iCloud Keychain encryption bug exposes iOS passwords, credit card numbers – TechRepublic

A largely unreported iOS security flaw undermined iCloud's end-to-end encryption capability, and could have allowed attackers to steal passwords, credit cards, and any other information on file, according to security firm Longterm Security.

iCloud Keychain enables users to store passwords and credit card numbers across all of their devices, while iCloud Keychain Sync allows users to share this information securely between devices. The security flaw was found in iCloud Keychain Sync's custom Off-The-Record (OTR) implementation, Longterm Security co-founder Alex Radocea wrote in a blog post.

"The bug we found is exactly the kind of bug law enforcement or intelligence would look for in an end-to-end encryption system," Radocea told ZDNet.

The flaw was addressed in the iOS 10.3 update, demonstrating again why it is important to stay on top of updating your device.


iCloud Keychain's OTR encryption protocol uses key verification to protect a user's devices by ensuring information can pass securely between multiple devices. Radocea was able to bypass the signature verification process via a man-in-the-middle attack. He was also able to intercept traffic from devices, and modify OTR packets in transit to deliberately get an invalid signature, ZDNet reported. After this, he was able to get a device approved.
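The article only describes the bypass at the level of "modify packets in transit to get an invalid signature, then get a device approved". The defensive lesson is that a signature check guarding device approval must fail closed: a malformed, missing or non-verifying signature has to produce the same "not approved" result, never an approval. The Go program below is an added example written for this page; it is not Apple's code and not a reconstruction of iCloud Keychain Sync's OTR implementation. The ApprovalPacket layout, the Ed25519 signature scheme and the device identifier are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrRejected is the single outcome for every failed check: the verifier never
// distinguishes "malformed" from "invalid", and never approves on error.
var ErrRejected = errors.New("device approval rejected: signature did not verify")

// ApprovalPacket is a hypothetical sync message (not Apple's format): a device
// asks to be added, and the request is signed by an already-trusted device.
type ApprovalPacket struct {
	DeviceID  string
	Payload   []byte
	Signature []byte
}

// signedBytes length-prefixes the device ID so that ID and payload bytes cannot
// be shifted into each other while keeping the same concatenation.
func signedBytes(deviceID string, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(deviceID)+len(payload))
	binary.BigEndian.PutUint32(buf, uint32(len(deviceID)))
	buf = append(buf, deviceID...)
	return append(buf, payload...)
}

// SignApproval is what the already-trusted device does.
func SignApproval(priv ed25519.PrivateKey, deviceID string, payload []byte) ApprovalPacket {
	return ApprovalPacket{
		DeviceID:  deviceID,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedBytes(deviceID, payload)),
	}
}

// VerifyApproval fails closed. A packet that is malformed, truncated, or whose
// signature does not match the trusted public key must not lead to approval.
func VerifyApproval(trusted ed25519.PublicKey, p ApprovalPacket) (bool, error) {
	if len(trusted) != ed25519.PublicKeySize || len(p.Signature) != ed25519.SignatureSize {
		return false, ErrRejected
	}
	if !ed25519.Verify(trusted, signedBytes(p.DeviceID, p.Payload), p.Signature) {
		return false, ErrRejected
	}
	return true, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample packet; the device ID is a placeholder.
	pkt := SignApproval(priv, "constructed-device-id", []byte("join sync circle"))
	ok, err := VerifyApproval(pub, pkt)
	fmt.Println("genuine packet:", ok, err)

	// A packet whose signature bytes were altered in transit.
	tampered := pkt
	tampered.Signature = append([]byte(nil), pkt.Signature...)
	tampered.Signature[0] ^= 0x01
	ok, err = VerifyApproval(pub, tampered)
	fmt.Println("corrupted signature:", ok, err)

	// A packet with the signature stripped entirely.
	tampered = pkt
	tampered.Signature = nil
	ok, err = VerifyApproval(pub, tampered)
	fmt.Println("missing signature:", ok, err)
}
```

The point of the design is that the only code path reaching "approved" is the one where ed25519.Verify returned true against the pinned public key; length checks, a stripped signature and a signature from some other key all collapse into the same rejection.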

"We could see everything [in the Keychain] in plain-text," Radocea told ZDNet. Making matters more dangerous, "it's completely silent to users," he said. "They wouldn't have seen a device being added."

Weak, reused, and leaked passwords are a primary method of entry for cybercriminals, Radocea wrote in the blog post, making password hygiene critical for enterprise users. In 2016 alone, more than 500 million credentials surfaced publicly from mass-hack password dumps, combined with poor password storage practices, he added.

"Due to the risk of future mass dumps, passwords alone are just no longer a strong defense mechanism for sensitive data," Radocea wrote. "It is a very good idea for organizations to further harden access to any important personal information."

Current best practices include multi-factor authentication and end-to-end encryption, such as OTR, Radocea wrote.

Longterm Security will present more information on the issue in a session at Black Hat on Wednesday.


1. A security flaw undermined iCloud's end-to-end encryption capability, and could have allowed criminals to steal passwords and credit cards, according to Longterm Security.

2. The flaw was addressed in the iOS 10.3 update, so users should update if they haven't done so.

3. Enterprises shouldn't rely on passwords alone to protect sensitive data, and should use multi-factor authentication and end-to-end encryption.


Encrypted electronic communications: How will Australia regulate access? – Lexology (registration)

The Australian Government is proposing to introduce legislation this year to impose an obligation on communications and technology companies to assist law enforcement agencies to access encrypted messages, in the event that voluntary cooperation is not provided by those companies.

Background

The Australian Government has taken a strong stand in relation to the need for law enforcement agencies to access encrypted messages, sent over systems such as WhatsApp, Viber and Telegram. This has been evidenced by the positions taken by the Government on the international stage, including the recent Five Eyes and G20 meetings.

Five Eyes: A voluntary solution?

At the 26 June 2017 Five-Eyes intelligence talks in Ottawa a hot topic was how to seek cooperation from internet service providers (ISPs) and device makers to access encrypted messages sent using the systems of those ISPs. The governments of all of the Five-Eyes members (the United States, the United Kingdom, Canada, Australia and New Zealand) argued that the inability of law enforcement agencies to access encrypted messages significantly impedes the investigation of serious crimes, particularly terror related offences, and therefore undermines public safety.

The joint communique issued by the five governments following the Ottawa meeting stated that:

encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism. To address these issues, we committed to develop our engagement with communications and technology companies to explore shared solutions while upholding cybersecurity and individual rights and freedoms.

Australia's position at the G20

The Australian Prime Minister continued to push this theme, including the need for international cooperation, at the G20 meeting held in Hamburg in early July 2017. The G20 leaders' statement on countering terrorism, issued in Hamburg, supported the need for access to be obtained to encrypted messages. That statement provided in part that the G20 leaders encourage collaboration with industry to provide lawful and non-arbitrary access to available information where access is necessary for the protection of national security against terrorist threats.

The way forward: Following the UK

The Attorney-General has acknowledged that Australia already has regulation, included in the Telecommunications Act 1997 (Cth) and the Crimes Act 1914 (Cth), requiring telecommunications companies to provide assistance to law enforcement agencies to access communications. However, the view of the Government is that this legislation has not kept up with technological advancements and needs to be updated.

Legislation dealing with access to encrypted messages is already in place in the United Kingdom and New Zealand. The Attorney-General has stated that Australia's new laws will be guided by the UK legislation, specifically the Investigatory Powers Act 2016. Under that UK Act, there is an obligation on regulated entities to do whatever they reasonably can be expected to do to enable law enforcement agencies to inspect messages that are the subject of encryption or to inspect devices, where a technical capability notice is issued with the approval of a judicial commissioner.

Encrypted messages are difficult to access because the providers of the services do not hold the keys necessary to decrypt messages; these are held by users. This has caused entities potentially subject to the UK legislation, such as Facebook, Google and the like, to raise a concern that the UK legislation, and potentially the legislation proposed in Australia, will require backdoors to be installed in encryption systems software.

A backdoor refers to a flaw in a software system for encrypted messaging that would allow access to encrypted messages notwithstanding that the encryption keys are not held. Concern has been expressed that if a backdoor is included in encrypted messaging software that is able to be used by law enforcement agencies then that backdoor may also be used by hackers or others to access legitimate encrypted messages for criminal purposes. The Australian Government has insisted it will not require the use of backdoors. Instead, the Government has said it is the responsibility of technology companies that provide end-to-end encryption services to work out a way that encrypted messages may be accessed, where required by law enforcement.

Next steps in Australia

A draft of the proposed Australian legislation is not yet available, but it is intended to be introduced to Parliament during the Spring 2017 Parliamentary sittings, which commence on 8 August 2017. It remains to be seen how closely that draft legislation will follow the UK Investigatory Powers Act and whether it will address concerns regarding the security of encrypted messages sent for legitimate purposes.


Met chief says fight against terrorism is being made tougher by encryption on the web and messaging services, like … – The Sun

In her first major speech on counter-terrorism, the Metropolitan Police Commissioner, Cressida Dick, also disclosed that six plots have been foiled in the last four months

THE fight on terrorism is being made tougher by encryption on the web and messaging services, the Met's chief said yesterday. Commissioner Cressida Dick also warned of a rising threat from large numbers of apparently volatile individuals, some determined to die.


In her first major speech on counter-terrorism, the Metropolitan Police Commissioner also disclosed that six plots have been foiled in the last four months. The Scotland Yard chief's remarks on encryption underline the challenge for the Government as it seeks to clamp down on online safe spaces where terrorists and other serious criminals can communicate without detection.

Scrutiny has focused on so-called end-to-end encryption, which is built in to messaging services such as WhatsApp and means that messages are encoded in such a way that only the sending and receiving devices can read them.

Police and MI5 are running more than 500 investigations into 3,000 individuals assessed as posing the greatest threat. There are a further 20,000 former subjects of interest whose risk remains subject to review.



Australia the latest country to have no idea how encryption works … – BGR

Australia is the latest country to seek ways to access information passed between smartphones via encrypted apps, information that might be relevant to criminal investigations and counterterrorism operations. The Australian government wants to be able to spy on encrypted means of communications, whether they're built in to devices like the iPhone, or apps like WhatsApp, Telegram, and anything else that secures chats and voice calls. But, the Australian government has said it doesn't want backdoors in iOS! This only proves that governments still fail to grasp how encrypted iPhones work.

Apple top execs met twice with the Turnbull government in Australia, The Sydney Morning Herald explains, as Prime Minister Malcolm Turnbull wants to pass new encryption laws.

Turnbull's proposed regulations might compel tech companies to provide access to encrypted communications. That's something Apple can't offer without building a back door into iOS. It's San Bernardino all over again.

Apparently, Apple argued that if it's compelled to create a back door into iPhones, then everyone's security is at risk. The company said it provided significant assistance to police agencies during investigations. Apple did the same thing in America, providing user information, the kind of metadata that's still useful for investigations, and which isn't protected by encryption.

Turnbull's government, meanwhile, explicitly said it doesn't want a back door in iOS encryption, or weaker iOS encryption. But it does want Apple, and any other tech company, to provide assistance to law enforcement agencies when that's needed.

This proves, yet again, that governments have no viable idea of how to tackle this sensitive problem. For the time being, it appears that you can't have it both ways. It's either end-to-end encryption, which comes with unwanted side effects like protecting communications between criminals or terrorist organizations, or it's weaker encryption, the kind the government can access, and the kind that can be hacked into by anyone with the means to do it.

The Australian government should introduce new encryption laws by the end of the year, and it'll be interesting to see how it wants to crack into encrypted iPhones.

As for Apple, the company announced at WWDC 2017 that it's going to continue to protect the user's privacy when it comes to chats. iMessages synchronized with iCloud will be encrypted with private keys. Currently, Apple could offer law enforcement data from iPhone backups stored in the cloud that aren't encrypted with unique keys.


IBM Processor Aims to Blanket Encryption Over Everything – Electronic Design

IBM claims that its new processor can encrypt data on a massive scale, concealing credit card payments, travel site bookings, and government payrolls from the prying eyes of hackers.

On Monday, IBM announced that the new silicon powers its latest line of mainframes, which can automatically keep entire systems encrypted at all times. The z14 chip devotes around six billion transistors, four times more than the previous z13, exclusively to encryption, which encodes messages so that they are only decipherable with special keys.

The new encryption chip runs at 5.2 gigahertz to process more than 12 billion transactions every day, ranging from ATM withdrawals to flight reservations. Manufactured on the 14 nanometer node, it contains 10 computing cores that can encrypt 13 gigahertz of data per second. The z13 could only process around 2.5 billion transactions every day.

IBM claims that it handles encryption more cheaply and efficiently than rival server systems, which burn through massive amounts of computing power to encrypt and decrypt data. The system's security prowess could be a unique selling point for businesses that typically only encrypt limited lumps of data.

Most corporations have been slow to open their wallets for large scale encryption. Only around 4% of all the data stolen worldwide since 2013 was encrypted, IBM says. And only around 2% of information in corporate servers is encrypted today, as opposed to almost 80% of mobile data, according to consulting firm Solitaire Interglobal.

"The vast majority of stolen or leaked data today is open and easy to use because encryption has been difficult and expensive," said Ross Mauri, general manager of IBM's Z mainframe business, in a statement. "We created a data protection engine for the cloud era to have an immediate and significant impact on global data security."

To protect encryption keys, IBM created special circuitry that acts like dye packs hidden in bank vaults to foil robberies. When the hardware detects malware or other intruders prying into memory, it can throw out the keys and restore them once the coast is clear again. IBM calls it tamper-responding hardware.

Other companies are selling custom hardware to expedite cryptography in cloud servers. Intel's newest Xeon Scalable processors, for instance, encrypt and decrypt messages without having to keep the encryption keys in memory, while Advanced Micro Devices added a security subsystem in its Epyc server chips that encrypts data stored within memory.

The mainframe announcement comes at a particularly painful point for IBM. On Tuesday, the company, which has been trying to reorient the business toward cloud computing and data analytics, reported revenues of $19.3 billion in the second quarter, down from $20.2 billion in the same quarter last year. It is IBM's twenty-first consecutive quarter of revenue decline.


Wire launches e2e encrypted team messaging in beta | TechCrunch – TechCrunch

End-to-end encrypted messaging platform Wire is targeting Slack's territory with a new messaging for teams product, called Teams.

It announced a beta launch yesterday, and is offering teams a 30-day free trial with pricing starting at 5 per user per month thereafter, or custom pricing for enterprise installations offering extras such as self-hosted servers and an integration API.

Co-founder Alan Duric tells TechCrunch that demand for the team messaging launch is being driven primarily by Wire's existing user base.

"We found more and more that our consumer offering was being used by businesses, and so we were keen to launch a dedicated business product, with additional features tailored to their needs. These features are designed to facilitate collaboration between teams to enhance productivity safely and securely, and include screen sharing, group calls and file transfers. Wire now supports dual personal and business profiles, enabling users to switch between the two, and will soon allow users to turn off notifications for either account," he notes.

The demand stemmed from a growing need to protect business communications as digital threats increase and current business communications become increasingly susceptible to breaches, he adds, saying most demand is currently coming from Europe, followed by the US and Asia.

"Demand was such that we onboarded 16 companies even before the beta launch. Prior to the beta launch, we conducted interviews with over 300 businesses to really understand their needs. In particular, the fact that we're based in Europe, end-to-end encrypted, do not require users to share a phone number and are multi-device really resonated."

Alex, a TC reader and Wire user who tipped us to the beta launch, is one of those existing users with an interest in the new team messaging feature, although he says his team won't be signing up until the product exits beta.

Explaining how his team originally started using Wire, Alex says: "One of the team was traveling and visited China where we found the firewall was blocking basically everything. Skype would randomly keep crashing / lagging under a VPN, though Wire simply worked there. We decided just to stick with it."

The Wire Teams product supports logging in with multiple accounts, so users can maintain a personal Wire messaging account separate from a Wire work account, for example.

There's also support for adding guests to projects to allow for collaboration with outsiders who don't have full Wire accounts of their own.

And, in future, Teams users will be able to switch off notifications for different accounts so they could turn off work alerts for the weekend, for example.

"More and more businesses and international organizations have started using Wire for work since we launched end-to-end encryption. Teams make it easy to organize work groups and related conversations," it writes in a blog post announcing the beta.

Duric adds that Wire currently expects Teams to be fully launched out of beta in late Q3/early Q4.

While the company started by offering a more general comms app, launched in late 2014 and backed by Skype co-founder Janus Friis, in recent years it's shifted emphasis to focus on privacy, rolling out end-to-end encryption in March last year, perhaps calculating this makes for a better differentiator in the crowded messaging platform space.

When it comes to team messaging, services offering end-to-end encryption are certainly a relative rarity. Slack's data request policy, for example, notes that it will turn over customer data in response to valid and binding compulsory legal process.

In its blog about Teams, Wire includes a comparison graphic across a range of team comms products and messaging apps, such as Slack, Skype for business, WhatsApp and Signal, which shows its commercial positioning and marketing at work.

As well as flagging as a plus its use of e2e encryption, which extends to securing features such as group calls, screen-sharing and file sharing, other differentiating advantages it's claiming include its business having a European base (specifically it's based in Switzerland, which has a legal regime that's generally perceived as offering some of the most robust data protection and privacy laws in Europe); and its code being open sourced (unlike, for example, the Facebook-owned WhatsApp messaging platform).

Wire also suggests e2e encryption for team messaging could be a way for companies to ensure compliance with incoming European privacy legislation. The General Data Protection Regulation, which ramps up fines for data breaches, is due to come into force in May next year.

"Businesses affected by the EU's upcoming GDPR rules benefit from end-to-end encryption, as it automatically protects the data they share with the team from third party access," Wire claims.

Earlier this year the company published an external audit of its e2e encryption. This uncovered some flaws and issues but generally found the reviewed components to have a high level of security.

Although a third layer of security review to consider Wires complete solution in the round remained outstanding at that point.

At the time Wire published the audit it committed to ongoing security reviews of every major development of its product.

So presumably that should include one for the Teams addition when it launches.

Wire hosts its open sourced code on GitHub.

This post was updated with additional comment from Wire's co-founder.


What is an Encryption Key? – Definition from Techopedia

Encryption is a type of security that converts data, programs, images or other information into unreadable cipher. This is done by applying a collection of complex algorithms to the original content meant for encryption.

Symmetric encryption systems make use of a single key that serves for both encryption and decryption. Symmetric types use algorithms that are very safe; one such algorithm was adopted by the US Government as the Advanced Encryption Standard (AES) to store classified information. However, one drawback is that since a single key is shared, it can be leaked or stolen. As part of key management, it is very important to change the key often to enhance security.

Public, or asymmetric, encryption systems make use of highly secure algorithms as well, but use a different strategy for encryption and decryption. The asymmetric encryption method uses two keys, referred to as a key pair. One is a public key, and the other one is a private key. The public key can be freely shared among various users as it is only meant for encryption. The private key is not shared, and is used to decrypt anything that was encrypted by the public key.

The algorithms used in the encryption process depend on the key pair. In order to reverse the encryption process, only the private key of that particular key pair can be used. The message or mail is encrypted with the recipient's public key and then delivered to the public key owner. When the mail is received, the software requests the passphrase protecting the private key before the decryption process. In order to maintain optimal security, this passphrase must be entered manually; however, the software lets a user locally store the passphrase so that messages may be automatically decrypted.

Since the key that causes decryption is not shared, asymmetric encryption is believed to be more reliable when compared with symmetric encryption.
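To make the symmetric/asymmetric distinction concrete, here is an added Go example using only the standard library; it is not code from Techopedia. AES-256-GCM stands in for the single-shared-key case (the same key both encrypts and decrypts, so anyone who obtains it can read everything) and RSA-OAEP for the key-pair case (the public half only encrypts, the private half alone decrypts). The function names and the sample message are constructed for this illustration, and the passphrase protection of the private key described above is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewSymmetricKey returns a random 256-bit AES key. Whoever holds this one key
// can both encrypt and decrypt, so it must stay secret on every device that shares it.
func NewSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt uses AES-256-GCM; the output is nonce || ciphertext || tag.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt needs the very same key; a different key, or any change to
// the ciphertext, makes the authentication tag fail and returns an error.
func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// AsymmetricEncrypt uses the recipient's public key (RSA-OAEP). The public key
// can be handed out freely because it can only encrypt, never decrypt.
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricDecrypt works only with the private half of the same key pair.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	msg := []byte("constructed sample message") // constructed input

	key, _ := NewSymmetricKey()
	ct, _ := SymmetricEncrypt(key, msg)
	pt, err := SymmetricDecrypt(key, ct)
	fmt.Println("symmetric, same key:", bytes.Equal(pt, msg), err)
	otherKey, _ := NewSymmetricKey()
	_, err = SymmetricDecrypt(otherKey, ct)
	fmt.Println("symmetric, wrong key:", err)

	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ = AsymmetricEncrypt(&priv.PublicKey, msg)
	pt, err = AsymmetricDecrypt(priv, ct)
	fmt.Println("asymmetric, matching private key:", bytes.Equal(pt, msg), err)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = AsymmetricDecrypt(stranger, ct)
	fmt.Println("asymmetric, different private key:", err)
}
```

The two failure cases are the ones the definition above is getting at: with the symmetric key, every holder is equally able to decrypt, so a leaked key compromises all traffic; with the key pair, an outsider who has the public key and the ciphertext still cannot recover the message without that specific private key.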


Quantum Computing Would Make Today’s Encryption Obsolete – Bloomberg

Quantum computing offers processing power so vast it may soon make today's supercomputers look as crude as 1980s PCs. There's a downside: the technology might also render the most secure encryption systems obsolete, cracking codes in a matter of minutes rather than months or years. Gregoire Ribordy says he has a solution. And it's selling fast in China.

For the past 15 years, the former University of Geneva physics professor has been developing something called quantum key distribution, a system that uses the technology to encrypt data so securely that Ribordy says it can't be deciphered even by an advanced quantum computer. "The cybersecurity community must recognize the risks of quantum computing," says Ribordy, a former researcher with Nikon Corp. in Tokyo. "Our challenge is to help governments and businesses be ready."

For its first decade or so, his company, ID Quantique SA, bumped along slowly, selling its equipment primarily to academics researching the technology. Then in December, ID Quantique signed a joint-venture agreement with China Quantum Technologies, based in Hangzhou. Sales of its quantum key equipment have surged as Chinese banks, government agencies, and state-owned giants such as China Railway Corp. embrace the technology. Ribordy, who says he's sold fewer than 100 servers to U.S. customers, predicts the growing activity in China will spur interest elsewhere. "If China's doing it," he says, "maybe it's a good idea to look at why."

While conventional computers interpret data in ones and zeros, a quantum machine can store information in multiple states: as one, zero, both, or something in between. That allows a quantum system to multitask in ways today's binary equipment cannot. A normal computer looking for a name in a phone book cataloged by numbers, for instance, would search one number at a time. A quantum computer could scan all of them simultaneously; where an old machine might sip data through a straw, a quantum system takes in the flow of the Mississippi. And quantum key distribution automatically detects anyone intruding on a transmission, scrambling the key to keep the information safe.

Although the U.S. has long been the leader in quantum key distribution, China has pulled ahead in some areas, says John Costello, a senior analyst at business intelligence company Flashpoint. Chinese researchers in May claimed they'd developed a quantum computer that eclipses those from U.S.-backed ventures; in June another Chinese group said it had successfully used a quantum-enabled satellite to securely transmit data. "The level of investment China is putting into quantum has created a massive market," says Costello, who's testified before the U.S. Congress on the topic. He describes ID Quantique as a significant player in China.

Ribordy's partner, known as QTEC, says it has built the world's first commercial network secured by quantum technology, between Shanghai and Hangzhou. The company says it's invested about 1 billion yuan ($148 million) in quantum computing, it employs roughly 300 researchers, and it's applied for almost 30 patents. In addition to the venture with ID Quantique, QTEC has a joint research lab with Beijing's Tsinghua University, a top school with close ties to the Chinese leadership.

As a Swiss company, ID Quantique doesn't have to adhere to U.S. export controls designed to keep rival powers from obtaining sensitive technology. Ribordy says it took less than a month to get an export permit from Switzerland. Revenue last year was under 100 million Swiss francs ($104 million), he says. But in China, the company's fastest-growing market, sales are on track to triple in 2017 and 2018. "Every country has to improve its defense against attacks," Ribordy says. "China is doing it, and I think other countries should be doing it, too."


Quantum key distribution has its drawbacks. A pair of ID Quantique's servers sells for about $100,000, and there's a limit to how far the machines can be from one another: Quantum computers communicate by firing photons over fiber-optic lines, which become unreliable at distances beyond a few hundred miles. All those factors led the U.K.'s National Cyber Security Centre last November to urge caution against transitioning too soon to quantum key cryptography.

Nonetheless, the agency predicts the cost of quantum key distribution will drop rapidly, and many researchers say it's almost inevitable that quantum computing itself will spur sales of more secure encryption technologies. The imminent arrival of far more powerful computers means companies will have to be ready with similar protective firepower, says Richard Murray, who leads the quantum technologies team at Innovate U.K., a government agency that helps foster new technologies. "The reason there is a market for this now," he says, "is to prepare for the threat of a quantum hack in the future." (With Edwin Chan)

BOTTOM LINE - Quantum computing could render today's encryption obsolete. A Swiss company, ID Quantique, says its technology can keep data safe, and China is a top customer.


Apple sends top executives to lobby Australian government over … – AppleInsider (press release) (blog)

By Mikey Campbell Wednesday, July 19, 2017, 10:29 pm PT (01:29 am ET)

Citing unnamed sources, The Sydney Morning Herald reports Apple met with Australian Attorney-General George Brandis and members of Prime Minister Malcolm Turnbull's government on Tuesday to talk over the cybersecurity measures.

At least one of the engagements was announced on Monday, when Brandis said he planned to meet with Apple executives in hopes of persuading the company to share encrypted data with the country's spy and law enforcement agencies.

According to sources familiar with the talks, Apple maintained its strong stance in favor of consumer privacy, saying it does not want to see laws updated to block companies from using encryption technology, the report said. Further, Apple is opposed to furnishing government agencies with cryptographic keys that would allow access to secure messages.

Apple in its meetings with Australian officials looked to cut down on additional regulation and legal obligations that could potentially result from the new laws, sources said.

Turnbull last week proposed a set of updated cybersecurity laws that would force tech companies like Apple, Facebook and Google to provide access to end-to-end encrypted communications if obliged to do so by court order. The regulations, which the Turnbull administration is looking to get on the books by year's end, are modeled after the UK's Investigatory Powers Act.

"We've got a real problem in that the law enforcement agencies are increasingly unable to find out what terrorists and drug traffickers and pedophile rings are up to because of the very high levels of encryption," Turnbull said. "Where we can compel it, we will, but we will need the cooperation from the tech companies."

Exactly how the government intends to enforce the proposed rules remains unclear.

End-to-end encryption systems rely on cryptographic keys to encrypt plain text messages as they travel through servers between devices. Importantly, service providers do not have access to private keys and are therefore unable to access conversations.

Members of Turnbull's administration who met with Apple said the government does not want to create backdoors to messaging services, nor does it want to weaken encryption, sources said. Apple's recent meetings were in part meant to help the government decide how best to overcome these substantial technical hurdles, the report said.


To battle hackers, IBM wants to encrypt the world – Los Angeles Times

There are only two types of companies, it is commonly said: those that have been hacked, and those that just don't know it yet.

IBM Corp. wants to get rid of both. The Armonk, N.Y., computing giant said Monday that it has achieved a breakthrough in security technology that will enable all businesses to encrypt their customer data on a massive scale, turning most if not all of their digital information into gibberish that is illegible to thieves, with its new mainframe.

"The last generation of mainframes did encryption very well and very fast, but not in bulk," Ross Mauri, general manager of IBM's mainframe business, said in an interview. Mauri estimates that only 4% of data stolen since 2013 was ever encrypted.

As the number of data breaches affecting U.S. entities steadily grows, resulting in the leakage every year of millions of people's personal information, IBM argues that universal encryption could be the answer to the epidemic of hacking.

The key, according to IBM officials, is an update to the computer chips driving the powerful mainframe servers that house corporate or institutional information and process millions of transactions a day worldwide, such as ATM withdrawals and credit card payments and flight reservations.

Cryptography, the science of turning legible information into coded gobbledygook, is already commonly used among certain email providers and storage services. But because of the enormous computational power needed to quickly encrypt and decrypt information as it passes from one entity to another, many businesses use encryption only selectively, if at all. A December report by the security firm Sophos found that while three out of four organizations routinely encrypt customer data or billing information, far more do not encrypt their intellectual property or HR records. Sixty percent of organizations also leave work files created by employees unencrypted, the study found.

All of these represent opportunities for digital criminals, said Austin Carson, executive director of the technology think tank TechFreedom.

"Way too much information is stored in clear text," he said. But universal or pervasive encryption, he added, could help ensure that even if hackers broke into a company's network, any information they found would be impossible to decode. "That would be a huge step forward just in terms of protecting a much larger body of information," Carson said.

But the same technology could frustrate law enforcement, which in recent years has waged a furious battle with Silicon Valley over encryption technology and how extensively it should be used.

In a high-profile dispute last year with Apple Inc., the Justice Department argued that the company should help officials break into an encrypted iPhone used by one of the shooters in the San Bernardino terror attack. Apple refused, saying that developing tools to break encryption would undermine its customers' security, particularly if the tools were to fall into the wrong hands.

Apple's concern is not theoretical: This year's WannaCry ransomware attack, which held thousands of PCs hostage, has been linked to a Windows vulnerability that was secretly discovered and exploited by the National Security Agency long before it leaked into the wild.

In its push to expand universal encryption, IBM is taking Apple's side in the debate.


"IBM fully supports the need for governments to protect their citizens from evolving threats," the company said in a statement on the issue. "Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society."

For IBM, encryption is also a massive business opportunity. Businesses spend more than $1 trillion a year making sure that their security meets government standards, according to company officials. One aspect of IBM's new approach to mainframes is the concept of automating that compliance work, using artificial intelligence to check that what's being protected passes regulatory muster in various industries.

In doing so, IBM expects to turn a chunk of that annual compliance spending into revenue for itself. And that's on top of the roughly $500,000 it expects to charge new customers for using its newest mainframe technology. Most businesses, Mauri said, will be upgrading from an existing setup, so the cost for those clients could be less.

For some small businesses, that may still be too expensive. Still, the history of technology suggests that with time, those prices may fall.

"This is the turning point. The idea here is that you can start to encrypt all data," Mauri said. But even as IBM makes encrypting everything a priority, security experts like Mauri already have their eyes set on the next holy grail: The ability to securely edit and manipulate encrypted files without ever having to decrypt them in the first place.

Fung writes for the Washington Post.


Read the original here:
To battle hackers, IBM wants to encrypt the world - Los Angeles Times