Tech Talk: Technical overview of InfoSphere Guardium Data Encryption (1 of 3) Overview – Video


Tech Talk: Technical overview of InfoSphere Guardium Data Encryption (1 of 3) Overview
In part 1 of this 3-part tech talk, Tim Parmenter provides an introduction and architectural overview of the InfoSphere Guardium Data Encryption solution for data at rest.

By: InfoSphereGuardium

See the original post here:
Tech Talk: Technical overview of InfoSphere Guardium Data Encryption (1 of 3) Overview - Video

Tech Talk: Technical overview of InfoSphere Guardium Data Encryption (3 of 3) Customer use case – Video


Tech Talk: Technical overview of InfoSphere Guardium Data Encryption (3 of 3) Customer use case
In part 3 of this 3-part tech talk, Mark Jamison describes why a large retailer chose InfoSphere Guardium Data Encryption for their massive deployment and describes lessons learned.

By: InfoSphereGuardium

Originally posted here:
Tech Talk: Technical overview of InfoSphere Guardium Data Encryption (3 of 3) Customer use case - Video

Web Encryption – It’s Not Just for E-Commerce, Anymore

Last week, I re-tweeted Cloudflare's announcement that they are providing universal SSL for their customers. I believe the announcement is a valuable one for the state of the open Internet for a couple of reasons:

First, there is the obvious: they are doubling the number of websites on the Internet that support encrypted connections. And, hopefully, that will prompt even more sites/hosting providers/CDNs to get serious about supporting encryption, too. Web encryption: it's not just for e-commerce, anymore.

Second, and no less important, is the way that the announcement articulates and shares their organizational thought processes. They are pretty clear that this is not a decision made to immediately and positively impact their bottom line of business. It's about better browsing, and a better Internet in the long run is better business. And, they are also pretty open about the challenges they face, operationally, to achieve this. That's another thing that can be helpful to other organizations contemplating the plunge to support SSL.

So, go ahead and have a read of their detailed announcement and please forget to check if my website supports encrypted connections. It does not :-/ (yet). I've added it to my IT todo list right after dealing with some issues in my e-mail infrastructure. I asked the head of IT for a timeline on that, and she just gave me a tail-flick and a paw-wash in response. Life as a micro-enterprise.

More substantially, I could easily become a Cloudflare customer and thus enable encryption up to the Cloudflare servers. But, proper end-to-end encryption requires my site to have a certificate, based on a unique IP address for this website and the going rate for that, given where my site is, is $6/mo. That adds, substantially, to the cost of supporting a website, especially when you might have several of them kicking around for different purposes.

There's work to be done yet in the whole security system (economics) model, it seems to me. Open discussion of practical issues and eventual work arounds does seem like a good starting place, though.

A version of this post originally appeared on http://www.thinkingcat.com.

By Leslie Daigle, Principal, ThinkingCat Enterprises and Editor, InternetImpossible. More blog posts from Leslie Daigle can also be read here.

Related topics: Privacy, Security, Web

Read the rest here:
Web Encryption - It's Not Just for E-Commerce, Anymore

Smartphones ‘remotely wiped’ in police custody, as encryption vs. law enforcement heats up

Summary: British police are warning that smartphones in custody for forensics and ongoing investigations are being remotely wiped, potentially killing vital evidence.

British police forces have complained that as many as six smartphones seized have been remotely wiped in the past year, potentially killing vital evidence as part of ongoing investigations.

The somewhat comical angle from the BBC News on Thursday was that Cambridgeshire, Derbyshire, Nottingham, and Durham police "don't know how people wiped them."

Here's a hint, police: "Find my iPhone."

The issue stems from the technology that allows users to remotely wipe their device, and potentially corporate secrets and personal information, in cases where their devices have been lost or stolen.

Most modern phones come with this technology: Apple iPhones, Android and Windows Phone devices all do. In many cases, like with BlackBerry handsets, company IT administrators can also remotely wipe data.

But this poses a problem for the British bobbies. The report said, citing one forensics expert, "If a device has a signal, in theory it is possible to wipe it remotely."

Police often use radio-frequency shielded bags, or even microwave ovens (so long as they're never turned on) to prevent cell service from getting through. However, in some cases, even that short period of time after a device has been seized can be enough to send through a remotely-activated data kill switch.

Law enforcement in the U.S. over the past few weeks have complained at Apple and Google's move to encrypt data on their devices by default, forcing police and federal agents to go to the device owner, rather than to the company themselves.

Many U.S. federal agencies, including the FBI and the NSA, complained that Apple and Google's encryption efforts will hamper investigations. Drug dealers, pedophiles, identity thieves, and other violent criminals will be able to evade capture, they say, with the FBI Director James Comey criticizing Apple for allowing its customers to "place themselves beyond the law."

Read the original post:
Smartphones 'remotely wiped' in police custody, as encryption vs. law enforcement heats up

Apple Says iOS Encryption Protects Privacy; FBI Raises Crime Fears

The FBI says Apple encryption software could make it harder for the police to solve crimes. But Apple CEO Tim Cook disagrees, saying this is about people's right to privacy.

The FBI and other law enforcement agencies are up in arms about new technology now available from Apple and soon to be released by Google.

The software encrypts the data on smartphones and other mobile devices so that not even the companies themselves will be able to access the information.

It's a response by technology companies to revelations by former National Security Agency contractor Edward Snowden that the government was monitoring Americans' Internet and cellphone use.

Apple's new iOS 8 operating system for its iPhone and iPad tablets features encryption software so secure that no one, not even Apple, has the key to it. And it's become a selling point.

In an appearance on PBS's Charlie Rose, Apple CEO Tim Cook said, "people have a right to privacy, and I think that's going to be a very key topic over the next year or so."

FBI Director James Comey says new encryption features allow people "to place themselves beyond the law."

It's already become a key topic for FBI Director James Comey. He told reporters recently he doesn't understand why companies would "market something expressly to allow people to place themselves beyond the law."

Read the rest here:
Apple Says iOS Encryption Protects Privacy; FBI Raises Crime Fears

Apple’s iPhone Encryption Is a Godsend, Even if Cops Hate It

It took the upheaval of the Edward Snowden revelations to make clear to everyone that we need protection from snooping, governmental and otherwise. Snowden illustrated the capabilities of determined spies, and said what security experts have preached for years: Strong encryption of our data is a basic necessity, not a luxury.

And now Apple, that quintessential mass-market supplier of technology, seems to have gotten the message. With an eye to market demand, the company has taken a bold step to the side of privacy, making strong crypto the default for the wealth of personal information stored on the iPhone. And the backlash has been as swift and fevered as it is wrongheaded.

At issue is the improved iPhone encryption built into iOS 8. For the first time, all the important data on your phone (photos, messages, contacts, reminders, call history) are encrypted by default. Nobody but you can access the iPhone's contents, unless your passcode is compromised, something you can make nearly impossible by changing your settings to replace your four-digit PIN with an alphanumeric password.

Rather than welcome this sea change, which makes consumers more secure, top law enforcement officials, including US Attorney General Eric Holder and FBI director James Comey, are leading a charge to maintain the insecure status quo. They warn that without the ability to crack the security on seized smartphones, police will be hamstrung in critical investigations. John Escalante, chief of detectives for Chicago's police department, predicts the iPhone will become the phone of choice for the pedophile.

The issue for law enforcement is that, as with all strong crypto, the encryption on the iPhone is secure even from the maker of the device. Apple itself can't access your files, which means, unlike in the past, the company can't help law enforcement officials access your files, even if presented with a valid search warrant.

That has led to a revival of a debate many of us thought resolved long ago, in the crypto wars of the 1990s. Back then, the Clinton administration fought hard to include trapdoor keys in consumer encryption products, so law enforcement and intelligence officials (NSA being a chief proponent) could access your data with proper legal authority. Critics argued such backdoors are inherently insecure. Trapdoor keys would be an irresistible target for corrupt insiders or third-party hackers, and would thus make Americans more vulnerable to criminals, foreign intelligence services, corrupt government officials, and other threats. Additionally, foreign technology companies would gain a competitive advantage over the US, since they'd have no obligation to weaken their crypto.

The feds lost the crypto wars, but without serious consumer demand, strong encryption has crept onto our gadgets only for narrow purposes, like protecting Internet transactions. The iPhone encrypted email and calendar entries, but little else. Now that Snowden's revelations have reinforced just how vulnerable our data is, companies like Apple and Google, who were painted as NSA collaborators in the earliest Snowden leaks, are newly motivated to demonstrate their independence and to compete with each other on privacy.

However it got there, Apple has come to the right place. It's a basic axiom of information security that data at rest should be encrypted. Apple should be lauded for reaching that state with the iPhone. Google should be praised for announcing it will follow suit in a future Android release.

And yet, the argument for encryption backdoors has risen like the undead. In a much-discussed editorial that ran Friday, The Washington Post sided with law enforcement. Bizarrely, the Post acknowledges backdoors are a bad idea (a back door can and will be exploited by bad guys, too) and then proposes one in the very next sentence: Apple and Google, the paper says, should invent a secure golden key that would let police decrypt a smartphone with a warrant.

The paper doesn't explain why this golden key would be less vulnerable to abuse than any other backdoor. Maybe it's the name, which seems a product of the same branding workshop that led the Chinese government to name its Internet censorship system the golden shield. What's not to like? Everyone loves gold!

See more here:
Apple’s iPhone Encryption Is a Godsend, Even if Cops Hate It

Four-digit passcodes remain a weak point in iOS 8 data encryption

The strength of Apple's revised encryption scheme in iOS 8 hinges on users choosing a strong passcode or password, which they rarely do, according to a Princeton University fellow.

Apple beefed up the encryption in its latest mobile operating system, protecting more sensitive data and employing more protections within hardware to make it harder to access. The new system has worried U.S. authorities, who fear it may make it more difficult to obtain data for law enforcement since Apple has no access to it.

Despite the new protections, data is still vulnerable in certain circumstances, wrote Joseph Bonneau, a fellow at the Center For Information Technology Policy at Princeton, who studies password security.

Users with any simple passcode have no security against a serious attacker who's able to start guessing with the help of the device's cryptographic processor, he wrote.

If an iPhone is seized when it's turned off, it's unlikely that the keys can be derived from its cryptographic co-processor called the Secure Enclave, which does the heavy lifting to enable encryption.

But if an attacker can boot the phone and get access to the Secure Enclave, it would be possible to start guessing passwords in a brute-force attack, and that's where the weakness lies.

Apple doesn't make it easy to completely copy all of the data on a device and boot it up using external firmware or another operating system, which would be an attacker's first step, Bonneau wrote.

His theory of how easy it would be to obtain the data from a device is dependent on an attacker being able to bypass the complicated secure boot sequence of an iOS 8 device.

We'll assume this can be defeated by finding a security hole, stealing Apple's key to sign alternate code or coercing Apple into doing so, he wrote.

If that is possible, the attacker can begin guessing passcodes or passwords against the Secure Enclave. Apple's documentation suggests that such guesses could be conducted at a rate of either 12 guesses per second or 1 guess every five seconds.
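To see what those two guess rates mean for passcode choice, the following added example (not from Bonneau's post or Apple's documentation) computes exhaustive-search time for a few constructed passcode policies and the shortest passcode length that meets a target resistance time. It assumes a uniformly random passcode and a fixed guess rate with no lockout or escalating delay; the policy names and the ten-year target are illustrative.

```python
from fractions import Fraction

# Guess rates quoted in the article, in guesses per second.
RATES = {"12 per second": Fraction(12), "1 per 5 seconds": Fraction(1, 5)}

# Constructed passcode policies for illustration: (alphabet size, length).
POLICIES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "6-char lowercase+digits": (36, 6),
    "8-char lowercase+digits": (36, 8),
}
YEAR = 31_557_600  # seconds in a 365.25-day year

def exhaust_seconds(alphabet, length, rate):
    """Worst-case seconds to try every passcode of exactly this length."""
    return Fraction(alphabet ** length) / rate

def expected_seconds(alphabet, length, rate):
    """Average seconds to hit a uniformly random passcode (about half the space)."""
    return exhaust_seconds(alphabet, length, rate) / 2

def min_length(alphabet, rate, target_seconds):
    """Shortest length whose expected search time reaches the target."""
    length = 1
    while expected_seconds(alphabet, length, rate) < target_seconds:
        length += 1
    return length

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{float(seconds / size):.1f} {unit}"
    return f"{float(seconds):.1f} seconds"

def report():
    """(policy, rate label, worst-case time) for every policy/rate pair."""
    return [(name, label, human(exhaust_seconds(a, n, rate)))
            for name, (a, n) in POLICIES.items()
            for label, rate in RATES.items()]

if __name__ == "__main__":
    for row in report():
        print("{:26} {:16} {}".format(*row))
    print("min length, 36 symbols, 10 years at 12/s:",
          min_length(36, Fraction(12), 10 * YEAR))
```

Under these assumptions a four-digit PIN is exhausted in minutes at the faster rate and in hours at the slower one, which is why the alphabet and length of the passcode, not the encryption itself, set the practical bound.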

Read more from the original source:
Four-digit passcodes remain a weak point in iOS 8 data encryption