Privacy, Secure Sharing and the Holy Grail of Encryption – HackSurfer Hangout – Video


Privacy, Secure Sharing and the Holy Grail of Encryption - HackSurfer Hangout
Peter Long, the CEO of ARKpX (formerly Lockbox), is joining us this Thursday to chat about the world of mobile and the cloud when it comes to cybercrime and cybersecurity. We'll be chatting...

By: HackSurfer


Cloud Encryption Best Practices for Financial Services

In many industries, cloud computing is now vital to remaining competitive. The cloud typically offers superior flexibility, scalability, accessibility, and high availability, enabling businesses to grow more agile and responsive. Regulatory compliance concerns often make banks and other financial service providers slower to adopt the cloud, but even in the financial services industry, the cloud will soon become a necessity.

Banks are already seeing attractive use cases for cloud computing, as Bank Systems & Technology's Bryan Yurcan and Jonathan Camhi pointed out late last year. Cloud-based payment processing is one hot topic. Cloud-based document management is another. Analytics for business insight and fraud detection are also growing popular. However, all of these applications will require a thorough understanding of the regulatory restrictions and how to comply with them. One of the most essential tools to make sure your cloud adoption meets regulatory requirements is cloud data encryption.

What to Protect

PCI DSS mandates the protection of customer account data, which you'll need in order to process payments in the cloud. Per PCI DSS 3.0, that data includes:

PCI DSS requires organizations to "use strong cryptography and security protocols" for the transmission of sensitive cardholder information. Some of these fields are more sensitive than others, however. PANs are more sensitive than expiration dates, for example, while verification codes and PINs are so sensitive that PCI DSS outright forbids the storage of them after the transaction is completed. Your cloud data encryption strategy should include the ability to apply varying strengths of encryption at a granular, policy-based level so that you can apply the appropriate amount of protection to each data type.

Here are some best practices that can help you use cloud data encryption to safely make the most of the cloud.

Cloud Data Encryption Best Practices

Use cloud data encryption that preserves your cloud application functionality

To enjoy the benefits of cloud computing, develop a cloud data encryption strategy that secures your data but also preserves the functionality of the cloud applications you've chosen. Tools like CipherCloud's Searchable Strong Encryption can help, as can encryption and tokenization schemes that retain the original format of the data while hiding the actual values.
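As an added illustration (not code from the article or from CipherCloud), the sketch below applies a per-field policy of the kind described above: verification codes and PINs are discarded, the PAN is replaced by a token that keeps its length, digit-only format and last four digits, and any field without a policy is rejected. The field names, the policy table and the in-memory TokenVault are assumptions made for the example.

```python
import secrets

# Hypothetical field names and actions; only the categories come from the text.
POLICY = {
    "pan": "tokenize",            # stored, but never in the clear
    "cardholder_name": "passthrough",
    "expiry": "passthrough",      # assumed to be encrypted by the storage layer
    "cvv": "discard",             # must not be stored after the transaction
    "pin": "discard",
}


class TokenVault:
    """In-memory stand-in for a token vault (assumption: real ones are hardened services)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._token_by_pan:          # same PAN always maps to the same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # keep length, digits and last four
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


def prepare_for_cloud(record, vault):
    """Return the copy of `record` that is allowed to leave for the cloud application."""
    out = {}
    for field, value in record.items():
        action = POLICY.get(field)
        if action is None:
            raise KeyError(f"no policy for field {field!r}")   # fail closed
        if action == "discard":
            continue
        out[field] = vault.tokenize(value) if action == "tokenize" else value
    return out
```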

How does your organization use cloud encryption to remain compliant? Let us know your thoughts in the comments.

Paige Leidig is SVP at CipherCloud. He has 20 years of experience in technology, marketing, and selling enterprise application solutions and managing trusted customer relationships. As SVP of Marketing, he is responsible for all aspects of marketing at CipherCloud. Paige was previously in the Office of the CEO at SAP, where he was responsible for leading and coordinating SAP's acquisition and integration activities on a global basis. He has managed a number of marketing initiatives at SAP, including responsibility for all go-to-market activities for SAP's Cloud applications portfolio. Preceding his SAP career, Paige held senior management positions with Ariba, Elance, and E*Trade.


Statistical Tricks Extract Sensitive Data from Encrypted Communications

Research suggests that surveillance agencies could use statistical tricks to peek through the encryption that protects Web browsing.

Stung by revelations about mass government surveillance, consumer Web companies are expanding their use of encryption and releasing more details of those protections to reassure wary customers. Earlier this year, for instance, Apple released details of how communications sent via its iMessage service are encrypted.

New research suggests that the U.S. National Security Agency, or any other organization capable of collecting large quantities of Web traffic, could extract private information from encrypted communications by searching for patterns in that data stream. In tests, analysis of encrypted Internet traffic could reveal the health conditions a person was researching online. Similar techniques could glean information about use of iMessage such as when a person starts typing or what language they wrote a message in. That research focuses on an approach known as traffic analysis, which involves using statistical techniques to find patterns in encrypted communications.

Researchers at the University of California, Berkeley, and Intel developed a particularly effective version targeted against HTTPS, the form of encryption used to protect websites and visible to Web surfers as a padlock in a browser's address bar. The technique involves having software visit the websites of interest and using machine-learning algorithms to learn the traffic patterns associated with different pages. Those patterns are then looked for in a victim's traffic trace.

The approach proved capable of identifying the pages for specific medical conditions a person was looking at on the Planned Parenthood and Mayo Clinic websites even though both sites encrypt connections with HTTPS. It could also identify what services a person accessed when he or she logged onto financial sites including Wells Fargo and Bank of America. On average, the technique was about 90 percent accurate at identifying Web pages. A paper on the Berkeley research will be presented at the Privacy Enhancing Technologies Symposium in Amsterdam next month.
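The following added example (not from the Berkeley paper or the article) shows, from the defender's side, why encrypted pages stay distinguishable and how much response padding helps: it counts how many pages on a site have a unique profile of observable response sizes, with and without padding to fixed buckets. The page paths, resource sizes and the 29-byte per-response overhead are constructed, and exact size matching stands in for the machine-learning step described above.

```python
from collections import Counter

# Constructed sample: plaintext size in bytes of each resource a page loads.
PAGES = {
    "/conditions/a": [18200, 4100, 950],
    "/conditions/b": [18200, 7300, 950],
    "/conditions/c": [22150, 4100, 1210],
    "/accounts/summary": [9800, 3300],
    "/accounts/transfer": [9800, 5150],
}
RECORD_OVERHEAD = 29  # assumed constant number of bytes added per encrypted response


def observed_sizes(resources, pad_to=None):
    """Sizes visible on the wire: ciphertext length tracks plaintext length."""
    sizes = []
    for n in resources:
        if pad_to:
            n = -(-n // pad_to) * pad_to   # round up to the next bucket boundary
        sizes.append(n + RECORD_OVERHEAD)
    return tuple(sorted(sizes))


def uniquely_identifiable(pages, pad_to=None):
    """Pages whose size profile matches no other page on the site."""
    profiles = {path: observed_sizes(res, pad_to) for path, res in pages.items()}
    seen = Counter(profiles.values())
    return sorted(path for path, fp in profiles.items() if seen[fp] == 1)


def padding_cost(pages, pad_to):
    """Ratio of padded payload bytes to original payload bytes."""
    raw = sum(sum(res) for res in pages.values())
    padded = sum(
        sum(observed_sizes(res, pad_to)) - RECORD_OVERHEAD * len(res)
        for res in pages.values()
    )
    return padded / raw
```

With 8 KiB buckets no page in this sample has a unique size profile, yet the number of responses still separates the two site sections, so padding narrows the leak rather than closing it.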

Traffic analysis would be a useful tool for surveillance by government programs, such as those used by the NSA to collect and analyze encrypted Internet traffic (see NSA Leak Leaves Crypto Math Intact but Highlights Known Workarounds). Corporations with access to Internet traffic might also have motivation to use it, says Brad Miller, the PhD candidate at Berkeley who led the research.

"There are very valid use cases of this type of analysis for companies," he says. For example, an ISP might want to gain information about its customers' online activity that could be used to target ads, even if those customers have encrypted their browsing or communications. Some ISPs, such as Verizon Wireless, already sell data on their customers' browsing to third parties for such purposes.

Scott Coull, a researcher with the security company RedJack, says the Berkeley work is the latest in a series of papers showing how traffic analysis could be used against consumers. "When you look at the worst case for this kind of attack, things don't look very good," he says.

Coull recently found that traffic analysis can be very effective against messages sent via Apple's iMessage, which are encrypted from the moment they are sent to the moment they are received. "iMessage is by far the worst thing I've seen," he says. Coull was able to identify when users started or stopped typing, were sending or opening a message, the language a message was written in, and its length, with 96 percent accuracy or higher.

That, combined with the fact that the iMessage protocol transmits a unique identifier for a device, adds up to similar metadata to what has been controversially collected by the NSA on U.S. phone calls, says Coull. "If I had the ability to monitor a big chunk of traffic to and from the iMessage servers, I could come up with a social network of whom is messaging whom, and the language they're using and the approximate size of the messages," he says.


Cyber Entrepreneurs, Privacy Matters Pt. 2, Encryption Woes and the Controversy of Anonymity – Video


Cyber Entrepreneurs, Privacy Matters Pt. 2, Encryption Woes and the Controversy of Anonymity
This week on Cyber Frontiers we talk cyber innovation, privacy, and the encrypted era of financial and informational systems with special guest Mark Goldstein, Vice President of Business Developmen...

By: Jim Collison


Will full encryption sideline Google’s targeted ads?


By Zach Miners

June 18, 2014 08:39 AM ET

IDG News Service - Mining personal data to deliver targeted ads is the lifeblood of Google's business -- and of many other online firms. But what if that data dries up at the source?

Google released an early version of a new tool recently that will provide full "end-to-end" encryption for email. It's a super-strong cloaking technology that scrambles messages before they leave their browser and keeps them that way until they're decoded by the recipient.

The technology makes use of a private key-string that only the user has access to, meaning even the email provider can't read the contents of messages. Google says anyone will be able to use the tool with their existing web-based email service.

It was hailed as a big step forward in privacy, but the increased use of strong encryption also threatens the ability of online firms to sell targeted ads, altering the calculus that makes it worthwhile for them to offer online services for free. Google, after all, scans emails to deliver keyword-based advertising, and for other purposes like blocking spam and malware. Yahoo also scans email, though Microsoft says it does not.

"This tool is in direct conflict with their business model," said Tyler Cohen Wood, an online security expert and cyber branch chief for the Defense Intelligence Agency within the U.S. Department of Defense. For Google to offer it, she said, is strange.

Google said the tool is intended for a subset of users who want additional security beyond what the company already provides. "We recognize that this sort of encryption will probably only be used for very sensitive messages or by those who need added protection," Google said in its announcement.

But its goal is to eventually make a more polished version available for download in its Chrome Web Store. And as users become more insistent about privacy, other online firms may offer similar capabilities.
