Windows Central

Beginner's guide to Windows 10 encryption Windows Central Encrypting a drive or a folder or a file generally means you have a single password that must be used in order to decrypt and access. Not only does this stop outside parties from hacking their way into your files, it also protects in the event that you ...

Read the original here:
Beginner's guide to Windows 10 encryption - Windows Central

Please enable Javascript to watch this video

LANCASTER, Pa. -- Lancaster County EMS officials fear they need to be concerned for their own safety. That's after county commissioners decided to encrypt police radio calls.

As soon as November, when the public, media or emergency responders listen to a police scanner or radio in Lancaster County, they may hear muddled voices.

EMS officials are now asking county commissioners to exempt them from police radio encryption, but they are in support of encryption so the public and the media can't hear all the calls.

Darrell Fisher, the president of the Lancaster County EMS Council said, "What we feel is that EMS should not be put into the same umbrella as the public. We're out on the streets, we're on the forefront with the police department. Any large situation or any violent scene that requires an ambulance, we're there with them."

Lancaster Police Chief Keith Sadler said even though the radios for EMS would be encrypted, those emergency responders would still get updates from dispatchers.

Sadler said, "Our radio dispatch, the county dispatch in Lancaster County allows us to communicate with them and vice versa. So they don't necessarily have to be on the same band as we are."

Emergency responders said it takes more time for dispatch to communicate to them than to hear police calls. And that time is precious for first responders.

Fisher said, "So if they're on a scene that maybe we're traveling to and they update saying now the patient is violent or the scene is unsafe, we don't approach that scene. Where now those messages can be delayed seconds or even up to a minuteat atime."

Sadler said it's an issue of where do you draw the line.

He said, "If we were to expand that to EMS and fire, there's still a risk that we don't necessarily know who's listening in."

Fisher said EMS needs to know as soon as possible if a situation they are responding to has become violent.

"So we're not looking to undo what the commissioners have voted to do. We support that. We want the officers to stay safe out in the public. But we're also hoping to keep our people safe in the county," he said.

Fisher said although he has brought the issue to commissioners, none of them have responded to his request yet.

The chief clerk with the commissioners said there was no discussion about changes to the encryption policy at the last county meeting.

40.037875 -76.305514

View original post here:
Lancaster County EMS concerned for safety after decision for police radio encryption - FOX43.com

General Data Protection Regulation (GDPR) together with growing number of data breaches are the most pressing reasons why small and medium businesses are implementing data protection technologies including encryption. With the limited time and market flooded by various products, it can be a difficult task for company owners and decision makers to find the right fit for their needs.

If you are faced with the decision yourself, avoid pitfalls in selecting an encryption product by asking the following questions:

This might seem like a pointless question with an obvious answer; systems are more liable to loss or theft when away from the office, but making this distinction and keeping it in mind is the right place to start and when you have settled on a solution, be sure to test its effectiveness at managing problem scenarios for your remote users.

All major Endpoint Encryption products offer the means to manage remote systems, but look carefully at the requirements. Most need either an open incoming connection to a demilitarized zone (DMZ) on your Server, or a VPN connection. All involve a higher level of IT skills and additional costs and may require the user to initiate the connection to function; not much use with a rogue employee or stolen laptop. A well-designed product will give you the remote management necessary without creating additional security problems, requiring specialist knowledge or adding expense to the project.

Why is this important?

Being able to quickly vary security policy, encryption keys, features and operation of endpoint encryption remotely, means that your default policy can be strong and tight. Exceptions can be made only when and where they are needed, and reverted just as easily. If you cant do this youll be forced to leave a key under the doormat just in case, tearing holes in your policy before deployment is complete.

The answer might be crucial if a company computer with full-disk encryption gets stolen while in sleep mode or with operating system booted up, not to mention those systems with the pre-boot password affixed on a label or tucked in the laptop bag. If a remote lock or wipe function is not available, then the system is either unprotected or secured only by the OS password, with the encryption being bypassed in either case.

Similarly, it is important to know whether the solution has been designed to accommodate the typical use-cases that would otherwise unravel a well-designed security policy.

With an array of writeable devices that people use for their everyday work, it is almost impossible for the admins to whitelist each and every one of them and decide if they can be read from or written to. It is much easier to set a file-level policy distinguishing between files that need encryption and those that dont and keep these protected every time they move from workstation or corporate network to any portable device.

In other words, if you connect your own USB stick, it wont force you to encrypt your private data, however anything coming from the company system will be encrypted without the keys being held on your device. A simple idea, but one which makes any device safe, without the need for whitelisting.

If the setup of the solution takes hours or even days and needs additional tools for its operation, it might cause new headaches for company admins and create new security risks. Aim for an easy-to-deploy solution that doesnt require advanced IT expertise, preserving your finances as well as human resources. If the user-experience mirrors that easy deployment, then IT staff wont be further taxed by user-lockouts, lost data and other frustrations.

Closing remarks: The security was there a long time ago; what will make or break your deployment is flexibility and ease of use.

All validated, commercial encryption products have been more than strong enough for many years, yet a significant proportion of the recorded data breaches involving lost or stolen laptops and USB drives happened to organizations who had bought and deployed encryption products. Reading the case notes for these incidents reveals being able to fit the solution your environment and working practices and making encryption easy for everyday users as the real challenges.

See more here:
Five good questions to ask before buying encryption - Techseen

By Mike Wuerthele Thursday, August 17, 2017, 11:14 am PT (02:14 pm ET)

First spotted by Redmond Pie on Wednesday, Twitter user "xerub" posted the information, and an extraction tool for the Secure Enclave firmware, in advance of the Singapore Hack in the Box conference.

The tool and hack is not for the inexperienced. The outputs of the tool are binaries of the kernel and related software regulating the communications between the Touch ID sensor and Secure Enclave but not any information transmitted presently or in the past between the Touch ID sensor and the Secure Enclave.

The exposure of how to extract the encryption key from an iPhone 5s does not mean that the device is no longer secure. However, it does mean that people angling to make exploits for the device are able to examine the Secure Enclave firmware on the device in more detail than previously possible.

At present, there is no known exploit utilizing the tool, or the gleaned data, and it is not clear how one would even be produced or installed on a target device. Any exploit developed with the tool would be specific to the iPhone 5s, and require physical access to the device to load custom firmware as well.

Apple's Secure Enclave is in Apple's A7 processor and later and provides all cryptographic operations for data protection in iOS devices. The Secure Enclave utilizes its own secure boot and can be updated using a personalized software update process that is separate from the application processor which is how any exploit would have to be installed, one device at a time.

The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access. Each pairing of the Touch ID uses the shared encryption key, and a random number to generate that session's full encryption key.

Read the original:
Encryption key for iPhone 5s Touch ID exposed, opens door to ... - AppleInsider (press release) (blog)

Share

Share

Share

Share

Print

Email

Venafi, the provider of machine identity protection, announced Thursday (Aug. 17) that, based on survey results, the majority of IT security professionals think encryption backdoors arent effective and can be potentially dangerous.

The survey, which polled 296 IT security professionals on encryption backdoors found 72 percent of the respondents do not believe encryption backdoors would make their nations safer from terrorists. Giving the government backdoors to encryption destroys our security and makes communications more vulnerable, said Kevin Bocek, chief security strategist for Venafi, in a press release announcing the results of the survey. Its not surprising that so many security professionals are concerned about backdoors; the tech industry has been fighting against them ever since global governments first called for unrestricted access. We need to spend more time protecting and supporting the security of our machines, not creating purposeful holes that are lucrative to cybercriminals.

Other findings in the survey include that only nine percent believe the technology industry is doing enough to protect the public from the dangers of encryption backdoors, while 81 percent feel governments should not be able to force technology companies to give them access to encrypted user data. The survey also revealed 86 percent believe consumers dont understand issues around encryption backdoors. Encryption backdoors create vulnerabilities that can be exploited by a wide range of malicious actors, including hostile or abusive government agencies, said Venafi in the release. Billions of people worldwide rely on encryption to protect critical infrastructure including global financial systems, electrical grids and transportation systems from cyber criminals who steal data for financial gain or espionage, the company noted.

This isnt the first time that IT professionals have expressed concerns about encryption backdoors. A survey in January of 2016 found 63 percent of IT professionals remain opposed to the idea. According to a survey by global IT and cybersecurity association ISACA, nearly 59 percent of respondents said privacy was being compromised by the governments effort to impose stricter cybersecurity laws. The Cybersecurity Snapshot shows that the professionals on the front lines of the cyberthreat battle recognize the value of information sharing among consumers, businesses and government but also know the challenges associated with doing so, Christos Dimitriadis, international president of ISACA and group director of information security at INTRALOT, said in a press release.

Share

Share

Share

Share

Print

Email

Read the rest here:
Survey Says Security Professionals Doubt Effectiveness of Encryption Backdoors - PYMNTS.com

Bob Ackerman Jr. Contributor

Robert Ackerman Jr. is the founder and a managing director of Allegis Capital, an early-stage cybersecurity venture firm, and a founder of DataTribe, a startup studio for fledgling cyber startups staffed by former government technology innovators and cybersecurity professionals.

Throughout the course of human history, disruptive innovation has been required to unleash higher tiers of human potential. Think of Gutenberg and movable type, Edison and electricity or Berners-Lee and the World Wide Web.

We are in need of another such breakthrough today. Cloud computing and the Internet of Things (IoT) embody vast promise for advancing civilization. But they also have given rise to seemingly intractable security exposure, including nation-state rifts, not to mention profound quandaries about the erosion of individual privacy.

The good news is that a new technological advance could unleash the full promise of cloud computing and put IoT on the verge of everyday use by U.S. intelligence agencies and in the private sector. This advance two decades in the making is called homomorphic encryption, and it allows data to be queried and analyzed without decrypting it.

Homomorphic encryption is the Holy Grail of encryption, says Ellison Anne Williams, a math PhD, former NSA senior researcher and co-founder and CEO of ENVEIL, a security startup that has fine-tuned a homomorphic encryption system for commercial use.

The explosive growth of cloud computing makes this crucial. Amazon EC2, Google Cloud and Microsoft Azure have made cloud storage and processing services a major enabler of digital commerce. An enterprise that uses one of these services is effectively extending the boundary of their trusted enterprise compute environment, owned and managed by them, to an untrusted location owned and managed by a third party.

The problem is that there is a security gap in cloud services today. Companies routinely encrypt data kept in storage and make certain only encrypted data is transported to and from cloud storage facilities. But in order to act on this data to, say, do a simple search or perform an analytic both the query and the stored data must be decrypted. This creates an opportunity for an alert intruder lurking on the network to steal the data in unencrypted form.

Threat actors are acutely aware of this Achilles heel of cloud computing and are salivating to exploit it. We know this because business networks routinely falter and briefly expose decrypted data. When this happens, security analysts at large enterprises pay close attention. In a few cases recently, network intruders have been detected doing much the same type of reconnaissance of a companys crown jewels.

The current roots of homomorphic encryption date back to 2008, when IBM researcher Craig Gentry came up with a way to perform mathematical operations on encrypted data without first needing to decrypt the data the first working example of homomorphic encryption.

Trouble was, it took gargantuan computing power to make Gentrys rudimentary prototype work. Steady progress was made over time by others, however, and today we are finally on the threshold of seeing homomorphic encryption deployed in daily business use.

Speaking recently at the Billington Cybersecurity Summit in Washington, Jason Matheny, director of the governments Intelligence Advanced Research Projects Activity (IARPA), told attendees it has taken math magic for this technology to arrive at this point. IARPA is in the late phase of developing a database query system based on homomorphic encryption.

The embrace of homomorphic encryption is powerful. For example, authorities, acting on evidence, will be able to search travel and financial records or telephone and email logs, while, say, hot on the trail of a terrorist. And they will be able to do so without ever exposing the underlying data personal information that belongs to the wider citizenry, muting the possibility of abusing power.

Computer processing power, of course, has advanced steadily since IBMs Gentry produced his prototype. But it is really the collective brainpower of a group of math geniuses who followed him that brought us to the point we are at today. Driving efforts within the federal government and in private research labs at places like IBM and Microsoft, these highly insightful experts have been pushing the envelope.

Last year, Microsoft researchers smashed a homomorphic encryption speed barrier. While there is still work to be done, Kristin Lauter, a principal research manager at Microsoft, has said that initial results look very promising and that the technology could be used, for example, on specialized devices for medical or financial predictions. We are definitely going toward making it available to customers and the community, she told The Register, a British technology news website.

IBM also continues to make progress. It has been granted a patent, for instance, on a particular homomorphic encryption method. This is a strong hint that it continues to work toward a practical solution, not simply continued pursuit of theoretical research. Meanwhile, ENVEILs Williams, who spent years at the NSA chiseling away at a practical version of homomorphic encryption, now has 10 pending customers analyzing its proof of concept.

It is in the commercial arena, in particular, where homomorphic encryption is destined to be truly disruptive. To start with, it shrinks the attack surface for organizations increasingly dependent on cloud services. That alone will make compliance much easier, both in meeting data handling rules and, for governments, enforcing them. Neither is a small feat. Meeting federal rules for the handling of medical and financial records or the handling of transaction data is significantly easier for companies with well-defended networks.

Meanwhile, regulatory pressure to better protect data is intensifying. There is a rising tide of state-imposed data security rules, such as those recently enacted in New York, Massachusetts, Vermont and Colorado. In addition, there is Europes pending new General Data Protection Regulation, one replete with exhaustive data protection requirements and onerous penalties if they are not met.

A key byproduct of the elimination of the unencrypted security gap will be heightened innovation, and at an important juncture. Consider, for example, the oceans of sensitive personal information that will be collected as IoT continues to grow. Analysts will be far more inclined to gather this broad expanse of data if they know it will be protected properly. They are keenly aware of a personal privacy line that must not be crossed in mining IoT data for marketing purposes, lest consumers revolt.

Beyond consumerism, opportunities to enhance the world of medicine could open up with the embrace of homomorphic encryption. Imagine, for example, medical researchers being able to query millions of HIPAA-protected patient records to identify disease trends by demographics and geographic location. We could enter a golden age of medical advances.

No doubt, other amazing developments are sure to spin out of the mainstreaming of homomorphic encryption. Stay tuned. This disruption can change everything for the better.

Read the original post:
Changing the security landscape for entrepreneurs - TechCrunch