Ring, everyone's least favorite technological narc, seems to be making steps to keep its footage secure.

The Amazon-owned home security system company now offers end-to-end encryption of the video and audio collected on its battery-powered video doorbells and security cameras. This comes about a year after it enabled end-to-end encryption on its plug-in devices.

End-to-end encryption prevents anyone from grabbing videos or messages as they travel between you and the person you're sending them to. That means it ensures that no one including hackers, government officials, or, ideally, the company that owns the device can read your message or watch your video while it's being sent.

This newly enabled privacy feature also means the video picked up from a Ring camera can only be accessible from the iOS or Android device linked to an owner's account. According to the Verge, if you have end-to-end encryption enabled on your Ring camera, no one but you can access the recorded footage. This change is basically increasing the security features on Ring, which already encrypts video and audio recordings by default when they're uploaded to the cloud or stored on Ring's servers.

"Even if law enforcement asked Ring, or its parent company Amazon, for the video, they couldn't provide it," according to the Verge. "Only the enrolled mobile device can unlock the video."

As Mashable previously explained, end-to-end encryption "basically takes your message, jumbles it up, sends it, and unjumbles it once it reaches your recipient. So anyone who tries to intercept your message in between you and your recipient just gets a bunch of mess instead of the message itself."

That doesn't mean your Ring video cameras are completely harmless or safe from bad actors, though. End-to-end encryption protects your privacy against anything trying to mess with your messages while they're in transit, but it doesn't protect the video metadata and also can't do anything about the recipient of your message sharing whatever information you send them.

And, ultimately, even with end-to-end encryption, there are plenty of problems tied to having a video camera doorbell like Ring.

See original here:
Amazon's Ring video doorbells now have end-to-end encryption but they're still unsafe - Mashable

FOUNTAIN VALLEY, Calif.--(BUSINESS WIRE)--Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., a world leader in memory products and technology solutions, today announced the release of the Kingston IronKey Keypad 200 (KP200), the industrys first drive to deliver the latest FIPS 140-3 Level 3 security for your data.

The IronKey Keypad 200 is built with robust protection and flexibility of use in mind offering XTS-AES 256-bit hardware-based encryption in a feature-rich and OS-independent alphanumeric keypad. KP200 incorporates a built-in rechargeable battery, so users can unlock the drive using the keypad for easy-to-use PIN access, without using software. Once unlocked, users can access their data by plugging the drive into any device that supports USB Type-A Flash storage, making it a plug-and-play device across IT ecosystems.

KP200 is FIPS-140-3 Level 3 (Pending) certified for military-grade security, and the drives circuitry is coated with tamper-evident, tough epoxy to prevent access to its internal components without damaging them. For another level of protection, the keypad is coated with a protective polymer layer to prevent the analysis of fingerprints on the keys.

KP200 supports a multi-PIN option, allowing the use of separate Admin or User PINs. KP200 locks the User PIN after ten failed login attempts, but if both PINs are enabled the Admin can be used to restore a User PIN and access to the drive. If the Admin PIN itself is incorrectly entered ten times in a row, the built-in Brute Force attack protection will crypto-erase the drive, permanently destroying the data and resetting the device. Additionally, KP200 can safeguard against malware from untrusted systems with two different Read-Only modes, empowering Admin to write-protect the drive during a specific session or globally across all User sessions.

The Kingston IronKey KP200 is the first drive to successfully pass certification lab testing for the latest FIPS 140-3 Level 3 military-grade security level from NIST, said Richard Kanadjian, encrypted unit manager at Kingston. With no need for software and ease of use of the keypad, KP200 is the best solution for those looking for flexibility while maintaining the highest-level security for storing sensitive data on the go.

KP200 adds security enhancements for FIPS 140-3 Level 3:

- Minimum PIN length goes from 7 to 8 digits (max is 15) for stronger PIN security- No factory-preset PIN User must set up PIN upon first use- Periodic self-testing to ensure fully-functional security features KP200 will shut down if a problem is detected- Automatic shutdown under excessive thermal and voltage conditions- Enhanced Random Number Generator to strengthen encryption key generation

The Kingston IronKey Keypad 200 has available storage capacities ranging from 8GB - 128GB and is backed by a limited three-year warranty, with free technical support, and the legendary Kingston reliability. For more information, visit kingston.com.

Kingston IronKey Keypad 200

Part Number

Capacity

IKKP200/8GB

8GB IronKey Keypad 200

IKKP200/16GB

16GB IronKey Keypad 200

IKKP200/32GB

32GB IronKey Keypad 200

IKKP200/64GB

64GB IronKey Keypad 200

IKKP200/128GB

128GB IronKey Keypad 200

Kingston IronKey Keypad 200 Features and Specifications:

Kingston IronKey Keypad 200 incorporates DataLock Secured Technology licensed from ClevX, LLC. http://www.clevx.com/patents

1 Some of the listed capacity on a flash storage device is used for formatting and other functions and thus is not available for data storage. As such, the actual available capacity for data storage is less than what is listed on the products. For more information, go to Kingstons Flash Memory Guide.2 Speed may vary due to host hardware, software, and usage.3 Product must be clean and dry before use.4 Compatible systems.

About Kingston Technology Company, Inc.

From big data, to laptops and PCs, to IoT-based devices like smart and wearable technology, to design-in and contract manufacturing, Kingston helps deliver the solutions used to live, work and play. The worlds largest PC makers and cloud-hosting companies depend on Kingston for their manufacturing needs, and our passion fuels the technology the world uses every day. We strive beyond our products to see the bigger picture, to meet the needs of our customers and offer solutions that make a difference. To learn more about how Kingston Is With You, visit Kingston.com.

See the original post:
Kingston Announces Hardware-Encrypted IronKey Keypad 200 USB Drive - Business Wire

There are some excellent, well-tested virtual private networks we recommend you try. But if you're exploring the competitive market of VPNs on your own, you're likely to find some shoddy VPNs companies that scatter hints of their dubiousness everywhere they go. Learning to identify a few of these red flags can save you hours of research and a hefty annual subscription cost for supposedly getting connected to the internet more securely.

Is the price too good to be true? Has the company been caught keeping logs? How are your connection speeds?

To save you time, here are a few of the biggest red flags to watch out for when taking your new VPN out for a test drive. And on the flip side, here are three things to look for in a VPN.

Read more: Best iPhone VPN of 2022

There's no such thing as a free lunch. Maintaining the hardware and expertise needed for large VPN networks isn't cheap. As a VPN customer, you either pay for a premium service with your dollars, or you pay for free services with your usage data when it's collected by the free VPN and bargained away to advertisers or malicious actors.

As recently as August 2019, 90% of apps flagged as potentially unsafe in Top10VPN's investigation into free VPN ownership still posed a privacy risk to users. Free VPNs can also leave you open to quiet malware installation, pop-up ad barrages and brutally slow internet speeds.

Read more: Best Free VPN 2022: Try These Risk-Free Services for a Privacy Boost

If a VPN is caught keeping or sharing user activity logs, I won't recommend it. While most VPN services claim they don't track or keep logs of user activity, that claim can sometimes be impossible to verify. In other instances, the claim falls apart publicly when a VPN company hands over internet records to law enforcement.

The latter has happened in a few cases. EarthVPN, Hide My Ass VPN and PureVPN have all been clocked by privacy advocates for handing over logs to authorities, as hasIPVanish.

To be clear, it is entirely possible to be grateful for the arrest of reprehensible scumbags while ardently advocating for consumer privacy interests. My beef isn't with any VPN company helping cops catch a child abuser via usage logs; it's with any VPN company that lies to its customers about doing so. The lie that helps law enforcement in the US catch a legitimate criminal is the same lie that helps law enforcement in China arrest a person watching footage of the 1989 Tiananmen Square protests.

Ideally, the VPN you choose should have undergone -- and published the results of -- an independent third-party audit of its operations, including its use of activity logs.

Read more: All the VPN Terms You Need to Know

Now playing: Watch this: Top 5 Reasons to Use a VPN

2:42

Another red flag to watch for when choosing a VPN is shoddy encryption standards. Users should expect AES-256 encryption or better from VPN services. Nearly every web browser and app already uses AES, often touted as "military-grade" encryption, after it was adopted by the US government in 2002. If your VPN only offers PPTP and L2TP encryption, look elsewhere.

While you're snooping around for encryption details, keep an eye out for one of our favorite phrases, "Perfect Forward Secrecy." Those three little words can have a hefty impact on your privacy: If one of your VPN's servers is ever breached, Perfect Forward Secrecy ensures that any keys used to decrypt private internet traffic quickly become useless -- giving you more security.

Read more: How We Evaluate and Review VPNs

With just a little bit of elbow grease, any moderately skilled internet jerk can throw together a service that looks like a VPN but is actually little more than a proxy service reselling your internet bandwidth. Not only can that slow your internet speed, it could potentially leave you on the legal hook for whatever they do with that resold bandwidth.

Hola's case was the most famous. The company was caught in 2015 quietly stealing users' bandwidth and reselling it to whatever group wanted to deploy its user base as a botnet. Hola CEO Ofer Vilenski admitted it'd been had, but contended this harvesting of bandwidth was typical for this type of technology.

Read more:How to Set up a VPN on our iPhone or Android Phone: Yes, You Need One

"We assumed that by stating that Hola is a (peer-to-peer) network, it was clear that people were sharing their bandwidth with the community network in return for their free service," he wrote.

Nearly all VPNs slow your browsing speed, some by as much as half. But a brutal crawl can be a sign of something worse than a simple lack of servers. So if being pressed into service as part of a botnet isn't your cup of tea, double-check those suspiciously slow speeds and the reputation of the VPN you're paying for.

For more VPN buying advice, here's how to pick the right VPN for your work-from-home setup. Plus, why we don't recommend US-based VPNs, and three things a VPN can't help you with.

See the rest here:
Beware, That VPN May Not Be What You Think It Is - CNET

Added A New Report On Email Encryption Software Market That Provides A Comprehensive Review Of This Industry With Respect To The Driving Forces Influencing The Market Size. Comprising The Current And Future Trends Defining The Dynamics Of This Industry Vertical, This Report Also Incorporates The Regional Landscape Of Email Encryption Software Market In Tandem With Its Competitive Terrain.

Theresearch reporton the Email Encryption Software market includes crucial information on recent events that will havean impact on the industry dynamics between 2022 and 2026, thereby assisting stakeholders and investors in making informed decisions. Additionally, it offers a thorough examination of the major market divisions, looks at the problems that rival firms confront, and place particular emphasis on the regional context.

In essence, the study presents a thorough analysis of the regional and competitive environments, along with relevant driving forces. Lastly, the impact of COVID-19 outbreak on this marketplaceisextensively documented.

Request Sample Copy of this Report @ https://www.newsorigins.com/request-sample/61564

Important pointers from COVID-19 impact analysis:

Regional analysis overview

Other crucial aspects in the Email Encryption Software market report:

FAQs

Key insights this study will provide:

Request Customization for This Report @ https://www.newsorigins.com/request-for-customization/61564

View post:
Comprehensive Analysis on Email Encryption Software Market based on types and application - NewsOrigins

Constantine JohnnyGetty Images

To say we all text or at least know about texting is an understatement. Most of us use apps such as Apples iMessage for iPhone users or WhatsApp to send our messages. However, that doesnt mean the 1992-born classic SMS (short message service) is dead, even if Google wants it to be.

Dont miss our latest tech news. Learn more with usjoin Pop Mech Pro.

Cue up the RCS vs. SMS debate and Googles shaming of Apple, trying to persuade the digital giant to drop SMS altogether and join Android users in the RCS world. So whats the difference, you may ask. While we may all just see green and blue bubbles, theres more behind the scenes.

That 160-character limit, thats SMS. Debuting in 1992, SMS enabled mobile devices to do more than just talk. It introduced an entirely new world of communication with the text message. The limits of SMS are byproducts of its age, even with the early 2000s introduction of MMS (multimedia messaging service) that introduced the ability to send small files of multimedia (think low-resolution photos or video snippets). After all this time, you can point to many age-induced drawbacks of SMS: a limit on media types supported; no messaging with Wi-Fi since it relies on a cellular connection; and a frustrating mess of additional problems, such as difficulties with group chats, a lack of read receipts, and none of those fancy bouncing dots letting us know somebodys cooking up a new message.

Add the fact that SMS texts arent secure, and the billions of SMS messages sent every day in the U.S. alone causes concern about privacy more than features.

Because of the lack of encryption, hackers can search for weak points anywhere along the virtual path between the sender and receiver, which includes a ton of different network devices and computing systems at many different providersonly one of which needs to be exploited via technical vulnerability, misconfiguration, social engineering or insider attack, says Christopher Howell, CTO of Wickr.

Still, many of us send most of our messages in over the top applications such as WhatsApp, iMessage, WeChat and others, that use internet protocols rather than the cellular networks used by SMS to transmit messages. This adds a stiffer layer of encryption and security, but it also ups the ability to bring in feature-rich add-ons that make the messaging more modern, even if it requires the person youre messaging to be using the same service as you.

Call it a rich communication system. Or, RCS, for short. The GSM Association, a trade group representing mobile networks, spent more than a decade fine-tuning RCS before it made its official debut in 2016. Its an attempt to provide an app-like service for what was the SMS market. And Google has embraced it, saying that Android phones now running RCS can easily text as if they were in these feature-welcoming apps, sending high-resolution photos and videos, emoji reactions, end-to-end encryption (for individual, not group, conversations), read receipts, and more.

Google believes RCS solves the problems associated with SMS.

With its reliance on iMessage, Apple still offers SMS for texting features when you message outside of this app (i.e. when Apple users must resort to a green-bubble conversation with an Android user).

Google wants that to change, saying that Apple refusing to adopt the modern RCS standards is holding back the world of texting. In fact, Google has created an entire public relations campaignGet The Messagesurrounding that effort.

Everyone should be able to pick up their phone and have a secure, modern messaging experience, writes Elmar Weber, a Google engineer, as part of the campaign. Anyone who has a phone number should get that, and thats been lost a little bit because were still finding ourselves using outdated messaging systems.

Of course, Googles big push to persuade everyone else to adopt RCS is self-serving, since it has adopted RCS for its own Messages app. Apple has been either silent or non-committal on dropping SMS for RCS. Detractors of RCS say it may fix some issues, but doesnt solve them all. In fact, RCS comes with its own drawbacks, they say, such as the fact that end-to-end encryption only works in one-on-one conversations, and that RCS has a propensity for opening the doors to spam messages.

Add in Apples blue-bubble domination, and the company has no real incentive to play nicely outside of its own sphereand certainly not if it creates a more seamless transition away from an iPhone and into an Android device.

Of course, Apple isnt the only non-RCS giant out there. WhatsApp, basically the global leader in messaging apps outside of the United States, is non-RCS compliant. Google isnt going after them.

Benedict Evans, an independent technology analyst, wrote on Twitter that when a company that lost (and Google has lost messaging, but mostly to FB [Facebooks parent company Meta owns WhatsApp], not Apple) asks a company that won to adopt a standard that it doesnt look like anyone uses, one should probably be a little cynical.

See the article here:
What Is RCS Messaging and Why Is Google Pushing Apple To Use It? - Popular Mechanics

Blog

September 06, 2022

Computer data exists in different states at different times: data in transit (information flowing through a network); data in use (active data that is being accessed and manipulated by a computer program); and data-at-rest, known as DAR, or data that is physically housed in a storage device like a solid-state drive. Many cybersecurity solutions focus on securing data in transit and data in use, but neglect securing DAR.

President Bidens Executive Order on Improving the Nations Cybersecurity, enacted on May 12, 2021, directs all branches of the federal government to improve their resilience to cybersecurity threats. This order directly calls out the need to secure data-at-rest (DAR) with encryption and multi-factor authentication (MFA).

MFA requires a user to provide multiple pieces of evidence that combine to verify a users identity. Depending on the application, MFA may be required at login or perhaps when trying to access an application or even a particular folder or file. MFA combines two or more independent credentials: what the user knows (password, for example), what the user has (an authentication app, for example), and what the user is (biometric palm vein scan, for example). Since most MFA implementations use two factors, its often called two-factor authentication, or 2FA.

There are five important considerations when protecting your data with MFA.

1. Understand the sensitivity of your data:First, note that not all data is subject to the same levels of protection. In the U.S., since all federal departments are part of the executive branch, the data-classification system is governed by executive order rather than by law. As of 2009, information may currently be classified at one of three levels: confidential, secret, and top secret. Subsequent executive orders may change these classifications and the levels of protection associated with each classification.

2. Use self-encrypting drives:Sensitive data needs to be encrypted, executive orders notwithstanding. Self-encrypting drives (SEDs) encrypt data as its written to the drive, which has a self-contained drive encryption key (DEK). The key and encryption process are transparent to users.

SEDs encrypt everything on the drive, which is called full-disk encryption (FDE), including operating system (OS), applications, and data. On-drive encryption is called hardware FDE (HWFDE) and uses an embedded encryption engine (EE), which should provide 256-bit AES encryption.

An SED should adhere to the TCG Opal standard, a secure standard for managing encryption and decryption in the SED. SEDs are often certified to Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST). For example, a FIPS 140-2 L2 certification assures that the SEDs EE has been properly designed and secured; the L2 ensures that there is visible evidence of any attempt to physically tamper with the drive.

The National Information Assurance Partnership (NIAP) is responsible for the U.S. implementation of the Common Criteria (CC), an international standard (ISO/IEC 15408) for IT product security certification. CC is a framework that forms the basis for a government-driven certification scheme required by federal agencies and critical infrastructure.

3. Employ pre-boot authentication:A designated security officer or administrator will define the user roles and identity management used to authenticate access to the SED. The password security that forms part of an OS is notoriously weak and subject to hacking, so the first level of authorization acquisition (AA) should occur prior to the booting of the OS, in which case it is known as pre-boot authentication (PBA).

Each user should have an individually assigned password, which authorizes the SED to use its cryptographic key to unlock the data. The security officer should have the ability to add new users and revoke access to existing users. When a users access is revoked, that user wont even be able to boot the OS.

A more robust PBA implementation will include MFA.

4. Multi-factor authentication methods:In addition to a username/password, MFA requires another form of authentication. One approach is to use a security dongle, such as a YubiKey, containing a license key or some other cryptographic protection mechanism that the user plugs into a device USB port. The U.S. Department of Defense (DoD), including civilian employees and contractor personnel, uses a smartcard called the common access card (CAC), in which case the computer must be equipped with a physical card reader.

Other MFA methods include applications, often on smartphones, that provide a one-time code synced to the device or system asking for authentication. Also taking advantage of the ubiquity of smartphones is an SMS-based system that will include a one-time code in a text message.

5. Provide the ability to destroy the data:There are various scenarios in which it may be necessary to destroy any data stored on the SED. A benign case is when an organization decides to upgrade its computers and/or drives, transfer computers and/or drives within the organization, or dispose of or recycle the computers and/or drives outside the organization. A worst-case scenario is when an unauthorized entity gains control of the drive with the intent of accessing the data.

Using standard operating system-based delete functions to remove files and folders is not sufficient because experienced hackers can still retrieve some or all the data. SEDs that are used to store confidential data should support special hardware functions to perform secure erase (write zeroes into every area where data is stored on the drive) and crypto erase (wipe any cryptographic keys stored on the drive, thereby rendering any encrypted data stored on the drive unreadable and useless to a bad actor).

To address the worst-case scenario, the organizations designated security officer should have the ability to define erase procedures to be automatically initiated by the drive itself; for example, failing AA a specified number of times should cause the drive to self-erase.

In the case of a SED equipped with appropriate PBA, any data stored on the disk will essentially be invisible until AA has taken place, thereby preventing bad actors from cloning the drive to circumvent the restricted number of permitted attempts at AA.

To sum up

Some organizations mistakenly assume that employing MFA such as fingerprint scans or facial recognition after the OS has booted offers a high level of confidence. However, once the OS has booted, any data on its drives is exposed to sophisticated hackers or potentially nation-state bad actors.

The highest levels of confidence and security are achieved by using MFA as part of a PBA environment implemented using HWFDE realized on a FIPS + CC certified and validated SED. (Figure 1.)

[Figure 1|An example of a secure solid-state drive, part of the Citadel family of secure data storage. Photo courtesy CDSG.]

CDSG directorof marketing Chris Kruell leads the sphere of marketing activities, including corporate branding, corporate and marketing communications, product marketing, marketing programs, and marketing strategy. Chris previously was VPofmarketing at ERP-Link and hardware startup Lightfleet. He was a marketing director at Sun Microsystems andheldseveral marketing positions in the high-tech industry. Chris holds a BSdegree from Cornell University and an MA degree from Hamline University.

CDSG (CRU Data Security Group) https://cdsg.com/

Read more here:
GUEST BLOG: Five steps to take when securing your data with multi-factor authentication - Military Embedded Systems