptly discontinued by its creators, supposedly for security reasons.

According to Amazon Web Services (AWS) online documentation, TrueCrypt is the only device encryption supported by AWS Import/Export. On a separate page about AWS security, Amazon says that: AWS only ships devices out of AWS facilities if the device is completely erased or the device only contains data encrypted by AWS. For import jobs, we erase devices after job completion. For export jobs, we will always encrypt the data being exported onto the device. We use TrueCrypt software for encryption.

The authors of TrueCrypt, whose identities remain unknown, ended the project on May 28 with a sudden message warning users that using TrueCrypt is not secure as it may contain unfixed security issues. The projects homepage advised users to switch to encryption technologies integrated directly into modern operating systems like BitLocker Drive Encryption in recent versions of Windows or FileVault in Mac OS X.

TrueCrypt version 7.2, which can only be used to decrypt data, was released at the same time as the announcement about the end of the project, and all previous versions that included encryption functionality were removed from the projects repository.

The authenticity of the announcement has been questioned by some users and several possibilities were advanced, including that it was fake and posted by hackers or that the authors were identified by a government and forced to shut the project down.

The Open Crypto Audit Project (OCAP), a community initiative that was in the process of analyzing the security of TrueCrypt when its development was discontinued, set up a repository this week with verified builds and source code for TrueCrypt 7.1a, the last version of the software to include encryption.

OCAP plans to complete its TrueCrypt audit, which is now in phase two and involves analyzing the softwares cryptographic functions. The first phase, which involved searching for vulnerabilities in the programs critical components like its Windows kernel code, the bootloader and the filesystem driver was completed in April with no critical issues being identified.

Amazon.com did not immediately respond to an inquiry seeking information on whether it plans to support other data encryption technologies for the AWS import/export feature aside from TrueCrypt in the future.

Lucian Constantin writes about information security, privacy and data protection. More by Lucian Constantin

More here:
Amazon AWS continues to use TrueCrypt despite project's demise

A new report shows that Al Qaeda and associate firms are using new encryption software in a bid to defy US intelligence tracking.

The report from an intelligence firm called Recorded Future states that since 2007, Al-Qaeda's use of encryption technology has been based on the Mujahideen Secrets platform which has developed to include support for mobile, instant messaging, and Macs.

Following the June 2013 Edward Snowden leaks about the National Security Agency's intelligence programme, the study also reveals an increased pace of innovation, specifically on new competing jihadist platforms and three major new encryption tools from three different organizations - GIMF, Al-Fajr Technical Committee, and ISIS - within a three to five-month time frame of the leaks.

Al-Qaeda (AQ) has been using encryption technology in various forms for a long time. The original Mujahideen Secrets is the most common one, but recently there have been multiple new encryption products as well as adaptations to new platforms like mobile, instant messaging, and Mac.

"The nature of these new crypto products indicates strategy to overlay stronger and broader encryption on Western (mainly US) consumer communication services. We do not find evidence of abandonment of US-based consumer communication services. Likely risks are still greater to hide outside the consumer crowd, and non-US-based services may be exposed to even stronger lawful intercept," stated the study

The Recorded Future timeline also laid out key developments from 2007 to date and according to them, the original Mujahideen Secrets (Asrar al-Mujahideen) encryption software launched in 2007 was primarily for use with email. Asrar has had multiple releases over time and is distributed by the Global Islamic Media Front (GIMF).

The second crypto Development was Asrar al-Dardashah, released by GIMF in February 2013, which is an encryption plugin for instant messaging based on the Pidgin platform - which connects to major US-based platforms. Later on, GIMF released Tashfeer al-Jawwal in September 2013 based on Symbian and Android and is a mobile encryption program.

Asrar al-Ghurabaa is yet another alternative encryption program, however importantly, released in November 2013 by Islamic State Of Iraq And Al-Sham (ISIS), which coincides with ISIS breaking off from main AQ after a power struggle and Amn al-Mujahid is an alternative encryption program released in December 2013. In this case from Al-Fajr Technical Committee (FTC) which is also a mainstream AQ outfit.

Visit link:
Kenya: Al Qaeda Using New Encryption Software to Defy U.S. Intelligence Tracking