The European Commission has begun taking more decisive steps toward secure, encrypted communications. But while all of these steps may be positive, not all of them are identical.

Recently, the EU executive has made it clear that staff should use the messaging app Signal, a less popular, but a potentially more secure competitor to WhatsApp. This comes after countries in the EU failed to agree on governing rules for WhatsApp (as well as for Skype), as part of discussions on the recent ePrivacy regulation. But at the same time, the European External Action Service (EEAS) has decided to create its own messaging platform for EU officials to use in their work across the world.

As the EEAS is the EUs delegation to countries across the planet (including to dangerous crisis zones or states that potentially harbour ill-will), it is unsurprising theyve opted for something more advanced than their EU commission counterparts.

Instructing their staff to steer clear of the EU Commissions chosen platform, Signal, the EEAS has opted for a more tailored approach. While Signal is widely used and praised for its security and level of encryption, the EEAS believes it needs something even more advanced. Their sights are set on a secure, instant messaging tool to be used for exchanges of classified EU restricted information.

What are the exact details of the EUs new messaging app?

Staff members for the EU Commission need a secure messaging tool for unified communication in order to ensure greater mobility with collaboration, to centralize information, and to boost overall efficiency. However, the EEAS has, unsurprisingly, remained quiet when it comes to revealing details about their new messaging tool. However, while internal security features were kept under wraps, it has been revealed that the new tool has been deployed since late Q3 2019.

Nobody can be sure just how exactly the EEAS is encrypting its messages across the new tool, or what software, protocols, or security auditing techniques it is based on. Its ability to protect data is another question mark. It also remains unclear whether the tool has been tested under a rigorous data protection impact assessment, although, as assessments like this are currently required by EU legislation, it is likely this will be the case.

This isnt to say that the EU has a perfect history with data protection. It was only recently that it ran into data related trouble when they hired NationBuilder, a company swamped in controversy after its role in President Donald Trumps 2016 US election win and Brexit.

A new focus on encryption

While the EEAS is focusing on its new tool, the EU commission has adopted Signal in its efforts to become more secure. An end-to-end encryption app, Signal is ideally placed to help these bolstered security efforts.

Beyond the EU, Signal is a favourite choice for security and privacy experts due to its open-source technology and end-to-end encryption. Features such as automatic message deletion help to prevent messages being read by third parties, and its open-source allows multiple developers to improve its security.

Developed in 2013 by security experts, Signal is backed by WhatsApp creator Brian Acton, who famously clashed with Facebook in 2017. It is specifically designed so that the people running the Signal platform cant see any of your messages or listen to your calls and neither can any bad agents.

While WhatsApp can claim it is based on the same protocol as Signal (called Open Whisper Systems), it cannot claim to be open source. It also has a murky history of being used to apparently deliberately mislead EU officials when it came to how data was used.

The EUs increasing security concerns

The EU has a patchy history when it comes to data leaks, so it comes as no surprise that it is attempting to enhance its level of cybersecurity.

In late 2018, it was discovered that thousands of confidential diplomatic cables were taken from the EUs Courtesy system a platform used to enhance foreign policy information. Likewise, in June 2019, it was discovered that the EUs Moscow delegation had suffered a data breach with two computers being hacked. This pattern of almost yearly breaches seems unlikely to stop.

While it should be clear that many governments have historically had little actual idea of how encryption works, considering the large number of cybersecurity crises that have happened, EU officials arent entirely unschooled when it comes to cybersecurity. They already use encrypted emails when sending sensitive information, and classified documents are sent using even more levels of security.

The use of Signal has mainly been adopted for normal communication outside of critical or sensitive exchanges, suggesting the EU is taking cybersecurity seriously across even the less vulnerable channels.

That said, the adoption of encrypted platforms like Signal might not be received with open arms. Governments across the world from Washington to Brussels have typically been against impossible to crack encryption, as it can hinder law enforcement efforts. Whether this will influence any of the EUs security decisions, however, remains to be seen.

Increased security across the board

The EU has demonstrated, through its creation of a new messaging tool and its adoption of Signal, that it is putting an emphasis on encryption. It understands the need for cybersecurity and appreciates the level of advanced encryption that is needed to stay secure in the modern world. It is likely that more technologies will be adopted by the EU in the near future.

Link:
The story behind the Commission's new emphasis on encryption - EURACTIV

Celebrities like Jennifer Lawrence, Emma Watson, Miley Cyrus, and Holly Willoughby amongst others have become victims of hackers who have stolen private images off their cell phones and released them on the internet. With smartphones being an integral part of every individuals everyday life, the threat of having any information stolen is very much real. It is essential that every individual has a basic knowledge about cybersecurity and encryption, which is lacking amongst the public at large.

Once a cyber-criminal gets hold of your smartphone, a whole pool of knowledge about yourself, ranging from casual conversations to your bank information, becomes available to him. It becomes very easy for that cybercriminal to get information about life and your choices. Thus, it is of utmost importance that a smartphone is protected by encryption, thus protecting your sensitive data in case your device falls in the wrong hands.

Encryption helps save your smartphones data in a scrambled and unreadable form. Thus a smartphone that would have a huge pool of data including text messages, emails, contacts, photos, and various documents would be protected from being hacked via encryption. Full Disk Encryption i.e., FDE, would encrypt all the necessary data on your device. It is the encryption done on a hardware level.

Encryption automatically helps protect any information by converting it into a scrambled and unreadable form. This data cannot be read unless the user has some right authentication key such as password, PIN, or a lock pattern. When the correct authentication key is entered, the phone decrypts the data, thus making it readable.

If you are an average user, you might be under the impression that you dont have any sensitive data on your device. However, it is still advisable to encrypt your phone since the cybercriminal would still have access to your private information such as your emails, home address, personal photos, and more. Whether the cybercriminal intends to wipe off the data of the stolen phone or steal any data, it is advised that you keep all your data protected.

Android introduced default encryptions in 2014, but it wasnt until the release of Android 6.0 Marshmallow in 2015 that Google started requiring manufacturers to enable encryption on all devices out of the box.

Apple began encrypting iOS devices in 2014 with the release of iOS 8. This means that Apple can still access any device before this update if law enforcements present the company with a warrant. With iOS 8 and beyond, Apple can no longer bypass the lock and gain access to the data, which means that it can only be accessed with the devices PIN.

The performance of the smartphone will be affected slightly. Because of this reason, encryption of older devices is not advised.

There is no coming back once the phone is encrypted. The only way of un-doing encryption is to factory reset the phone.

Over a period of 2 decades, Adeptia has grown gradually and extended its capacity throughout the pioneered leading-edge capabilities in API integration, self-service integration, application integration and data integration. Today, Adeptia has more than 125+ employees who are integration experts. The company is committed to solving complex business data integration requirements taking into consideration that it enables competitive advantage. This is done to enable competitive advantage via faster customer data onboarding. Basically, Adeptia helps its clients to become more capable by taking the responsibility of their IT requirements.

The entire process of encryption takes approximately an hour. It mainly depends on what is the quantum of data in your device. Make sure that the smartphone is fully-charged and that you have enough time on your hand.

This is exactly where Adeptia comes in. Adeptia was founded in 2000 by Deepak Singh in New Delhi. A small group of IT enthusiasts saw a bright future in automatic extracting, transforming, and loading ETL functions for critical business data. Most businesses utilize customer business data for integration cases that involve complexity, extension, change management and usability. The software crafted by the IT pioneers would serve few of the most demanding data production environments in the market.

Knowingly or unknowingly, we pour a lot of personal information online or on our device. The number of apps we are heavily relying on alone contains quite a lot of personal information that we wouldnt want any third person to come across. Come to think of it, Facebook and Google are both holders of a huge amount of personal data of the users, such as location, interests, photos, websites visited, and more.

Third-party apps that require sign-ups using email-id or Facebook are also risky. One of the most recent examples of third-party apps that put users data at risk has been the exciting game, Pokemon Go. The much-loved game was one of its kind, where millions signed up instantly on the first version of the app. However, before an updated version was released, the iOS app only gave new users the option to play if they agreed to provide full access to all of their Google account information. This gives the right to Google to potentially see and modify nearly all information in your Google Account.

Mobile security breaches can happen in different forms ranging from downloading malware-infected apps to hopping on a hackers faux wi-fi. What also makes the cybercriminals job easy is poor passwords and weak security pins. This would make accessing your device an easy task. Also, one should be wary of outside resources like free wi-fi, third-party apps, and charging stations where your device can quickly get into the wrong hands.

Necessary encryption protects the information you directly input into your mobile and the data saved on the cloud. However, that encryption has no hold on any information which is stored on the device. Encryption levels of any instrument are measured via the Advanced Encryption Standard (AES). AES levels vary from device to device, though the benchmark should be 256 AES. This is the maximum-security level available to consumers, and a standard that we have kept to our debut UK mid-range mobileGenio.

Not everyone will require high-standard levels of encryption. But it is of utmost importance that one is wary of the information that is shared online and being put into your phone. What is even more important is that care is taken of changing your passwords on a regular interval and that the contents are adequately protected.

People at large should be aware of the phones encryption levels and that there are no loopholes left, which would make the task easier for any hackers. Cybercrimes are on a rise. Hacking has become a regular occurrence on a global scale, making it very important to be vigilant in the protection of your personal data.

Louise Campos, social media, content marketing and communications strategist

Excerpt from:
What is demystifying mobile encryption and its necessity - ITProPortal

The email encryption software market is expected to hold a share of over 25% in 2026 due to the rising uptake of security software to protect data from malware, identity thefts, and phishing. As email is one of the widely used communication methods used by enterprises, the demand for email data protection software to secure various aspects of email systems including content, media attachments or email access increases. The software encrypts data in transit and at rest and also supports multi-factor authentication for additional security, ensuring that sensitive information is always protected in line with regulatory compliance.

The on-premise deployment model segment held over 70% of the encryption software market share in 2019 and is projected to maintain a dominant position over the forecast timeline. The enterprises prefer an on-premise deployment model approach due to the high security associated with managing sensitive data in-house and gain access to cryptography keys for enhanced security. However, with the growing popularity of cloud platforms to store enterprise data due to high scalability and cost benefits, the demand for cloud-based encryption software is expected to accelerate over the forecast timeline.

Get sample copy of this research report @ https://www.gminsights.com/request-sample/detail/4484

The retail sector is currently observing heavy intake of third-party services to strengthen online transactions and to maximize customer experience. This has triggered a wave of cybercrimes such as data breaches which could exploit customer's sensitive data including personal credentials and credit card & bank account details.

Data privacy and protection are among the top-most priorities of today's tech-driven industries. With growing concerns, the encryption software market is expected accrue sizeable proceeds in the coming years. In a bid to combat cases of data breaches and cyber frauds, various countries worldwide have started imposing stringent regulations. Authorities are even trying to create awareness by educating the population about cybercrimes.

Stating an example from China, in November 2019, the State Cryptography Administration (SCA) issued a draft for an encryption law that would regulate encryption in the public and private sectors. This draft would help Chinese authorities establish guidelines on the use of cryptography which in turn would protect national security.

Make an inquiry for purchasing this report @ https://www.gminsights.com/inquiry-before-buying/4484

The competition in the encryption software market is characterized by strategic partnerships, new product launches, and geographic expansion. For instance, in November 2019, Sophos partnered with Telefonica UK (O2) to provide its products & services to Telefonica's customers in the UK. The partnership enables the customers to gain access to Sophos Central cloud-based security platform to secure their organizations. The company's products & services also enable customers to minimize cybersecurity risks by using behavioral analytics and machine learning to identify known & unknown threats.

Latin America encryption software market is expected to grow at a CAGR of over 18% from 2020 to 2026 due to the rising number of cyberattacks on the business-critical infrastructure, growing usage of digital platforms among enterprises to conduct business transactions, and supportive government initiatives to promote cybersecurity. For instance, since December 2019, the Mexican institutions including Mexico Central Bank, the National Defense Ministry (Sedena), Mexico Supreme Court, and the House of Representatives recorded more than 45 million attempted attacks to access databases and steal information. The rapidly evolving threat landscape has compelled public & private enterprises to promote digital security to safeguard sensitive business information. The government agencies in the countries including Mexico, Brazil, and Argentina are introducing cybersecurity strategies to respondto a wide array of cyberattacks

About Global Market Insights:Global Market Insights, Inc., headquartered in Delaware, U.S., is a global market research and consulting service provider; offering syndicated and custom research reports along with growth consulting services. Our business intelligence and industry research reports offer clients with penetrative insights and actionable market data specially designed and presented to aid strategic decision making. These exhaustive reports are designed via a proprietary research methodology and are available for key industries such as chemicals, advanced materials, technology, renewable energy and biotechnology.

Contact Us:

Contact Person: Arun HegdeCorporate Sales, USAGlobal Market Insights, Inc.Phone:1-302-846-7766Toll Free: 1-888-689-0688Email: [emailprotected]

Read more from the original source:
Encryption Software Market 2020 by Future Trends and Current Business Growth To 2026 - Technology Magazine

The release of Kubernetes version 1.18 comes at an interesting time, to say the least. The Kubernetes release team has done an amazing job of pushing out the new version despite all the turmoil and uncertainty caused by the spread of COVID-19, which impacts the global Kubernetes developer community members like everyone else.

The release features a number of new enhancements and changes. New and maturing features include enhanced security options, improved support for Windows, multiple extensions to the Container Storage Interface, and more. We will cover a few of these changes and enhancement highlights.

Version 1.18 includes several backwards-incompatible changes that users and developers need to know about before upgrading.

kubectl no longer defaults to using http://localhost:8080 for the Kubernetes API server endpoint, to encourage using secure, HTTPS connections. Users must explicitly set their cluster endpoint now.

Cluster administrators can choose to use a third-party Key Management Service (KMS) provider as one option for encrypting Kubernetes secrets at rest in the etcd data store backing the cluster. The KMS provider uses envelope encryption, which uses a data encryption key (DEK) to encrypt the secrets. Kubernetes stores a KMS-encrypted copy of the DEK locally. When the kube-apiserver needs to encrypt or decrypt a Secret object, it sends the DEK to the KMS provider for decryption. Kubernetes does not persist the decrypted DEK to storage.

Release 1.18 makes several changes to the KMS provider interface used for EncryptionConfiguration resources. The CacheSize field no longer accepts 0 as a valid value; the CacheSize type changes from int32 to *int32; and validation of the Unix domain socket for the KMS provider endpoint now happens when the EncryptionConfiguration is loaded.

Weve compiled a checklist to help ensure your K8s clusters are production-ready for security, stability, and scale.

Download Today

To simplify the configuration and security of Kubernetes API calls that involve streaming connections to containers, this change deprecates two streaming configurations.

Kubernetes persistent volumes default to giving containers in a pod access to the volume by mounting the filesystem, a suitable method for the majority of applications and use cases. However, some applications require direct access to the storage block device, notably certain databases that use their own storage format for increased performance.

This enhancement allows users to request a persistent volume as a block device where supported by the CSI and underlying storage provider. In the corresponding pods container specification, users can set the device path which the containers application can use to access the block device.

The horizontal pod autoscaling (HPA) API allows users to configure the automatic addition and removal of pods in a replica set based on various metric values. This enhancement adds an optional behavior field to the HorizontalPodAutoscaler resource type. Users can set the scale-up and scale-down rates, enabling them to customize the HPA behavior for different applications. For example, an application like a web server which sometimes gets sudden spikes in traffic may require adding new pods very quickly.

Because web servers are generally stateless, pods could also be removed quickly when the traffic subsides. On the other hand, users may want to slow the scale-down for deployments with a higher initialization overhead, e.g., containers running Java.

Cloud providers and many on-premises environments offer multiple zones or other topological divisions that provide redundancy in case of a localized failure. For applications to benefit from the independent availability of multiple failure zones, replicas need to be deployed to multiple zones. However, the default Kubernetes scheduler had no awareness or options for spreading a replica sets pods across zones.

This feature adds an optional topologySpreadConstraints field to the pod specification. Users can select node labels to use for identifying these domains and configure the tolerance and evenness for replica placement.

Currently, Secret and ConfigMap objects mounted in a container periodically get updated with the new object value if the associated Kubernetes resource gets changed. In most cases, that behavior is desirable. Pods do not need to be restarted to see the new value, and if a workload only needs the startup value, it can read it once and ignore future changes.

Some use cases may benefit from preserving the secret or config map data as it was at the pods start time. Making the data available in the mounted volume immutable protects applications from potential errors in updates to the underlying Kubernetes object. It also reduces the load on the kubelet and the kubeapi-server, because the kubelet no longer has to poll the Kubernetes API for changes for immutable objects.

This change adds the optional ability to make Secret and ConfigMap objects immutable through the new immutable field in their specifications. A resource created as immutable can no longer be updated, except for metadata fields. Users will need to delete an existing resource and recreate it with new data to make changes. If users do replace an object with new values, they will need to replace all running pods using those mounts, because existing pods will not get updates for the new data.

The ability to create a persistent volume cloned with the data from an existing persistent volume claim as source graduates to generally available. This feature is supported only via the Container Storage Interface, not in in-tree drivers. In addition, the back-end storage provider and the CSI plugin in use must support creating a volume from an existing volumes image. Specify a dataSource in a PersistentVolumeClaim to clone from an existing PVC.

Note that the exact method of cloning depends on the storage provider. Some providers may not support cloning mounted volumes or volumes attached to a virtual machine. In addition, cloning active volumes creates the possibility of data corruption in the copy.

Currently, the kube-apiserver in most Kubernetes clusters uses one of two methods to connect to nodes, pods, and service endpoints in the cluster. In most cases, the server makes a direct connection to the target, but this ability requires a flat network with no overlap between the IP CIDR blocks of the control plane, the nodes, and the clusters pod and service network.

The other method, largely used only in Google Kubernetes Engine, creates SSH tunnels from the control plane network to the cluster. The reliability and security of the SSH tunnel method have not held up well. SSH tunnel support in Kubernetes has been deprecated and will be removed altogether in the future.

As a replacement, this feature creates an extensible TCP proxy system for connections from the control plane to endpoints in the cluster. It uses the new Konnectivity service, with a server component in the control plane network and clients deployed as a DaemonSet on the cluster nodes. This architecture simplifies the API servers code base, as well as opening up the possibility of using a VPN to secure and monitor traffic between the control plane and the nodes and offering other opportunities for customization.

We just covered a handful of the enhancements in the 1.18 release, focusing on new features that may be extremely useful to some users and others which highlight the ongoing work to improve the security posture of Kubernetes and to address the complexity of the code base, which had created issues and questions during last years audit. Check out the (soon to be published) official release notes for a complete list of changes. Also, in case you missed it, you can find a great interactive tool for searching Kubernetes release notes at https://relnotes.k8s.io/.

View original post here:
Whats New in Kubernetes 1.18? Enhancements and Feature Updates - Security Boulevard

Apart from the obvious health and economic impacts, the coronavirus also presents a major opportunity for cybercriminals.

As staff across sectors and university students shift to working and studying from home, large organisations are at increased risk of being targeted. With defences down, companies should go the extra mile to protect their business networks and employees at such a precarious time.

Reports suggest hackers are already exploiting remote workers, luring them into online scams masquerading as important information related to the pandemic.

On Friday, the Australian Competition and Consumer Commissions Scamwatch reported that since January 1 it had received 94 reports of coronavirus-related scams, and this figure could rise.

As COVID-19 causes a spike in telework, teleheath and online education, cybercriminals have fewer hurdles to jump in gaining access to networks.

The National Broadband Networks infrastructure has afforded many Australians access to higher-speed internet, compared with DSL connections. Unfortunately this also gives cybercriminals high-speed access to Australian homes, letting them rapidly extract personal and financial details from victims.

The shift to working from home means many people are using home computers, instead of more secure corporate-supplied devices. This provides criminals relatively easy access to corporate documents, trade secrets and financial information.

Read more: What's your IT department's role in preventing a data breach?

Instead of attacking a corporations network, which would likely be secured with advanced cybersecurity countermeasures and tracking, they now simply have to locate and attack the employees home network. This means less chance of discovery.

Cryptolocker-based attacks are an advanced cyberattack that can bypass many traditional countermeasures, including antivirus software. This is because theyre designed and built by advanced cybercriminals.

Most infections from a cryptolocker virus happen when people open unknown attachments, sent in malicious emails.

In some cases, the attack can be traced to nation state actors. One example is the infamous WannaCry cyberattack, which deployed malware (software designed to cause harm) that encrypted computers in more than 150 countries. The hackers, supposedly from North Korea, demanded cryptocurrency in exchange for unlocking them.

If an employee working from home accidentally activates cryptolocker malware while browsing the internet or reading an email, this could first take out the home network, then spread to the corporate network, and to other attached home networks.

This can happen if their device is connected to the workplace network via a Virtual Private Network (VPN). This makes the home device an extension of the corporate network, and the virus can bypass any advanced barriers the corporate network may have.

Read more: Hackers are now targeting councils and governments, threatening to leak citizen data

If devices are attached to a network that has been infected and not completely cleaned, the contaminant can rapidly spread again and again. In fact, a single device that isnt cleaned properly can cause millions of dollars in damage. This happened during the 2016 Petya and NotPetya malware attack.

On the bright side, there are some steps organisations and employees can take to protect their digital assets from opportunistic criminal activity.

Encryption is a key weapon in this fight. This security method protects files and network communications by methodically scrambling the contents using an algorithm. The receiving party is given a key to unscramble, or decrypt, the information.

With remote work booming, encryption should be enabled for files on hard drives and USB sticks that contain sensitive information.

Enabling encryption on a Windows or Apple device is also simple. And dont forget to backup your encryption keys when prompted onto a USB drive, and store them in a safe place such as a locked cabinet, or off site.

A VPN should be used at all times when connected to WiFi, even at home. This tool helps mask your online activity and location, by routing outgoing and incoming data through a secure virtual tunnel between your computer and the VPN server.

Existing WiFi access protocols (WEP, WPA, WPA2) are insecure when being used to transmit sensitive data. Without a VPN, cybercriminals can more easily intercept and retrieve data.

VPN is already functional in Windows and Apple devices. Most reputable antivirus internet protection suites incorporate them.

Its also important that businesses and organisations encourage remote employees to use the best malware and antiviral protections on their home systems, even if this comes at the organisations expense.

People often backup their files on a home computer, personal phone or tablet. There is significant risk in doing this with corporate documents and sensitive digital files.

When working from home, sensitive material can be stored in a location unknown to the organisation. This could be a cloud location (such as iCloud, Google Cloud, or Dropbox), or via backup software the user owns or uses. Files stored in these locations may not protected under Australian laws.

Read more: How we can each fight cybercrime with smarter habits

Businesses choosing to save files on the cloud, on an external hard drive or on a home computer need to identify backup regimes that fit the risk profile of their business. Essentially, if you dont allow files to be saved on a computers hard drive at work, and use the cloud exclusively, the same level of protection should apply when working from home.

Appropriate backups must observed by all remote workers, along with standard cybersecurity measures such as firewall, encryption, VPN and antivirus software. Only then can we rely on some level of protection at a time when cybercriminals are desperate to profit.

See original here:
'Click for urgent coronavirus update': how working from home may be exposing us to cybercrime - The Conversation AU

Working From Home Creates New Security Concerns for Companies

The global pandemic caused by the novel coronavirus is changing work environments to an unprecedented degree. More employees than ever are being asked to work remotely from home. Along with the new work practices comes a variety of security challenges.Without the proper precautions, working from home could become a cybersecurity nightmare, says Purdue University professor Marcus Rogers. Criminals will use the crisis to scam people for money, account information and more, he says. With more people working from home, people need to make sure they are practicing good cybersecurity hygiene, just like they would at work. There is also a big risk that infrastructures will become overwhelmed, resulting in communication outages, both internet and cell.Covid-19 concernsConcerns about the coronavirus have increased the business worlds dependence on teleworking. According to Cisco Systems, WebEx meeting traffic connecting Chinese users to global workplaces has increased by a factor of 22 since the outbreak began. Traffic in other countries is up 400% or more, and specialist video conferencing businesses have seen a near doubling in share value (as the rest of the stock market shrinks).Basic email security has remained unchanged for 30 yearsEmail is a core element of business communications, yet basic email security has remained unchanged for 30 years. Many smaller businesses are likely to still be using outdated Simple Mail Transfer Protocol (SMTP) when sending and receiving email. The default state of all email services is unencrypted, unsecure and open to attack, putting crucial information at risk, says Paul Holland, CEO of secure email systems provider Beyond Encryption.With remote working a likely outcome for many of us in the coming weeks, the security and reliability of our electronic communication will be a high priority, says Holland. The companys Mailock system allows employees to work from any device at home or in the office without concerns about data compromise or cybersecurity issues.Acting quickly and effectivelyAs the virus spreads, businesses and organizations will need to act quickly to establish relevant communication with their employees, partners and customers surrounding key coronavirus messages, says Heinan Landa, CEO and Founder of IT services firm Optimal Networks. Employers should also enact proper security training to make sure everyone is up to speed with whats happening and can report any suspicious online activity.Reviewing and updating telework policies to allow people to work from home will also provide flexibility for medical care for employees and their families as needed.Scammers, phishing, and fraudAn additional factor in the confusing environment created by the coronavirus is growth in phishing emails and creation of domains for fraud. Phishing is an attempt to fraudulently obtain sensitive information such as passwords or credit card information by disguising oneself as a trusted entity. Landa says homebound workers should understand that phishing can come from a text, a phone call, or an email. Be wary of any form of communication that requires you to click on a link, download an attachment, or provide any kind of personal information, says Landa.Homebound workers should understand that phishing can come from a text, a phone call, or an emailEmail scammers often try to elicit a sense of fear and urgency in their victims emotions that are more common in the climate of a global pandemic. Attackers may disseminate malicious links and PDFs that claim to contain information on how to protect oneself from the spread of the disease, says Landa.Ron Culler, Senior Director of Technology and Solutions at ADT Cybersecurity, offers some cyber and home security tips for remote workers and their employers:When working from home, workers should treat their home security just as they would if working from the office. This includes arming their home security system and leveraging smart home devices such as outdoor and doorbell cameras and motion detectors. More than 88% of burglaries happen in residential areas.When possible, its best to use work laptops instead of personal equipment, which may not have adequate antivirus software and monitoring systems in place. Workers should adhere to corporate-approved protocols, hardware and software, from firewalls to VPNs.Keep data on corporate systems and channels, whether its over email or in the cloud. The cyber-protections that employees depended on in the office might not carry over to an at-home work environment.Schedule more video conferences to keep communication flowing in a controlled, private environment.Avoid public WiFi networks, which are not secure and run the risk of remote eavesdropping and hacking by third parties.In addition to work-from-home strategies, companies should consider ways to ensure business cyber-resilience and continuity, says Tim Rawlins, Director and Senior Adviser for risk mitigation firm NCC Group. Given that cyber-resilience always relies on people, process and technology, you really need to consider these three elements, he says. And your plan will need to be adaptable as the situation can change very quickly.Employees and their employersSelf-isolation and enforced quarantine can impact both office staff and business travelersSelf-isolation and enforced quarantine can impact both office staff and business travelers, and the situation can change rapidly as the virus spreads, says Rawlins.Employees should be cautious about being overseen or overheard outside of work environments when working on sensitive matters. The physical security of a laptop or other equipment is paramount. Its also important to look at how material is going to be backed up if its not connected to the office network while working offline, says Rawlins.Its also a good time to test the internal contact plan or call tree to ensure messages get through to everyone at the right time, he adds.

Original post:
Beyond Encryption Tests Its Remote Working Policy In Face Of Covid19 | Security News - SecurityInformed

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human cognitive biases are at play. Most people have a long studied desire to prefer the status quo. If this is what was always thought, why think differently?

They are not the only groups of humans to stay anchored to old ways. For years nutritionists believed that all calories in food are the same, including all forms of sugar. This led to the conclusion that we might want to watch calories overall but sugar is great. Now that obesity is an epidemic and diabetes the fastest growing disease in the world, most professionals realize that too much sugar is bad. But even after it was discovered that Harvard medical researchers were paid to lie in studies about sugar, humanity is still almost totally ignoring this topic. Clearly there are cognitive bias issues here too.

The technology community is not immune to getting stuck with an opinion and not wanting to shift, even in the face of evidence. One of the big ones is that you need to use a personal VPN.

In 2010 it was good advice to recommend a VPN for personal use. But in my view, any technologist or security professional recommending that now should be ashamed for not keeping up with the enormous changes in technology over the last decade.

The rest of this post will dive a little deeper into the topic.

To summarize up front: For almost every use case, the only reason to use a VPN is if you are using one provided by a business that requires you to use it to access corporate resources. You do not need a VPN for your home or small business use, even when using public WiFi. Personal VPNs just dont add value to your security posture.

A sponsored piece at CNN says A VPN is vital when working from home. This piece, written in the form of a CNN article but apparently paid for by a VPN provider, claims that data that flows from your computer to the Internet is open and accessible to anyone who can intercept it (this statement is false). They also say that without a VPN, anyone with the right tools can intercept passwords, banking information and everything else you transmit (this is also a false statement).

CNET tells us that Anyone who wants to protect their privacy and security online should use a VPN. This myth is all over the place, especially on sites where companies that provide personal VPN services advertise.

Gizmodo asserts that: The benefits of virtual private networks, or VPNs, are well-documented: They keep you safer on public wi-fi This may have been true in 2010, but the technology of the Internet changed when Gizmodo wasnt watching.

Norton explains that: The encryption and anonymity that a VPN provides helps protect your online activities: sending emails, shopping online, or paying bills. Another 10 year old view.

The highly trusted Consumer Reports claims that Just about all security experts agree that using a VPN, or virtual private network, when youre accessing the internet via computer or phone is a good idea. In particular, a VPN is one of the easiest ways to avoid getting hacked while youre taking advantage of the free WiFi at an airport or library. (This is also a false statement. Additionally, saying Just about all security experts agree reminds me of More doctors smoke Camels.)

An Attorney with the Federal Trade Commission discussing VPNs asserts that: Public networks are not very secure or, well, private which makes it easy for others to intercept your data. This was once very true. But not quite right anymore.

You do not need to use a VPN if you are just trying to secure your personal Internet communications. If you have a well patched operating system and up to date applications, they already establish encrypted communications. This is just the way the Internet and computers work now.

VPN companies would gladly sell you a VPN even if you dont need one, but that may well just introduce more risk. And it does so while slowing your Internet connection and costing you money.

A decade ago having a VPN for your personal use was good advice. A savvy technologist could join a public WiFi network and capture packets and read information from other users, including logins, passwords, or even financial information, depending on what people were doing on the WiFi. Soon as a way of showing how this could be done was coded into a browser plugin called FireSheep. The author of this plugin, Eric Butler, did a great service for WiFi security. By showing these vulnerabilities he motivated significant changes.

Other attacks possible in the old days included ways to trick your browser into thinking an attacker is the ultimate destination. The attacker sits in the middle of comms between the user and the ultimate destination and breaks the encryption and replaces it with his own. This is a man-in-the-middle attack.

In part due to problems of unencrypted traffic and man-in-the-middle attacks, the technology of the Internet and devices and applications have changed pretty significantly.Changes in the way the Internet and our systems work include:

So, today Almost all web traffic is now encrypted. And ifan attacker tries a man in the middle attack against your web browsing session you will get a warning and the comms will stop. The warning varies from Chrome to Safari to FireFox but all now prevent this type of attack by checking to see if the certificate that set up the HTTPs encryption matches the correct version maintained in trusted stores online.

Here is what you will see if an attacker is on your public WiFi and tries a Man in the Middle Attack:

VPNs come with their own risk. There are risks that the VPN company you have picked are not protecting your traffic the way the promised. There are risks that they are logging your info in ways they claim they are not. If you think you are using a VPN to protect yourself from government surveillance, they may actually be making it easier on the government to surveil you. (the EFF provides many great references on some of the issues with VPNs, including here and here).

Nothing is ever perfectly safe (this is about managing risk). But since modern applications set up encrypted channels already, we are at the point where personal VPNs do not seem to add anything that reduces real risk.

As previously mentioned, there are reasons for companies to require a VPN for remote employees. This type of VPN can be used to help companies ensure governance over their data and ensure only authorized users are accessing corporate resources. These also help companies that want to search traffic for malicious code. This corporate VPN needs to be managed and updated of course (see recent CISA statement of corporate VPN vulnerabilities being exploited during the Coronavirus crisis). But in general it can be very smart for a corporation to use this method for access to corporate resources. There are new changes in the offing here too, and VPNs are not the answer to every corporate need (corporate technologists should be closely tracking developments in the software defined perimeter and zero trust worlds, including Googles Beyond Corp approach).

Many people recommend that journalists and activists and others operating overseas use a VPN, and there may be good reason to do this if operating in a hostile nation. However, the threat model there is very different. And in many cases, using a VPN there will just give a false sense of security. The hostile nation may well be reading all the VPN traffic and logs anyway. People in these situations need far more security than a VPN (including secure messaging systems).

Some people use VPNs so they can pretend to be using the Internet from a certain geography. This is certainly a good use case if you want to do that. But this does not add security.

But I have not seen any argument by a technologist familiar with how the Internet works today that says paying for a personal VPN makes sense for the average user or small business. It does nothing to improve your security or reduce risks in any meaningful way. In fact, it may actually introduce new risks.

How could it be that so many security professionals are out there right now advising people at home or small businesses to use a VPN? I can only imagine they have not kept up with how the architecture around them has been changing. And of course no VPN company is going to say they are not needed anymore. But the biggest reason is probably the same reason doctors promoted tobacco or we all thought sugar was ok. It is a bias towards the status quo by people who have not wanted to learn how the Internet has changed.

There are certainly many other important things to do to reduce risk.Chief among those things is using an up to date OS and up to date applications (see this list of tips to reduce personal risk and this list to reduce business risk).

And one final point: If the Chinese Ministry of State Security (MSS) or Russias Foreign Intelligence Service (SVR) wants to mount an effort against your Internet use, you have a different threat profile than most of us. But if you think a VPN will slow them down you are fooling yourself. If you need to mount a defense against them lets talk, we can help, but a VPN is not the thing that will save you from them.

Latest posts by Bob Gourley

Related

Originally posted here:
Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice - CTOvision

AUCKLAND, New Zealand, March 24, 2020 /PRNewswire/ -- MEGA The Privacy Company announced today that free 12 month PRO subscriptions would be available to teachers and students of verified educational institutions.

Stephen Hall, Executive Chairman of MEGA, said, "The encrypted cloud storage and chat provided by MEGA provides an excellent basis for continued teacher-student interaction, allowing effective remote learning."

Many educational institutions have closed in order to limit the spread of Covid-19. MEGA's platform provides the ideal features to allow students to continue their studies by connecting to teachers and teaching resources.

Recently a private school in Portugal quickly and easily shared folders to nearly 2,000 accounts, facilitating their remote learning activities.

MEGA is now offering all educational institutions free PRO accounts for all their teachers and students. This will allow them to

MEGA is available in Arabic, Chinese (Traditional and Simplified), Dutch, English, French, German, Indonesian, Italian, Japanese, Korean, Polish, Portuguese, Romanian, Russian, Spanish, Tagalog, Thai, Turkish, Ukrainian and Vietnamese.

Educational Institutions should apply to education@mega.nz

After verification of their status, MEGA will provide vouchers, or automatic upgrade for the verified domain, to give all their accounts free PRO status for 12 months, which provides 400 GB of file storage and 1 TB of transfer quota for every account.

*Note: The number of participants in multi-party chats depends on the quality of each user's internet connection. We recommend a maximum of 6 for full multi-party video.

An IT professional working for a Portuguese private school reported to MEGA:

"I'm writing this e-mail to compliment your service. I've created a free account last Friday to help teachers, parents and students to be able to share work while we are all at home because of the covid-19 pandemic. I've shared folders to almost 2,000 users and I must say it's impressive how Mega holds it together, it works flawlessly and every single person that created an account after I sent the invitations are very impressed. I'm here to congratulate you all on an amazing platform, the best I used so far and free. Keep up the excellent job and keep safe. Best regards from Portugal."

Store securely. Chat securely. See - https://mega.nz/pro

About MEGA

MEGA's end-to-end encrypted cloud storage and chat service has stored more than 72 billion files for over 170 million users in 250 countries / territories.

MEGA is accessible in multiple languages from desktop (Windows, macOS and Linux) and Android / iOS mobile apps.

User files are stored in secure facilities in Europe or in countries (such as New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR, depending where the user is based. No user files are stored in, or made available from, the United States of America.

MEGA The Privacy Companywas architected around the simple fact that cryptography, for it to be accepted and used, must not interfere with usability. MEGA is accessible without prior software installs and remains the only cloud storage provider with browser-based high-performance end-to-end encryption. Today, millions of business and personal users rely on MEGA to securely and reliably store and serve petabytes of data. We believe that this success is the result of MEGA's low barrier to entry to a more secure cloud.

Logo - https://photos.prnasia.com/prnh/20191219/2676241-1LOGO

SOURCE Mega Limited

Continue reading here:
MEGA Helps Education During Covid-19 with Free PRO Accounts for Teachers and Students - Yahoo Finance