In the past, technology was a topic of discussion primarily among engineers and scientists. Debates would erupt over technology, but they were confined to esoteric conferences, labs or lecture halls.

Our connected world has changed all that. Now its not unusual for people to talk about technology its benefits, challenges and social implications. And those people are not always technical experts.

AI and autonomous cars, cloud, connected medicine and data breaches continue to be hot topics. But various policy and societal factors are pushing another technology issue encryption into the collective consciousness. Thats why we can expect 2020 to be the Year of Encryption.

This year, dialogue about encryption from a business, consumer and policy standpoint will reach a crescendo. This will happen in the U.S. and beyond. Here are a few examples.

Businesses are stepping up their strategies to ensure compliance with the 2020 California Consumer Privacy Act (CCPA). CCPA, which took effect Jan. 1, gives California residents control over their personal data. This will prompt more discussion and education about personal data privacy. And that will give businesses new incentives to employ encryption technology.

Theres movement on encryption at the federal level, too. A bipartisan group of Capitol Hill lawmakers have re-energized a push for encryption backdoors. And the Australian, U.K. and U.S. governments are pressuring Facebook to scrap plans for end-to-end encryption of Facebook Messenger.

Meanwhile, organizations with an international presence continue their work on General Data Protection Regulation (GDPR) compliance. They also must understand how Brexit will impact regulations governing storage and sharing of sensitive data. Such efforts have new urgency given that British lawmakers in December approved the Brexit bill. And businesses want to avoid the significant GDPR fines theyve seen some of their peers absorb.

As for consumers, they want more control and privacy over their data. And the advancement in facial recognition software and concerns about voter information protection leading up the U.S. election only amplify their concerns. Yet consumers are often confused about what data privacy really means and how to enable it.

But a growing number of individuals are now aware that encryption is part of the conversation. Encryption may never be a water cooler topic of conversation on par with Game of Thrones. However, in 2020, it will be more readily understood, discussed and debated than ever before.

Weve also been hearing about the arrival of the autonomous car for some time now. Autonomous cars were once a futuristic idea. But theyre here today, and several businesses have been investing in and experimenting with them.

That has prompted people to talk about autonomous vehicles and their potential benefits and dangers. When these vehicles first arrived on the scene, much of the talk was about their benefits. But experiments dont always go as planned; in fact, some are catastrophic failures.

This highlights the need for organizations to devote more time and effort to tackle the challenges autonomous vehicles present. (One of those challenges involves how to prevent tampering by bad actors.) As a result, the broad use of autonomous cars will be further in the future than originally expected. And the use cases for these vehicles largely will be limited to short distances and specific routes and speeds.

Cloud technology also continues to move forward while simultaneously taking a step back.

On the forward-moving front, worldwide public cloud spending is expected to approach $500 billion in 2023. If that plays out, it would be more than twice the public cloud spend from 2019.

But while adoption of public cloud is growing, many organizations are revisiting private cloud strategies. This boomerang effect is occurring as some organizations realize public cloud doesnt meet all their needs. That is sometimes due to security issues or the challenges of having to rewrite applications. As a result, many organizations that had planned to go 100% public cloud are opting to also use on-premises resources.

If you thought house calls were a thing of the past, think again. Like the cloud, medicine is also now coming back in house, at least to some extent.

In the year ahead expect to see more medical devices make their way into our homes. That includes equipment like breathing machines that used to be found solely in medical facilities.

Technological advances are now enabling manufacturers to make these devices smaller. And the fact that these devices are connected means they can be used at home. That can save time and money for consumers and the medical industry.

Data breaches continued to rise in 2019. And the growing number of medical and other connected devices only increases the threat surface and raises the stakes of cybersecurity. And our data-rich medical records have become the gold standard for todays cyber thieves.

That said, organizations must do more to safeguard the health and well-being of their customers. That involves having the right cybersecurity and personal data protection measures and technology in place.

But they need to do that without creating a lot of friction for their customers.

Finding the right balance is a significant challenge. But its worth the time and effort for organizations, which should figure encryption into the equation.

Too little security can result in loss of business, reputation and even stock value. Meanwhile, the right balance enables compliance, builds trust and allows for business growth and longevity.

Link:
Encryption Will Take Center Stage in 2020 - Security Boulevard

Although today much of the internet traffic is encrypted, attackers can still exploit it. While the need to examine encrypted traffic is obvious, the way to carry out decryption often remains a conundrum. Decrypting traffic can introduce performance bottlenecks and introduce potential privacy and compliance issues if the traffic is fully unshrouded. Finding a way to maintain performance and ensure compliance while also being able to properly examine traffic is becoming critical.

Encrypted traffic needs to be examined to uncover potential functions for controlling botnets and malware that are often hidden within secure tunnels. Examining encrypted traffic will also help investigate various issues. Take, for instance, a workstation that abruptly started to communicate using an outdated encryption algorithm. Such is likely a clear sign of being compromised. Or consider users communicating with servers with untrusted certificates. The ability to analyze encrypted communications such as these is growing more crucial each day for the effective enforcement of security policies.

While only half of internet traffic was encrypted in 2017, today it is over 80%. The era of a fully encrypted internet is already knocking on the door and, naturally, professionals responsible for security and risk management in companies are paying more attention. Encryption complicates the use of traditional security technologies, such as firewalls, and also often makes their use impossible. If you do not know what is hiding in packets, you cannot fully protect the corporate network or individual workstations from malware.

Today, the analysis of encrypted communication should be part of the portfolio of network monitoring and security for every company. Some security solutions are adding such capability, providing the ability to analyze header information of encrypted traffic without having to open the payload. Thanks to this functionality, enterprises are now able to display important details of encrypted communication, including detecting hidden malware. However, the encrypted content cannot be viewed without decryption. So it is important to get as much information as possible when the communication is not yet encrypted during the process of establishing the connection when the exchange of encryption keys and certificates is being conducted.

An example of this connection setup is a SSL/TLS handshake, which is required for establishing encrypted communication during which different TLS parameters are available and visible, including the TLS protocol version used by the server, encryption set, server name (SNI) indication, certificate issuer, public key, certificate validity, JA3 fingerprint and more.

The connection data can then be analyzed or used in different ways to manage the security of the organization. Based on the data, one can receive notifications of changes and events or use it for automatic alerts that are linked to other actions (emailing, running a user script, sending a syslog or an asynchronous notification in the form of an SNMP trap, etc.).

One of the easiest ways to detect malware and process indicator of compromise (IoC) is to analyze JA3 fingerprints. Using JA3 method, one can easily create SSL/TLS fingerprints on any platform. It is much more effective to use JA3 fingerprints to detect malware within SSL/TLS than to monitor the IP or domain IoC. It does not depend on whether the malware uses domain generation algorithms (DGA) or changes the IP addresses for each of its command and control (C2) hosts, not even when it uses, for example, Twitter, to control it. Since JA3 detects a client application directly, it can detect malware based on how it communicates instead of what it communicates through. Thanks to this, special tools such as those in Flowmon, in cooperation with the publicly available JA3 fingerprint database, can detect potential threats from specific JA3 fingerprints in encrypted communication.

Many companies rely on HTTPS communication and certificates issued by a certification authority for a given period to secure their internal communication or web presence. It is important to monitor the validity of the issued certificate to avoid a situation where data remains unsecured for some time. This can be elegantly solved by analyzing encrypted traffic, which provides, among other things, an overview of each certificates expiration. This allows one to monitor expiring certificates and completely avoid the problem of expired certificates altogether. One can also easily detect weak TLS 1.0 encryption with enough time to take all the necessary corrective steps.

Some security solutions provide encrypted traffic analysis on two levels. The first focuses on cryptographic evaluation, i.e. examines versions of the SSL/TLS protocol, cyber suite (encryption algorithms, key lengths) and certificates, while the second focuses on monitoring and security. It offers JA3 fingerprints for possible identification of malware or infected stations and ALPN for identifying protocols in encrypted communication and examines SNI and many other parameters.

For reliable threat protection, companies eventually will need to incorporate security tools based on behavioral analysis, artificial intelligence and encrypted communication analysis. These tools promise to detect malware in real-time encrypted traffic without impacting network throughput or degrading application performance. It will also require changes to existing security strategies to stop man-in-the-middle threats or attempts to steal corporate data promptly.

New security technologies such as these will be indispensable for not just protective security, but also for auditing. The technologies will help detect communications that use outdated certificates in violation of company policy, control the encryption strength or reveal data encryption vulnerabilities. Most organizations today can only get to such detailed overviews at the cost of laborious and time-consuming methods.

In a way, we can apply the Socrates dictum about the unexamined life not worth living to network security. Unexamined traffic undercuts all of the other important security methodologies and makes them not worth having, providing a way for attackers and bad actors to gain access to resources right under the nose of security inside encrypted tunnels. These need careful examination and can be done largely without performance penalties and compliance exposure.

See original here:
Encrypted Traffic Analysis Will Be Mandatory Soon - Security Boulevard

Expect the U.S. Department of Justice and officials from allied countries to push harder for large technology companies to give them access to customers' encrypted communications, and expect the tech companies to continue to resist.

The current push for tech companies to provide encryption backdoors started back in 2014, when then-FBI Director James Comey complained about law enforcement agencies "going dark" because of a lack of access to encrypted email, texts, and other communications. But current Attorney General William Barr and allies in the United Kingdom and other countries have stepped up the pressure on tech companies in recent months.

Encryption has "empowered criminals" as terrorists, human traffickers, and sexual predators shield their activities from police, Barr said in a speech in October. "As we work to secure our data and communications from hackers, we must recognize that our citizens face a far broader array of threats," he said. "While we should not hesitate to deploy encryption to protect ourselves from cybercriminals, this should not be done in a way that eviscerates society's ability to defend itself against other types of criminal threats."

The debate shifted into high gear in December. On Dec. 9, Facebook sent a letter to U.S., U.K., and Australian officials, rejecting their request that the company scrap its plans to offer end-to-end encryption across messaging services.

"We all want people to have the ability to communicate privately and safely, without harm or abuse from hackers, criminals, or repressive regimes," the letter said. "Every day, billions of people around the world use encrypted messages to stay in touch with their family and friends, run their small businesses, and advocate for important causes. In these messages, they share private information that they only want the person they message to see."

A day later, in a Senate Judiciary Committee hearing, Chairman Lindsey Graham threatened Facebook and Apple officials with legislation if they didn't give law enforcement encryption back doors.

"You're going to find a way to do this, or we're going to go do it for you," said Graham, a Republican from South Carolina. "We're not going to live in a world where a bunch of child abusers have a safe haven to practice their craft. Period. End of discussion."

Many cybersecurity experts, however, have warned against the push for encryption back doors.

If law enforcement agencies get access to encrypted communications, it's only a matter of time before criminals figure it out, said Michael Frederick, CEO of software development firm Flatirons Development. There is no "middle ground" compromise to the encryption debate, he added.

"Any back door that is open to law enforcement to allow them to access encrypted materials will inevitably be discovered and abused by those with malicious intentions," he said. "That could be hackers in the U.S., or it could be overseas governments taking advantage of the loophole, presenting a risk to our national security."

When the loophole is discovered and shut down, "we will start this conversation over again," he predicted.

It's "impossible" to allow law enforcement access without also risking hacker access to encrypted communications, added Daniel Goldberg, security researcher at Guardicore, a cloud and data center security vendor.

"Regardless of the method, whether its key escrow or weakened access or any other buzzword of the month, encryption only works if it's total," he said. "If we go down this path, not far is the day when criminal groups or nation-states will have easy access to all private communications of common citizens."

Nevertheless, the push for access isn't all "fear, uncertainty, and doubt," Goldberg added. "By choosing privacy for all citizens, we also allow privacy to criminals," he said. "Law enforcement today relies on a hodgepodge of methods that try to go around end-to-end encryption, allowing sophisticated criminals freedom of action."

Meanwhile, security experts were split in their predictions on whether Congress would act to require law enforcement access. Some saw too much disagreement in Congress to move forward, while others predicted eventual action to require some type of access.

"Unfortunately, I can see Congress, in light of a national emergency or threat, taking action to weaken individual access to encryption technology," said Llewellyn Gibbons, a cyberlaw professor at the University of Toledo College of Law. "I doubt that Congress will take action on this as part of a reasoned debate that considers the commercial as well as individual privacy concerns."

Congressional action would be a significant change in U.S. government policy related to the internet, Gibbons added. "Such a change would be a dramatic shift from the self-government model that the U.S. government has encouraged on the internet."

View post:
Debate over access to encryption isn't going away - Washington Examiner

from the encryption-is-letting-dead-men-get-away-with-crimes-they-already-committed dept

It looks like the FBI wants to relitigate the San Bernardino shooting. After that tragedy, the FBI tried (and failed) to obtain legal precedent forcing cellphone manufacturers to crack open seized phones at the drop of a warrant. Finally, a third party sold a solution to the FBI that opened the phone and allowed it to recover nothing useful whatsoever from the shooter's device.

The FBI was displeased that it didn't get this precedent. Internal communications showed FBI officials were doing everything they could to avoid using a third-party solution. The theoretical existence of evidence related to a tragic shooting was the only leverage the FBI had and a private company's cracking service took that leverage away. It could no longer claim approaching Apple directly was the only way to access the contents of the phone.

The FBI is trying again. It has more locked phones and another shooting to use as leverage.

The FBI is asking Apple Inc. to help unlock two iPhones that investigators think were owned by Mohammed Saeed Alshamrani, the man believed to have carried out the shooting attack that killed three people last month at Naval Air Station Pensacola, Florida.

In a letter sent late Monday to Apple's general counsel, the FBI said that although it has court permission to search the contents of the phones, both are password-protected. "Investigators are actively engaging in efforts to 'guess' the relevant passcodes but so far have been unsuccessful," it said.

Apple is helping the FBI but it's not doing the only thing the FBI really wants it to do. Apple's statement says it's already turned over "all the data in [Apple's] possession." But it's not going to break the devices' encryption.

And no matter what legal precedent the DOJ obtains -- should it decide to force the issue by seeking a court order compelling decryption -- it still may not find anything useful, or indeed anything at all, if it manages to unlock the devices. There's a twist in this case that sets it apart from the San Bernardino shooting.

A law enforcement official said there's an additional problem with one of the iPhones thought to belong to Alshamrani, who was killed by a deputy during the attack: He apparently fired a round into the phone, further complicating efforts to unlock it.

Shooting someone right in the evidence is a new logistical hurdle -- one that probably can't be cleared with a stack of legal paperwork and precedent. But this is the FBI's latest attempt to undermine device encryption. Attorney General Bill Barr has made it clear he feels encryption is only good for criminals. If the DOJ decides to take another run at this, it will be less likely to back down even if presented with a third-party solution.

The FBI and DOJ are always on the lookout for another tragedy to use as leverage for anti-encryption precedent. Unfortunately, this country produces more than its share of mass shootings, so the FBI and DOJ will always have plenty to work with.

Filed Under: doj, encryption, fbi, going dark, pensacolaCompanies: apple

Read the rest here:
San Bernardino 2.0: FBI Asking Apple To Crack Encryption On Phones Owned By Pensacola Naval Station Gunman - Techdirt

The data protection landscape is rapidly changing in scope, breadth and depth. With changes to data protection laws in recent years, organisations today must keep up with all that is happening in the world of data protection.

Data protection no longer solely applies to risk management such as business continuity and disaster recovery, but also governance and compliance.

The protection of electronically stored information in all its different expressions should be at the forefront of any business. The permanent physical loss of key information, such as customer account information or the loss of confidentiality of sensitive information, could have a severe negative impact on a business and bring with it huge penalties and legal costs.

The loss of confidentiality of information through a data breach can carry high security threats and put businesses of all sizes at risk.

As data and business processes evolve with technological advances, enterprises are actively examining how to improve the data protection function from the perspectives of people, processes and technology. The key to choosing the data protection technologies is to understand the overall data protection infrastructure portfolio into which individual data protection technologies should fit.

The strength is in the hardware

As a solution, data encryption has received strong endorsement from the enactment of state, federal and international data protection legislation. Over the years, the disadvantages of software-based encryption have become increasingly recognised in the industry.

After all, software encryption is only as secure as the rest of the computer or smartphone. In software encryption, there are more possible attacks vectors that can lead, among others, to the ability for a hacker to crack the password. Software encryption tools also share the processing of your computer, which can cause the whole machine to slow down as data is encrypted/decrypted.

Unfortunately, some users remain unaware of the potential to solve these problems with hardware-based encryption. Through an industry-wide, open specification for hardware-based Self Encrypting Drives (SEDs), e.g., Opal Family Specifications, developed by Trusted Computing Group (TCG), the issues caused by software-based encryption are being addressed and the reasons for using a SED continue to grow.

SEDs are storage media that perform on-board encryption/decryption, as well as pre-boot authentication, maintain hashed passwords and offer on-the-fly erasure. In a SED, the entire drive, including the Master Boot Record (MBR) is encrypted and write protected at rest. As a result, the master boot record cannot be corrupted.

Compared to software-based encryption, hardware-based encryption built into a drive offers simplified management, interoperability among drives from different vendors and most importantly no performance impact. In fact, using a SED is much more cost-effective than buying higher performance main laptop processors when software Full-Disk Encryption (FDE) is used. SEDs integrate to systems and image the same as non-encrypting drives, with no initial encryption necessary, nor re-encryption when drives are re-imaged.

SEDs and TPMs the perfect match for data protection

In order to ensure better security, strong user authentication is needed. With a SED, access to the platform is based on secure authorisation performed by the SED and not by the less-secure software that can be spoofed into allowing unauthorised access to data. Combining hardware-based encryption with Trusted Platform Modules (TPMs) can provide even stronger security benefits in personal computers and can be used in a multitude of ways.

The TPM is designed as a root of trust for the computing platform. It can measure components such as the Basic Input/Output System (BIOS) to determine if the system has been hacked or an unauthorised change has been made. The SED has areas of protected storage that can be used in conjunction with the TPM. One use of these protected storage areas would be to keep a copy of sensitive software such as the system BIOS or MBR. If the TPM detects that the BIOS or MBR has been hacked, a new, unaltered copy of the software can be loaded before the system boots, resulting in a self-healing system.

The combination of SEDs and TPMs can also assure strong authentication. In this instance, the SED would store an alternative operating system in a read-only area of the drive. When the locked SED is powered up, a shadow MBR is used to load this pre-boot Operating System (OS).

The purpose of the pre-boot OS is to allow the user to enter their authentication credentials such as passwords, fingerprints, smart cards, or other tokens which are used to unlock the SED so that the normal MBR and OS can be loaded. Even though the SED protects the pre-boot OS from being altered, the TPM can be used to provide another layer of security by measuring the pre-boot OS each time it is loaded to assure that it has not been altered in an unauthorised way.

Some enterprises want to assure that a SED can only be unlocked by authorised users and in an authorised platform. The TPM can be used to store authentication credentials which are required in order to unlock the SED. At power up time, not only must the user enter their authentication credentials, but the TPM must be used in conjunction with the user authentication credential in order to produce the authentication credential which can unlock the SED.

Through combining hardware-based technologies like SEDs with TPMs, enterprises add another layer of security to their systems, ensuring the possibility of any loss of data is drastically reduced.

Protection against future security threats

Hardware-based encryption like that found in SEDs bring a lot of advantages including compliance, stronger security, integrated authentication and low total cost of ownership with an additional benefit of rapid data destruction or crypto-erase. While these convincing reasons remain valid, additional security scenarios provide even more compelling justification for organisations.

Corporations are reinitiating their spending and investments in technology for the future, with information security proving to be a key area to benefit from increased spending. With new approaches such as SEDs, corporations can obtain improved data security without the shortcomings of software-based encryption. Once potential users correctly and completely understand the capabilities of SEDs and the misconceptions are corrected as well, the increasing availability of SED options will provide the solution to cope with data security threats both now and long into the future.

By TCG Storage Workgroup

PrivSec Conferenceswill bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.https://www.privacyculture.com/

Excerpt from:
#Privacy: Self-Encrypting Drives are the answer to data protection concerns now and in the future - Security Boulevard