Developers of the popular Enigmail email security extension for Thunderbird have fixed several issues that could have exposed messages users believed to be encrypted.

Enigmail provides a graphical user interface in the Mozilla Thunderbird and SeaMonkey programs that allows users to digitally sign and encrypt email messages using the OpenPGP standard.

The Enigmail Project released version 1.7.2 of the extension on Aug. 29 and briefly noted that the release fixes several important bugs. The changelog did not contain additional details about the impact of the fixed issues, but included a link to the projects external bug tracker.

In addition to several non-security issues, the bug tracker lists a number of addressed bugs that could have serious security implications for users of the older Enigmail 1.7 version. One of them causes emails to be sent in unencrypted form when only BCC (blind carbon copy) recipients are specified.

Another issue causes drafts to be saved in plain text when writing a new email even when the email is marked for encryption automatically. If the IMAP protocol is used, the unencrypted drafts can be synchronized with the email server, exposing potentially sensitive information.

This behavior only happens when the system selects an email for encryption automatically based on an existing per-recipient rule or when the recipients public key exists in the local key store. If the email is manually marked to be encrypted (e.g. by clicking the yellow key symbol on the bottom-right) the drafts are correctly encrypted before being sent to the IMAP server, the bug entry notes.

Another bug can cause an incorrect encryption or signing status message to be displayed when composing a reply. This especially happens if the compose window is not opened for the first time, another entry on the bug tracker notes.

A fourth issue that has been addressed can cause an upgrade from Enigmail 1.6 to 1.7 to break encryption. Email messages wont be encrypted if the per recipient setting is disabled under Key Selection, despite other key selection mechanisms like by email and manual if missing being enabled.

When confirmation dialog is enabled you can even see that Enigmail wants to send an email unsigned/unencrypted despite having selected forced encryption, the corresponding bug entry says. Otherwise it is silently sent unencrypted.

An Enigmail user who reported one of the encryption failures in version 1.7 on the projects support forum described the situation as the biggest imaginable catastrophe.

See original here:
Encryption failures fixed in popular PGP email security tool Enigmail

Porticor Adds Software-Defined Encryption Key Management to nScaled's Leading IT BCDR Platform for Complete Protection of Replicated Data in the Cloud

CAMPBELL, Calif., and SAN FRANCISCO Porticor and nScaled today announced the industry's first joint solution integrating software-defined homomorphic encryption key management to protect customers' cloud information and applications replicated for IT Business Continuity and Disaster Recovery (BCDR).

Porticor is a leading cloud data security company delivering the only cloud-based key management and data encryption solution that infuses trust into the cloud and keeps cloud data confidential. nScaled is a provider of automated, integrated IT Business Continuity and Disaster Recovery (BCDR) solutions.

nScaled's Disaster Recovery as a Service (DRaaS) platform replicates data, servers, operating systems and applications to protect and deliver critical IT services to users in case of a man-made or natural disaster, equipment failure or data loss. nScaled's DRaaS hybrid cloud solution ensures that replicas are up to date at all times, including both the data and the "virtual machine images" of the code that runs the applications. Forrester Research, Inc., named nScaled a Leader in The Forrester Wave: Disaster-Recovery-As-A-Service Providers, Q1 2014.

Porticor adds key management and encryption to nScaled's solution. Integrated into nScaled's physical and virtual appliance, Porticor encrypts the data store of each application backed up by nScaled's solution seamlessly and transparently. Porticor is also implemented on nScaled's cloud, ensuring that any data replicated to the nScaled cloud is also encrypted. The result is multifaceted, data-at-rest and in-transmission encryption solution that protects information at the customer's data center and in the cloud.

"We are in the insurance business so clients share personal and account information about their employees with us," said Aatash Patel, IT Director at Covala Group, a leading enroller and administrator of voluntary, supplemental individual disability benefits for large employers. "With nScaled in place serving our disaster recovery needs, we needed a private cloud data encryption solution that was high performing and compatible with our VMware environment. Porticor has been our answer to protect clients' confidential information, and help us meet their compliance requirements. We spun up Porticor with nScaled in our cloud without any technical training, and support has been very helpful at both companies. I am very happy with what both vendors are doing together so far."

For a white paper on the partnership and joint solution now available, see http://www.porticor.com/porticor-nscaled-secure-dr/.

"Business continuity and disaster recovery have been one of the most successful services offered through the cloud model, and nScaled delivers the industry's leading automated and integrated solution," said Mark Jameson, VP of Worldwide Sales and Product Strategy at nScaled. "Together with Porticor we are providing the most secure and reliable Disaster Recovery as a Service (DRaaS) to protect customer's data and applications."

"Cloud providers, including providers delivering DRaaS, offer a shared responsibility' model for the security and protection of customer applications and data," said Gilad Parann-Nissany, Porticor founder and CEO. "Now that we have teamed with nScaled, customers can be assured that their applications and information will be available and safe from loss due to disasters and cloud data security threats."

Cloud data encryption provides an effective layer of protection against new cloud security challenges, including internal cloud data center threats, information protection in a shared environment, and compliance requirements which mandate information to be secured both on premises and in the cloud. The challenge created is not in encrypting the data, but with managing the encryption keys. To provide secure cloud management of encryption keys for outsourced data center services to the nScaled cloud, Porticor uses a highly sophisticated and patented approach split key encryption and homomorphic key management.

Continue reading here:
Porticor and nScaled Deliver Secure and Compliant Business Continuity and Disaster Recovery ...

Significant money is at stake and in need of protection in the Payment Card Industry (PCI). The global payment card industry covers several sectors: banks and financial institutions (acquirers), issuers, processors, service providers, merchants carrying out transactions online and via point of sale terminals in bricks and mortar stores, large and small.

PCI SecurityThe PCI Security Organizations Data Security Standard (DSS) applies to your business if you store, process or transmit cardholder data (CHD). The PCI supply chain is not an isolated entity. It needs to protect itself well beyond its own

perimeter fences. This is because business entities also need to protect the billions of people every day that key in their Personal Identity Numbers (PINs) and other personal data as they trade or carry out transactions in store or over the Internet, from fixed and mobile devices using payment cards. Increasingly, commerce takes place via mobile devices over wireless networks, with the card itself rarely being physically present at the store.

As credit and debit cards are used more and more, checks are disappearing in many economies. In a mobile, electronic, global world, the payment card industry continues to grow. In May 2014, for example, 47.1 billion was spent in the United Kingdom on cards of all types (credit and debit), a 7.5% annual growth in spending rates over May 2013, at a time where the countrys economy is a long way from recovery.

Its not surprising therefore that the payment card industry attracts people of malicious intent.

PCI-DSS Encryption RequirementsIn this reality, if your business occupies any of the nodes in the payment card supply chain, you must comply with the 12 core requirements of PCI-DSS to keep perpetrators of payment card fraud at bay. You will need to ensure you have the same levels of protection, and thus of PCI-DSS compliance, in the cloud and in your data centers. In addition, you must make sure that all third-party service providers you use are fully PCI-compliant.

Several of the 12 PCI-DSS requirements are relevant for cloud security. However, on this occasion, well single out those sections of requirement number 3, which relate specifically to the protection of stored cardholder data. As youll see below, you can comply with these requirements by using Porticors data encryption and cloud key management system.

PCI-DSS Encryption: Requirement 3Requirement 3.4, for example, states that you must make sure that Primary Account Numbers (PANs) are unreadable, wherever they are stored. Our solution ensures your compliance here thanks to strong hashing (SHA-2) and AES-256 encryption, augmented by robust encryption key management.

You must not tie decryption keys to user accounts, regardless of whether you encrypt at the disk, file- or column-level of the database, nor must you allow access to the cryptographic key by native operating systems. Your compliance is assured on both points with Porticors key management algorithm, which by default splits the key. This keeps it independent of the OS, as well as administrators and service providers in your supply chain. In other words, access is limited to very few custodians and, always acting together, rather than any one on their own, ensures your compliance with requirements 3.5.1 and 3.5.2.

Continued here:
@CloudExpo | PCI-DSS Encryption Requirements