The FBI Forced A Suspect To Unlock Amazon’s Encrypted App Wickr With Their Face – Forbes

A warrant allowed FBI agents in Tennessee to force a suspect to unlock his encrypted Amazon messaging app, Wickr, with his face. It's an unprecedented move by the feds.

In November last year, an undercover agent with the FBI was inside a group on Amazon-owned messaging app Wickr, with a name referencing young girls. The group was devoted to sharing child sexual abuse material (CSAM) within the protection of the encrypted app, which is also used by the U.S. government, journalists and activists for private communications. Encryption makes it almost impossible for law enforcement to intercept messages sent over Wickr, but this agent had found a way to infiltrate the chat, where they could start piecing together who was sharing the material.

As part of the investigation into the members of this Wickr group, the FBI used a previously unreported search warrant method to force one member to unlock the encrypted messaging app using his face. The FBI has previously forced users to unlock an iPhone with Face ID, but this search warrant, obtained by Forbes, represents the first known public record of a U.S. law enforcement agency getting a judge's permission to unlock an encrypted messaging app with someone's biometrics.

According to the warrant, the FBI first tracked down the suspect by sending a request for information, via an unnamed foreign law enforcement partner, to the cloud storage provider hosting the illegal images. That gave them the Gmail address the FBI said belonged to Christopher Terry, a 53-year-old Knoxville, Tennessee resident, who had prior convictions for possession of child exploitation material. It also provided IP addresses used to create the links to the CSAM. From there, investigators asked Google and Comcast via administrative subpoenas (data requests that don't have the same level of legal requirements as search warrants) for more identifying information that helped them track down Terry and raid his home.

When they apprehended Terry, the FBI obtained his unlocked phone as well. But there was a problem: His Wickr account was locked with Apple's Face ID facial recognition security. "By the time it was made known to the FBI that facial recognition was needed to access the locked application Wickr, Terry had asked for an attorney," the FBI noted in its warrant. "Therefore, the United States seeks this additional search warrant seeking Terry's biometric facial recognition to complete the search of Terry's Apple iPhone 11."

After the FBI successfully forced Terry to use his face to unlock his Wickr account, Terry was charged in a criminal complaint with distribution and possession of CSAM, but has not yet offered a plea. His lawyer did not respond to a request for comment at the time of publication.

Amazon's Wickr hadn't provided comment at time of publication. The FBI, Google and Comcast did not immediately respond to a request for comment.

Forcing people to unlock encrypted messaging with their biometrics is unprecedented and controversial. That's because of an illogical quirk in U.S. law: Courts across the U.S. have not allowed investigators to compel people to hand over a passcode for phones or apps, but they have allowed them to repeatedly unlock phones using biometrics. That's despite the obvious fact that the result is the same.

Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society in New York City, says this is because American law hasn't caught up with the technology. Passcodes, unlike biometric information, are legally considered testimonial, and citizens are not obliged to provide such testimony because the Fifth Amendment protects you from self-incrimination. But body parts are, by their nature, not as private as a person's thoughts, Greco notes.

"Most courts are going to find they can force you to use your face to unlock your phone because it's not compelling you to speak or incriminate yourself... similar to fingerprints or DNA," Greco says.

But he believes there will soon be enough diverging case law for the Supreme Court to have to decide whether or not compelled facial recognition unlocks are lawful. "We're trying to apply centuries-old constitutional law that no one could have envisioned would have been an issue when the laws were written," he says. "I think the fight is coming."

There has been some pushback over such biometric unlocks from judges in some states. That includes two 2019 cases in California and Idaho, where the police wanted to force open phones inside properties relevant to the investigations. The judges in those cases declared biometric data was, in fact, testimonial, and law enforcement couldn't force the owners of those phones to use their faces to unlock them.

But last year, Forbes revealed the Justice Department was continuing to carry out such searches. It had also adopted new language in its warrants that said suspects have a legal right to decline to tell law enforcement whether it's your face, your finger, or your eye that unlocks your phone. But even if you don't say what will unlock your phone, the DOJ said investigators could unlock your device by simply holding it up to your face or pressing your finger to it.

The search also comes after years of campaigning by the FBI to have tech giants provide more assistance in providing access to encrypted data. Since the 2015 San Bernardino terrorist attack, where the Justice Department demanded Apple open the shooter's iPhone, that debate has intensified. The warrant, however, shows the government does have some techniques it can use to find criminals using the likes of Wickr and its encrypted data.

For now, Greco says the best way a person can protect themselves from such searches is to lock a device with a complex passcode rather than a face. It's possible to do the same with Wickr by disabling Touch ID or Face ID.


Why financial institutions can't bank on encryption – Global Banking And Finance Review

Simon Mullis, Chief Technology Officer at Venari Security

The past few years have seen a marked increase in geo-political tensions and emerging cyberattacks, keeping security teams on their toes. One of the most significant security threats, however, is already hiding in plain sight, remaining undetected within encrypted traffic. A major target for these attacks is the UK's Critical National Infrastructure (CNI), and defending against them should be an urgent priority for the finance industry.

The National Cyber Security Centre's definition of UK CNI comprises 13 sectors: the essential systems, processes, people and information needed for the country's infrastructure. Importantly, the loss or compromise of each organisation could result in damaging and extensive impacts to the economy or to society. Although the first essential systems that come to mind may be power grids or water supplies, the finance sector also includes many organisations which provide essential services. Whether it be cash withdrawals and deposits, digital wire transfers, loan applications or investments, they are all relied on daily and must be treated in the same way. This results in a real responsibility for banks and financial institutions to ensure their systems are secure, with equally real consequences for failing to do so.

If attacks on CNI are only increasing, what does this mean for financial institutions, and more importantly, how can they ensure they are guarding against them? Let's consider the risks cyberattacks pose to CNI, as well as the actions the finance sector can take to protect its customers, their data, and financial assets.

The cybersecurity risks to CNI

One of the most recent high-profile CNI attacks that the finance industry must analyse and ensure is guarding against is the Colonial Pipeline ransomware incident, which took place in May 2021. The pipeline operator reported that a cyberattack had forced the company to temporarily shut down all business functions.

What is particularly significant about this attack is that it was simply an exposed username/password that allowed the attackers to gain access. Once in, their activity was end-to-end encrypted just like all the other traffic. Vast swathes of the US were affected, with 45% of the East Coast's fuel operations halted as a result.

In this case, despite the organisation protecting its data with strong encryption standards, attackers were able to enter the network through a legitimate, encrypted path and thus rendered many of the countermeasures ineffective. With the operators unaware of any anomalous activity on their networks, the intruders had all the time they needed to assess the system and get organised.

This presents a dilemma for CNI sectors, especially finance, where interactions and operations have to be encrypted.

Encryption is no longer enough

As happened in the Colonial Pipeline incident, the use of end-to-end encryption enabled attackers to conceal themselves in legitimate traffic. While critical to support data privacy and security in the event of breaches, end-to-end encryption renders many established means of detection ineffective.

Most defence methods still rely heavily on decryption and relatively rudimentary analysis to detect when traffic might be known-bad or deviating from expected patterns. The volume and speed of encrypted data now passing across networks means that it is impossible to detect everything with processes and techniques requiring this type of inspection.

And indeed, this is not a cutting-edge approach by cybercriminals. In the first three quarters of 2021 alone, threats over encrypted channels increased by 314% on the previous year. If organisations continue to use the same inadequate detection techniques to uncover malicious activity on their network, the rate of attacks using encrypted traffic will continue to grow at this rate or higher.

The security industry has long understood that breaches are "not if, but when" scenarios. And the current global climate, sparking a rise in nation-state attacks, undoubtedly increases the threat level further for CNI and especially for sensitive sectors such as finance.

Going beyond decryption to gain visibility

Financial institutions must strike a careful balance when it comes to security. On the one hand, it is vital they gain back the visibility of their networks that end-to-end encryption might be concealing; on the other, it's a necessity that they maintain a level of encryption in the first place.

Decryption is too cumbersome and time-consuming an approach now that our entire networks are encrypted, both data at rest and in motion, and organisations can only hope to keep up if they monitor for aberrant behaviour and malicious activity in their traffic without having to rely on decryption.

The solution? Security teams need to look towards using behavioural analytics to detect what is happening within encrypted traffic flows. A combination of machine learning and artificial intelligence, behavioural analytics can analyse encrypted traffic in near real-time without decryption. By accurately distinguishing normal from anomalous behaviour, it significantly increases the rate and speed at which malicious activity concealed in encrypted traffic can be detected, whilst ensuring data remains private.

Security teams can then react immediately to contain the threats it identifies rather than responding after the fact, when banks might only realise that an attack has taken place after a customer has experienced a breach.
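One way to illustrate behavioural analytics over encrypted traffic, as an added example that is not Venari Security's product or any code from the article: only the metadata visible on a TLS session (endpoints, SNI, byte counts, duration) is scored against each host's own history, never the payload. The flow records are constructed, and the thresholds are assumptions chosen for the demonstration.

```python
"""Anomaly detection over encrypted-flow metadata, without decryption.

Added example (not the article's or Venari Security's code). The flow
records below are constructed; MAD_K and EGRESS_RATIO are illustrative
assumptions, not tuned values.
"""
from collections import defaultdict
from statistics import median

# Constructed TLS flow records:
# (src_host, dst_ip, tls_sni, bytes_out, bytes_in, duration_seconds)
FLOWS = [
    ("ws-17", "203.0.113.10", "crm.example.bank", 4_100, 52_000, 12),
    ("ws-17", "203.0.113.10", "crm.example.bank", 3_900, 48_000, 9),
    ("ws-17", "203.0.113.10", "crm.example.bank", 4_400, 61_000, 15),
    ("ws-17", "203.0.113.10", "crm.example.bank", 4_000, 50_500, 11),
    ("ws-17", "203.0.113.10", "crm.example.bank", 4_250, 55_000, 10),
    # A large encrypted upload to a never-before-seen host: the shape a
    # credential-based intrusion hiding inside TLS would present, with
    # nothing in the payload available to inspect.
    ("ws-17", "198.51.100.7", "cdn-sync.example.net", 310_000_000, 12_000, 1800),
]

MAD_K = 6.0          # assumption: robust z-score above which egress is abnormal
EGRESS_RATIO = 5.0   # assumption: bytes_out / bytes_in ratio treated as upload-heavy


def robust_baseline(values):
    """Median and scaled median absolute deviation of a sample.

    The 1.4826 factor makes the MAD comparable to a standard deviation
    for normally distributed data while staying resistant to outliers.
    """
    m = median(values)
    mad = median(abs(v - m) for v in values) * 1.4826
    return m, mad


def detect(flows, mad_k=MAD_K, egress_ratio=EGRESS_RATIO, min_history=5):
    """Score each flow against the source host's earlier flows only.

    Returns a list of (flow_index, reasons) for flows that deviate. A
    baseline is used only once the host has min_history prior flows, so
    the first flows of a host build the profile rather than alert on it.
    """
    history = defaultdict(list)   # src -> bytes_out of earlier flows
    seen_dst = defaultdict(set)   # src -> destinations already contacted
    alerts = []
    for i, (src, dst, sni, b_out, b_in, secs) in enumerate(flows):
        reasons = []
        hist = history[src]
        if len(hist) >= min_history:
            m, mad = robust_baseline(hist)
            if mad > 0 and (b_out - m) / mad > mad_k:
                reasons.append(
                    f"egress {b_out}B is {(b_out - m) / mad:.0f} MADs above "
                    f"baseline {m:.0f}B over {secs}s")
            if dst not in seen_dst[src]:
                reasons.append(f"first contact with {dst} (SNI {sni})")
        if b_in > 0 and b_out / b_in > egress_ratio:
            reasons.append(f"upload-heavy: out/in ratio {b_out / b_in:.0f}")
        if reasons:
            alerts.append((i, reasons))
        hist.append(b_out)
        seen_dst[src].add(dst)
    return alerts


if __name__ == "__main__":
    for idx, reasons in detect(FLOWS):
        print(f"flow {idx} {FLOWS[idx][0]} -> {FLOWS[idx][1]}")
        for r in reasons:
            print("   ", r)
```

Only the sixth flow is reported, on three independent metadata signals, while the five routine CRM sessions that precede it establish the baseline without raising anything.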

Not a threat, but a reality

As the geo-political landscape becomes more treacherous, and society, even more interconnected, critical infrastructure attacks will only increase, with financial services a major target.

Security teams can no longer bury their heads in the sand, as these attacks may not be a looming threat, but an existing issue, hidden by the very encryption they've relied on. Acting now is key, otherwise the risks posed by an attacker will only increase.


What is Azure VPN, and how does it work? – TechRadar

Microsoft's Azure VPN offers two kinds of products: Point-to-Site (P2S) and Site-to-Site (S2S). Site-to-Site VPN is a form of cloud VPN, while Point-to-Site is an example of remote VPN. For a refresher on the two product types, you can read our comparison piece.

Azure VPN will encrypt your corporate network communications with military-grade AES-256 encryption, regardless of which product you choose. This level of security ensures that your sensitive corporate data remains safe while in transit between networks, or to and from remote workers' PCs.

This article will discuss the appropriate use cases for each Azure product, describe their unique features, and explain pricing and customer support options.

If you've ever worked from home in an office setting, you probably used Point-to-Site VPN. P2S VPN encrypts communication between remote workers' devices and your corporate server by creating a secure communication corridor called a tunnel.

Tunnels encrypt information at one end, then decrypt it at the destination. This allows remote workers to safely access business apps and sensitive customer information from home. P2S VPN tunnels are temporary, and can open or close as required, when employees log on and off from the corporate network.

Site-to-Site VPN works quite differently. It also creates a tunnel, but the tunnel is always active and optimized for large volumes of data. These permanent tunnels can send large volumes of encrypted information back and forth between two or more corporate networks. An example of two sites that need to communicate this way could be a head office in New York communicating with a satellite branch in LA, or two corporate head offices in Europe and Asia exchanging information.

Which of these products makes sense for you will depend on your business needs. A group of geographically remote research sites with a central database and only in-office staff may need a Site-to-Site VPN. In contrast, a small business with just one location but several remote workers may opt for Point-to-Site. You will need both if you run a large enterprise with remote staff and multiple branch offices.

When selecting a corporate VPN, there are many options for both Site-to-Site and Point-to-Site solutions. For instance, in addition to Azure, Perimeter 81 and Amazon AWS VPN offer both product types. You can read our Perimeter 81 Business VPN Alternative Review and What is AWS VPN articles for more information on these two providers.

Azure VPN's products have many advantages over the competition. Firstly, Azure doesn't charge upfront for the use of its VPN gateways. S2S and P2S VPNs use a VPN gateway to encrypt and decrypt communications. Some gateways can handle Site-to-Site connections, while others are designed for Point-to-Site. How many connections a gateway can handle and of what type varies by provider.

Many VPN providers charge a flat fee per VPN gateway, and an additional per-hour cost based on usage. Azure charges are purely by the hour. Additionally, Azure's gateways can handle both P2S and S2S connections, offering even more flexibility.

Azure's pricing is per hour and based on the size of the VPN gateway you need. Gateways can create Site-to-Site and Point-to-Site tunnels.

For P2S connections, remember that the number of tunnels can fluctuate throughout the day, as various devices connect and disconnect. Be sure to buy a big enough gateway to handle your traffic at peak time. Otherwise, employees may have trouble logging in during the busiest time of the day.

Consult the chart below for an overview of Azure's pricing. Note that although prices are shown by the hour, Azure's billing is monthly, billed on the day of the month that you activated your account.

As you can see, pricing varies considerably based on the number of connections you need, and the amount of data going through your system at any given moment. Pay attention to your bandwidth needs, the number of remote employees you have, and the number of Site-to-Site connections you have to establish.

Azure's Basic customer support package, included for all customers, provides access to the self-service knowledge base and support ticket system. There are no guarantees for response time on support tickets on the Basic tier, and Basic support customers are last in line behind all paying support plan holders.

Limited free support is normal for cloud VPN providers, and Azure stands out by simply having a free support option that isn't entirely self-service. Paid plans start at $29/month for trial and non-production environments, and go up to $1000/month for one-hour critical case response time, plus a dedicated consultant.

Azure offers two powerful cloud-based VPN solutions for Site-to-Site and Point-to-Site VPN. Its scalable pricing, with no upfront fees for gateways, and 99% uptime on P2S systems, allows for an impressive degree of flexibility when building a P2S, S2S, or hybrid solution.

Azure's customer support options are limited and expensive, but this is normal for a cloud VPN provider. If you need encrypted access for remote employees, or want to securely connect a set of remote networks together, Microsoft Azure VPN is a robust option.

To learn more about business VPNs, see our picks for best business VPN, and read our choices for the best VPN service providers overall.

TechRadar created this content as part of a paid partnership with Perimeter 81. The contents of this article are entirely independent and solely reflect the editorial opinion of TechRadar.


Types Of Data Security Compliance And Why They’re Important – Information Security Buzz

Every business has data that it needs to protect against any breach or hacking attempt. The types of data today's businesses store include sensitive customer information, financial data, and confidential agreements or trade secrets. In order to protect this data, businesses are making sure that their internet-facing assets are secured and follow certain data security regulations. These regulations are known as data security compliance standards.

There are many different types of data security compliance standards, but each one is important in protecting your business's sensitive information. This blog post will discuss why data security compliance is important and what the different types of compliance standards are for global organizations that rely on the internet.

What is Data Security?

Data security is a subset of cybersecurity. It is implemented to protect any electronic information (at rest or in transit) against unauthorized access.

This can include physical security, which protects against theft of equipment and data, as well as logical security, which protects against hacking and other cyber attacks. Data security is important for businesses of all sizes, as it can help to prevent data breaches that could lead to identity theft, financial loss, and reputational damage.

What is Security Compliance?

Security compliance is a set of guidelines that businesses must follow in order to ensure the safety of their data. These guidelines are put in place by governments and recognized standards organizations. They can include standards for how data is collected, stored, and transmitted, as well as requirements for employee training and security measures.

Who Needs Security Compliance?

Why is Compliance Important for businesses?

Compliance with data security regulations is important for businesses because it helps to protect their sensitive information from unauthorized access. By following the guidelines set forth in these compliance standards, businesses can help to prevent data breaches that could lead to identity theft, financial loss, and reputational damage. Additionally, compliance can also help businesses to avoid fines and other penalties that may be imposed if they fail to meet these standards. Read our guide on top 5 business benefits of cybersecurity compliance to know more.

What Are the Risks of Non-Compliance?

There are many risks associated with non-compliance, including:

Fines and penalties: Perhaps the most well-known risk of non-compliance is the possibility of being fined or penalized by the government or other regulatory bodies.

Loss of customers: Another risk of non-compliance is the loss of customers. This can happen if customers lose trust in your business due to a data breach or other security incident.

Damage to reputation: Non-compliance can also damage your business's reputation, which can make it difficult to attract new customers and partners.

These are just some of the risks associated with non-compliance.

Different Types of Data Security Compliance

1. PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of guidelines for businesses that do financial transactions on their platform or accept credit card payments. These guidelines cover topics such as data storage, encryption, and access control. PCI-DSS compliance is important for businesses because it helps to protect customer credit card information from being stolen.

2. HIPAA

The Health Insurance Portability and Accountability Act is a set of guidelines for businesses that handle protected health information. These guidelines cover topics such as data storage, encryption, and access control. HIPAA compliance is important for businesses because it helps to protect patient privacy and prevent medical identity theft.

3. SOC

The AICPA's System and Organization Controls is a set of guidelines for businesses that want to demonstrate their commitment to data security. These guidelines cover topics such as data storage, encryption, and access control. SOC compliance is important for businesses because it helps to build trust with customers and partners.

4. ISO 27001

The International Organization for Standardization's ISO 27001 is a set of guidelines for businesses that want to implement information security controls to secure themselves. These guidelines cover topics such as data storage, encryption, and access control. ISO 27001 compliance is important for businesses to meet certain recognizable standards in the industry they belong to (for example, IT security, cloud security or SaaS platforms). This compliance makes sure the compliant entity is secured against unauthorized access.

5. GDPR

The General Data Protection Regulation (GDPR) is a set of guidelines for businesses that collect, store or process personal data on their websites and ecommerce stores. GDPR is mandatory for all companies that have customers from European Union (EU) countries. GDPR guidelines cover topics such as data storage, encryption, and access control. GDPR compliance is important for businesses because it helps to protect the privacy of EU citizens.

Each of these compliance standards is important in its own way and can help to protect your business from different types of risks. By understanding the different types of compliance standards and what they entail, you can make sure that your business is taking the necessary steps to protect its sensitive information.

How Can My Business Comply with Data Security Standards?

Implementing the above steps can help your business to comply with the different types of data security compliance standards. By doing so, you can help to protect your business from the risks associated with non-compliance.

Conclusion

We see news of data breaches happening every day, and it is not stopping. By implementing compliance and security standards, businesses can improve their data security posture and protect their customers' information against a data breach. To implement a strong cybersecurity infrastructure, compliance and security standards are a good place to start, but businesses should also consider using other methods such as encryption and penetration testing to further secure their data.


Facebook has started to encrypt links to counter privacy-improving URL Stripping – Ghacks

Facebook has started to use a different URL scheme for site links to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking.

Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

Both web browsers use lists of known tracking parameters for the functionality. The lists need to be updated whenever sites change tracking parameters.

Facebook could have simply changed the parameter names it uses, but that would have given Facebook only temporary relief. It appears that Facebook is now using encryption to track users.

Previously, Facebook used the parameter fbclid for tracking purposes. Now, it uses URLs such as https://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl?__cft__%5B0%5D=AZXT7WeYMEs7icO80N5ynjE2WpFuQK61pIv4kMN-dnAz27-UrYqrkv52_hQlS_TuPd8dGUNLawATILFs55sMUJvH7SFRqb_WcD6CCOX_zYdsebOW0TWyJ9gT2vxBJPZiAaEaac_zQBShE-UEJfatT-JMQT5-bvmrLz7NlgwSeL6fGKH9oY9uepTio0BHyCmoY1A&__tn__=%2CO%2CP-R instead.

The main issue here is that it is no longer possible to remove the tracking part of the URL, as Facebook has merged it with part of the required web address. Removing the entire construct after the ? would open the main Facebook page of Ghacks Technology News, but it won't open the linked post.

Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
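To show why the list-based stripping that Firefox and Brave perform works on the old fbclid links but not on the new scheme, here is an added example (not code from Ghacks, Mozilla or Brave): a small stripper built on a constructed subset of a tracking-parameter block list, run over two constructed links that mirror the old and new Facebook formats described above. The parameter names in the list and the sample post IDs and blobs are assumptions made for the demonstration.

```python
"""List-based tracking-parameter stripping, in the style browsers use it.

Added example, not code from the article or from any browser project.
TRACKING_PARAMS is a constructed subset of a block list; the sample
URLs are constructed to mirror the old (fbclid) and new (__cft__)
Facebook link formats.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed subset of a tracking-parameter block list. A real browser
# list is much longer and must be updated whenever sites rename parameters.
TRACKING_PARAMS = {
    "fbclid", "gclid", "msclkid", "mc_eid",
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
}


def classify_params(url: str, blocklist=TRACKING_PARAMS):
    """Split a URL's query parameter names into (removed, kept) lists.

    'removed' are names on the block list; 'kept' are everything else,
    which a list-based stripper must leave alone because it cannot tell
    an unknown tracking value from a parameter the site needs.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    removed = [k for k, _ in pairs if k.lower() in blocklist]
    kept = [k for k, _ in pairs if k.lower() not in blocklist]
    return removed, kept


def strip_tracking_params(url: str, blocklist=TRACKING_PARAMS) -> str:
    """Return the URL with block-listed parameters removed.

    Path, fragment and the order of surviving parameters are preserved;
    when no parameter survives, the '?' is dropped entirely.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in blocklist]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


# Constructed sample links (post IDs and the opaque blob are placeholders).
OLD_STYLE = ("https://www.facebook.com/ghacksnet/posts/123456789"
             "?fbclid=IwAR0constructedClickId")
NEW_STYLE = ("https://www.facebook.com/ghacksnet/posts/pfbid0CONSTRUCTEDPOSTID"
             "?__cft__%5B0%5D=AZXconstructedOpaqueBlob&__tn__=%2CO%2CP-R")

if __name__ == "__main__":
    for url in (OLD_STYLE, NEW_STYLE):
        removed, kept = classify_params(url)
        print(url)
        print(f"  removed={removed} kept={kept}")
        print(f"  -> {strip_tracking_params(url)}")
```

On the old link the stripper removes fbclid and leaves a clean post URL; on the new link nothing is on the list, so `__cft__[0]` and `__tn__` survive untouched, and the only blunt alternative, dropping the whole query, is what the article says breaks the link to the post.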

There is no option currently to prevent Facebook's tracking of users via links. Users could avoid Facebook, but that may not be possible all the time. URL tracking does not help much if other tracking means, e.g., through cookies or site data, are not available. While Facebook gets some information from URL-based tracking, it can't link it if no persistent data is available.

Users who don't sign into Facebook and who clear cookies and site data regularly may avoid most of the company's tracking.

Now You: what is your take on this development? Beginning of a cat and mouse game, or game over for privacy already? (thanks N.J.)

By Martin Brinkmann, Ghacks Technology News


What is a Double VPN and why you should use one – Laptop Mag

Over the past few years, increasing concerns surrounding our internet safety have given way to a huge surge in VPN popularity. Today, VPNs can come in many different forms. While traditional VPNs are most well-known, double VPNs are now also available on a number of different providers. But what exactly is a double VPN, and how can it protect you online?

If you're using a typical VPN provider, such as ExpressVPN, SurfShark, or ProtonVPN, you're likely having your internet data sent through and encrypted via one server. This means that your data is going through one layer of encryption only.

While this can still provide you with a high level of online security, it can be improved upon through the use of a double VPN.

As the name suggests, a double VPN provides users with an extra layer of security by using two servers instead of one. So, when you connect to the internet via a double VPN, your data is being encrypted twice. Though this involves two servers, it isn't the same as using two VPNs simultaneously. Double VPNs link two servers from the same provider, whereas you'd have to link two separate providers if you wanted to use two VPNs at the same time.

This creates a pocket of safety for your data, as it will be encrypted on both ends of the channel, meaning a cybercriminal will have a very hard time accessing any data that is yet to be encrypted. This process is also known as VPN server chaining, or cascade configuration, and can be a highly effective security measure.

However, two encryption layers aren't always present in a double VPN. While a number of VPN providers offer two layers with their double VPN feature, others do not (though your data will still be sent through two servers in such cases). But in any case, a double VPN is designed to heighten your security when online.

However, double VPNs do come with one major disadvantage.

If a double VPN can provide you with such a high level of protection online, using it is a no-brainer, right?

Well, not quite. Though double VPNs can keep your data supersafe, they come with one significant downside: poorer connection speeds.

If you already use a regular VPN, you may have noticed that your upload or download speed decreases when it is active. Because your data is being sent and encrypted through a remote server when you use a VPN, you'll often have to wait a little longer to connect. You may notice that web pages take longer to load, or that you're experiencing more buffering than usual when streaming.

Unfortunately, this is just how VPNs work, but the problem can be worsened further through the use of a double VPN. This is because your data is going through two servers instead of one, which takes even more time. If your connection speeds are already pretty sub-par without the use of a VPN, using a double VPN can cause a lot of issues, and may make your online experience very frustrating.

But this doesn't mean that you have to sacrifice your online security for better connection speeds. Double VPNs are more suited to those who require a very high level of online security for specific reasons. For example, you may be a journalist trying to protect your sources, or an individual in a country that has strict internet laws.

Because double VPNs can be so detrimental to your internet speed, you should really only use one if it's an absolute necessity. Of course, anyone who uses a provider with a double VPN feature can use one, but this may prove to be more of a frustration than a joy if your speeds are hit that badly.

However, if you still feel a double VPN could be useful for you, there are many providers out there who offer this feature, including:

It's worth noting that, when you use a double VPN, you likely won't have the same number of servers to choose from. So, if you have a favorite VPN server that you often connect to, you may find that it is unavailable when your double VPN feature is active.

If you're in a position where you require ultra-high levels of security when browsing the web, a double VPN might be a useful addition to your regular VPN connection. This will allow you to circumvent tracking entirely and add an extra layer of encryption to your precious internet data.

Follow this link:
What is a Double VPN and why you should use one - Laptop Mag

Researcher develops Hive ransomware decryption tool – TechTarget

A malware researcher known as "reecDeep" has developed and published a decryption tool on GitHub for the latest version of Hive ransomware.

Published Tuesday, the tool specifically decrypts the version 5 variant of Hive ransomware. Hive was originally written in the Go programming language, but more recently the ransomware authors switched to Rust, a language that has overall superior encryption technology and is harder to reverse engineer.

Hive is a ransomware-as-a-service operation that was first discovered last summer. It immediately hit the ground running, claiming hundreds of victims in its first six months. Last year, the ransomware was responsible for compromising European retailer MediaMarkt and allegedly included a demand of $240 million. Earlier this year, Hive claimed an attack against Medicaid provider Partnership HealthPlan of California.

According to the decryption tool's GitHub page, reecDeep developed the tool with a fellow anonymous malware researcher known as "rivitna." The post includes technical details of how Hive v5 works as well as how the researchers developed their brute-force decryption tool.

"I had the pleasure of collaborating with a great malware analyst and reverse engineer @rivitna who in the past has analyzed previous versions of Hive and published code and PoCs regarding their encryption mechanisms," reecDeep wrote in the GitHub post. "He has contributed (not a little) to identify the components involved in the encryption operations of Hive v5, which being written in Rust has become more difficult to analyze."

Asked about compatibility between the decryptor and various v5 updates, reecDeep told SearchSecurity over Twitter direct message that while he hasn't fully confirmed, "as far as I know, minor updates from major version 5, (so 5.1, 5.2 and so on) don't have any improvements on encryption algorithms."

ReecDeep also said v5 "has nothing to do with previous Hive 1-4 versions," which were written in the Go programming language.

Earlier this month, the Microsoft Threat Intelligence Center published a blog post detailing Hive's recent evolution. The post described Hive as "one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem."

"The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method," the post read. "The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237."

The tech giant recommended that organizations search for known Hive indicators of compromise to assess whether an intrusion has occurred.

Decryption tools like reecDeep's have become increasingly common over the years. For example, security vendor Emsisoft maintains a list of more than 80 free ransomware decryptors, including strains like DeadBolt and SunCrypt.

RaaS operators like Hive have likewise become more prevalent and are one of the key defining aspects of ransomware in 2022, alongside stricter cyber insurance policies and emerging extortion tactics.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Read more here:
Researcher develops Hive ransomware decryption tool - TechTarget

Google’s BigQuery Introduces Column-Level Encryption Functions and Dynamic Masking of Information – InfoQ.com

Google recently released new features for its SaaS data warehouse BigQuery which include column level encryption functions and dynamic masking of information. These features add a second layer of defense on top of access control to help secure and manage sensitive data.

Specifically, dynamic masking of information can be used for real-time transactions whereas column level encryption provides additional security for data at rest or in motion where real-time usability is not required.

These new features could be useful for companies that store personally identifiable information (PII) and other sensitive data such as credit-card data and biometric information. Companies that store and analyze data in countries where data regulation and privacy mandates are evolving face ongoing risks from data breaches and data leakage and need to control data access; these companies may also benefit from the new features.

Column-level encryption enables the encryption and decryption of information at the column level, which means that the administrator can select which columns are encrypted and which are not. It supports the AES-GCM (non-deterministic) and AES-SIV (deterministic) encryption algorithms. The AES-SIV functions allow grouping, aggregation, and joins on encrypted data. This new feature enables some new use cases: data that is natively encrypted in BigQuery and must be decrypted when accessed, or data that is externally encrypted, stored in BigQuery, and must then be decrypted when accessed.

Column-level encryption is integrated with Cloud Key Management Service (Cloud KMS) to give the administrator more control, to allow management of the encryption keys in KMS, and to enable on-access secure key retrieval as well as detailed logging. Cloud KMS can be used to generate the KEK (key encryption key) that encrypts the DEK (data encryption key) that in turn encrypts the data in BigQuery columns. Cloud KMS uses IAM (identity and access management) to define roles and permissions. The KEK is a symmetric encryption keyset stored in Cloud KMS, and referencing an encrypted keyset in BigQuery reduces the risk of key exposure.

The BigQuery documentation explains:

At query execution time, you provide the Cloud KMS resource path of the KEK and the ciphertext from the wrapped DEK. BigQuery calls Cloud KMS to unwrap the DEK, and then uses that key to decrypt the data in your query. The unwrapped version of the DEK is only stored in memory for the duration of the query, and then destroyed.

In one example of a use case, the ZIP code is the data to be encrypted, and a non-deterministic function decrypts the data when it is accessed, by calling the function in the query that is run on the table.

From BigQuery documentation

In a second example, the AEAD deterministic function decrypts data when it is accessed, by calling the function in the query that is run on the table, and supports aggregation and joins on the encrypted data.

From BigQuery documentation

In this way, even a user who is not allowed to decrypt the data can perform a join.

Before the release of the column-level encryption feature, administrators needed to make copies of the datasets with the data obfuscated in order to manage the right access for each group. This creates an inconsistent approach to protecting data, which can be expensive to manage. Column-level encryption increases the security level because each column can have its own encryption key instead of a single key for the entire database. Using column-level encryption also allows faster data access, because less data has to be encrypted and decrypted.
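As an added example (not code from the InfoQ article or from Google), the BigQuery SQL below contrasts the two modes the article names: AES-GCM ciphertexts cannot serve as a join key, AES-SIV ciphertexts can, and the last step references the DEK through a Cloud KMS KEK as the documentation excerpt describes. PROJECT_ID, the KMS key path and the wrapped keyset are placeholders, and the customer and region rows are constructed sample data.

```sql
-- Added example (not from the InfoQ article or Google's documentation). Keysets are
-- generated inline for illustration; PROJECT_ID, the KMS path and wrapped_dek are
-- placeholders to be replaced with real values.
DECLARE gcm_keyset BYTES DEFAULT KEYS.NEW_KEYSET('AEAD_AES_GCM_256');
DECLARE siv_keyset BYTES DEFAULT KEYS.NEW_KEYSET('DETERMINISTIC_AEAD_AES_SIV_CMAC_256');
DECLARE kek_path STRING DEFAULT
  'gcp-kms://projects/PROJECT_ID/locations/us/keyRings/KEYRING/cryptoKeys/KEK';
DECLARE wrapped_dek BYTES DEFAULT b'WRAPPED-DEK-PLACEHOLDER';  -- output of KEYS.NEW_WRAPPED_KEYSET

-- 1. AES-GCM (non-deterministic): each call draws a fresh nonce, so the same ZIP
--    code yields a different ciphertext every time. That is the mode to prefer for
--    plain storage, but equal plaintexts no longer compare equal, so the column
--    cannot serve as a GROUP BY or join key.
SELECT
  AEAD.ENCRYPT(gcm_keyset, '37902', 'zip') AS zip_ct_a,
  AEAD.ENCRYPT(gcm_keyset, '37902', 'zip') AS zip_ct_b;

-- 2. AES-SIV (deterministic): equal plaintext and equal additional data give equal
--    ciphertext, so two tables can be joined on the encrypted column by a role that
--    never holds the keyset. The price is that equal values are visible as equal
--    ciphertexts (frequency leakage), so reserve this mode for columns that need it.
--    The rows below are constructed sample data.
WITH customers AS (
  SELECT 1 AS customer_id, DETERMINISTIC_ENCRYPT(siv_keyset, '37902', 'zip') AS zip_ct
  UNION ALL SELECT 2, DETERMINISTIC_ENCRYPT(siv_keyset, '37902', 'zip')
  UNION ALL SELECT 3, DETERMINISTIC_ENCRYPT(siv_keyset, '94043', 'zip')
),
regions AS (
  SELECT DETERMINISTIC_ENCRYPT(siv_keyset, '37902', 'zip') AS zip_ct, 'Knoxville' AS city
  UNION ALL SELECT DETERMINISTIC_ENCRYPT(siv_keyset, '94043', 'zip'), 'Mountain View'
)
SELECT r.city, COUNT(*) AS customer_count
FROM customers AS c
JOIN regions AS r USING (zip_ct)
GROUP BY r.city;

-- 3. Decryption for a role entitled to plaintext. The additional data ('zip') must
--    match what was supplied at encryption time; a mismatch makes the call fail,
--    which ties each ciphertext to its column and stops it being replayed elsewhere.
SELECT DETERMINISTIC_DECRYPT_STRING(
         siv_keyset, DETERMINISTIC_ENCRYPT(siv_keyset, '37902', 'zip'), 'zip') AS zip;

-- 4. Envelope pattern described in the article: the DEK keyset is stored wrapped by
--    a Cloud KMS KEK, and KEYS.KEYSET_CHAIN makes BigQuery call KMS to unwrap it in
--    memory only for the duration of this query. The caller needs decrypt permission
--    on the KEK in IAM; the wrapped keyset alone is useless to anyone who copies it.
SELECT customer_id,
       DETERMINISTIC_DECRYPT_STRING(
         KEYS.KEYSET_CHAIN(kek_path, wrapped_dek), zip_ct, 'zip') AS zip
FROM `PROJECT_ID.DATASET.encrypted_customers`;
```

Steps 1 to 3 run as a BigQuery script on their own; step 4 needs a real KMS key, a keyset wrapped with it, and a table holding the AES-SIV ciphertexts.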

Dynamic masking of information, released in preview, gives administrators more control: combined with column-level access control, they can grant full access, no access, or access to masked data, extending column-level security. This capability selectively masks column-level data at query time based on the defined masking rules and on user roles and privileges. It allows administrators to obfuscate sensitive data and control user access while mitigating the risk of data leakage.

Thanks to this new feature, sharing data is easier, because administrators can hide information selectively and tables can be shared with large groups of users. At the application level, developers don't need to modify their queries to hide sensitive data: once data masking is configured at the BigQuery level, the existing query automatically hides the data based on the roles the user is granted. Last but not least, applying security is easier, because the administrator can write a security rule once and then apply it to any number of columns with tags.

Any masking policies or encryption applied on the base tables are carried over to authorized views and materialized views, and masking or encryption is compatible with other security features such as row-level security.

Both new features can be used to increase security, manage access control, comply with privacy law, and create safe test environments. They allow a more consistent way to manage tables with sensitive data: administrators don't need to create multiple datasets with encrypted (or unencrypted) data and share those copies with the right users.

Read the original post:
Google's BigQuery Introduces Column-Level Encryption Functions and Dynamic Masking of Information - InfoQ.com

The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare – Ars Technica

Conceptual computer artwork of electronic circuitry with blue and red light passing through it, representing how data may be controlled and stored in a quantum computer. (Getty Images)

In the not-too-distant future (as little as a decade, perhaps; nobody knows exactly how long), the cryptography protecting your bank transactions, chat messages, and medical records from prying eyes is going to break spectacularly with the advent of quantum computing. On Tuesday, a US government agency named four replacement encryption schemes to head off this cryptopocalypse.

Some of the most widely used public-key encryption systems (including those using the RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman algorithms) rely on mathematics to protect sensitive data. These mathematical problems include (1) factoring a key's large composite number (usually denoted as N) to derive its two factors (usually denoted as P and Q) and (2) computing the discrete logarithm that key is based on.

The security of these cryptosystems depends entirely on how difficult it is for classical computers to solve these problems. While it's easy to generate keys that can encrypt and decrypt data at will, it's impossible from a practical standpoint for an adversary to calculate the numbers that make them work.

The researchers estimated that the sum of the computation time for both of the new records was about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1 GHz). Like previous records, these were accomplished using a complex algorithm called the Number Field Sieve, which can be used to perform both integer factoring and finite field discrete logarithms.

Quantum computing is still in the experimental phase, but the results have already made it clear it can solve the same mathematical problems instantaneously. Increasing the size of the keys won't help, either, since Shor's algorithm, a quantum-computing technique developed in 1994 by American mathematician Peter Shor, works orders of magnitude faster in solving integer factorization and discrete logarithmic problems.

Researchers have known for decades these algorithms are vulnerable and have been cautioning the world to prepare for the day when all data that has been encrypted using them can be unscrambled. Chief among the proponents is the US Department of Commerce's National Institute of Standards and Technology (NIST), which is leading a drive for post-quantum cryptography (PQC).

On Tuesday, NIST said it selected four candidate PQC algorithms to replace those that are expected to be felled by quantum computing. They are: CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

CRYSTALS-Kyber and CRYSTALS-Dilithium are likely to be the two most widely used replacements. CRYSTALS-Kyber is used for establishing digital keys that two computers that have never interacted with each other can use to encrypt data. The remaining three, meanwhile, are used for digitally signing encrypted data to establish who sent it.

"CRYSTALS-Kyber (key-establishment) and CRYSTALS-Dilithium (digital signatures) were both selected for their strong security and excellent performance, and NIST expects them to work well in most applications," NIST officials wrote. "FALCON will also be standardized by NIST since there may be use cases for which CRYSTALS-Dilithium signatures are too large. SPHINCS+ will also be standardized to avoid relying only on the security of lattices for signatures. NIST asks for public feedback on a version of SPHINCS+ with a lower number of maximum signatures."

The selections announced today are likely to have significant influence going forward.

"The NIST choices certainly matter because many large companies have to comply with the NIST standards even if their own chief cryptographers don't agree with their choices," said Graham Steel, CEO of Cryptosense, a company that makes cryptography management software. "But having said that, I personally believe their choices are based on sound reasoning, given what we know right now about the security of these different mathematical problems, and the trade-off with performance."

Nadia Heninger, an associate professor of computer science and engineering at the University of California, San Diego, agreed.

"The algorithms NIST chooses will be the de facto international standard, barring any unexpected last-minute developments," she wrote in an email. "A lot of companies have been waiting with bated breath for these choices to be announced so they can implement them ASAP."

While no one knows exactly when quantum computers will be available, there is considerable urgency in moving to PQC as soon as possible. Many researchers say it's likely that criminals and nation-state spies are recording massive amounts of encrypted communications and stockpiling them for the day they can be decrypted.

Read more:
The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare - Ars Technica

Tech world may face huge fines if it doesn’t scrub CSAM from encrypted chats – The Register

Tech companies could be fined $25 million (£18 million) or ten percent of their global annual revenue if they don't build suitable mechanisms to scan for child sex abuse material (CSAM) in end-to-end encrypted messages and an amended UK law is passed.

The proposed update to the Online Safety bill [PDF], currently working its way through Parliament, states that British and foreign providers of a "regulated user-to-user service" must report any shared child sexual exploitation and abuse (CSEA) content to the country's National Crime Agency. The amendment to the legislation makes it clear that companies must develop software capable of peering into messages, even end-to-end encrypted chatter, to actively detect and report CSEA material to the authorities or face sanctions.

Truly secure end-to-end encrypted messages can only be read by those participating in the conversation, not network eavesdroppers nor the app's makers. However, it is possible for chat software developers to add a filter, potentially on each device, that automatically scans for certain illegal material before it's encrypted and sent or after it's received and decrypted.

How well that computer-vision process would work in practice, and whether the false positive rate causes people's private and lawful chatter to be beamed to the government, remains to be seen. Netizens may also not trust that just CSEA content is being reported.

Alternatively, an app maker could engineer their service and code to intercept and inspect the messages as they whiz between a conversation's participants, but that would undermine the whole end-to-end nature. And stuff that isn't end-to-end encrypted can be monitored as the app or service provider chooses.

Whichever way it's implemented, the British Conservative government, or what's left of it after a ministerial revolt against Prime Minister Boris Johnson, wants communications, encrypted or not, to be screened for CSEA material, and has positioned its Online Safety bill to that effect.

"Things like end-to-end encryption significantly reduce the ability for platforms to detect child sexual abuse," the UK's Home Secretary Priti Patel (well, Home Secretary at time of writing on Wednesday) argued earlier in the day. "The Online Safety Bill sets a clear legal duty to prevent, identify, and remove child sexual abuse content, irrespective of the technologies they use. Nobody can sensibly deny that this is a moral imperative."

If the legislation is passed by Parliament, Ofcom, the UK's communications watchdog, will have the power to force tech companies to pay penalties if this inspection system isn't implemented. "The onus is on tech companies to develop or source technology to mitigate the risks, regardless of their design choices. If they fail to do so, Ofcom will be able to impose fines of up to £18 million or [ten percent] of the company's global annual turnover depending on which is higher," Patel warned.

"We do not want to censor anyone or restrict free speech, but we must do more to combat these foul, hugely destructive crimes," she added.

Building in automatic detection of CSEA content is controversial. Engineers, legal experts, and activists have highlighted the risks of developing such capabilities. It may torpedo users' privacy, and potentially gives government officials a foot in the door to monitoring people's conversations. For instance, these filters, once implemented, could be expanded beyond child abuse.

Patel, however, believes changes to encryption systems to support this scanning can still preserve users' privacy while combating CSEA: "The UK government wholeheartedly supports the responsible use of encryption technologies ... We, and other child safety and tech experts, believe that it is possible to implement end-to-end encryption in a way that preserves users' right to privacy, while ensuring children remain safe online."

"If end-to-end encryption is implemented without the relevant safety mitigations in place, this will become much harder. It will significantly reduce tech companies' and law enforcement's ability to detect child sexual abuse happening online. This is obviously unacceptable," she said.

Last year, Apple quietly paused plans to scan for CSAM on iPhones. Apple's detection scheme was heavily criticized by academics and advocacy groups.

"Once this capability is built into Apple products, the company and its competitors will face enormous pressure and potentially legal requirements from governments around the world to scan photos not just for CSAM, but also for other images a government finds objectionable," declared a letter signed by more than 90 human-rights groups.

The Online Safety bill also attempts to tackle disinformation by getting social networks to filter out state-made interference, and reduce the distribution of stolen information for the purposes of undermining democracy.

The likes of YouTube may also be banned from removing news content until publishers and outlets have had a chance to appeal.

Read the original post:
Tech world may face huge fines if it doesn't scrub CSAM from encrypted chats - The Register