Zoom will let paying customers pick which data center their calls are routed from – The Verge

Zoom will let paying customers pick which data centers calls can be routed through starting April 18th, the company announced in a blog post today. The changes come after a report from the University of Toronto's Citizen Lab found that Zoom generated encryption keys for some calls from servers in China, even if none of the people on the call were physically located in the country.

Zoom says paying customers will be able to opt in or out of a specific data center region, though you won't be able to opt out of your default region. Zoom currently groups its data centers into these regions: Australia, Canada, China, Europe, India, Japan/Hong Kong, Latin America, and the US.

Users on the company's free tier can't change their default data center region, though any of those users outside of China won't have their data routed through China, according to Zoom.

On April 3rd, Citizen Lab published its report describing how Zoom's encryption scheme sometimes used keys generated by servers in China. That could mean, in theory, that Chinese officials could demand Zoom disclose those encryption keys to the government.

Zoom CEO Eric Yuan said that in the rush to add server capacity to meet the massive need for Zoom during the COVID-19 pandemic, "we failed to fully implement our usual geo-fencing best practices" and that it was possible that certain meetings were allowed to connect to systems in China. This wasn't the intended behavior, and the company had corrected the issue, according to Yuan.

Yuan announced in an April 1st blog post that Zoom would be implementing a 90-day feature freeze to focus on fixing privacy and security issues. He also said Zoom jumped from 10 million daily users in December all the way up to more than 200 million daily users in March as people flocked to the service while at home due to the pandemic.


How Working Remote And Protecting Encryption Is Natural For This Blockchain Company – Forbes

As most of us look to avoid Zoom Bombings, whether by some hacker with a hoodie on the Web or your dog or cat wanting your attention, the challenges of working from home are perhaps the greatest obstacles that the vast majority of Americans face as we navigate the COVID-19 pandemic. These concepts bring to light the idea of how safe we are on these electronic devices in terms of our privacy, both at a personal level and for corporations and their clients. As the U.S. Senate considers a new piece of legislation called the EARN IT Act, many are concerned the bill would kill end-to-end encryption, an element of technology that allows for private communication. This concern comes at a time when staying at home is the only option.


For one company in the blockchain industry, remote working is nothing new - prior to, during, and after COVID-19, all employees at this company have always worked remotely. In speaking with Corey Petty, Chief Security Officer of Status, a company offering an open-source Ethereum-based app that includes a private chat messenger, crypto-wallet and Web 3 browser, I learned some important lessons on how to work from home as an organization and as an individual. Additionally, I was able to understand the importance of end-to-end encryption and the backlash against new legislation in Congress that may force companies to stop using this type of cryptography.

In discussing the keys to success in remote working, Petty commented, "It starts with understanding communication within the organization and using the available tooling that are online today...Especially for a company like Status, where we are distributed across the globe, time zones become increasingly a part of that communication overhead and dealing with asynchronous communication has to be something that you are used to. It's establishing a digital workplace."

It must be hard if you are used to just asking a friend or colleague to come over and ask a quick question, and Petty notes establishing a digital workplace is really hard to do depending on how a company is set up and can be unique to the individual processes businesses go through. Leadership is key, and Petty notes, "Having a very good COO who knows what they are doing and how to communicate is pivotal...[a company] has to have the ability to adapt and change how they operate very quickly or they are not going to be able to survive."

He notes it is important to manage the work-life balance as well and separate yourself from your work and living space. Additionally, organizational time management such as setting up regular meetings with the groups you need to be talking to and using all available videoconferencing applications for that type of thing is critical so that as an individual, you have a better idea of how to organize your time and get work done. However, don't ask Petty to talk in a Zoom chat. Based on his expertise in security, this is something that he notes: "I would not use Zoom." Petty also does note that with companies like Status, this is really easy because they do not make physical products. "Most of what we do is software development or protocol development so the digital aspect of our company is almost 100% whereas a lot of companies who don't have that opportunity need to be creative on who they can send home and who they can't and organize those processes accordingly."

Policy Of Ending End-To-End Encryption Policy In the United States

In terms of surviving, Status and other blockchain companies that see encryption as essential, not only to their business models but also to the principles of maintaining anonymity and privacy in a digital workplace, are concerned about new legislation in the Senate. The EARN IT Act, introduced by the Chair of the Senate Judiciary Committee, Senator Lindsey Graham (R-SC), takes its name from "earning" immunity: it would end the automatic immunity that internet platforms such as Facebook or Twitter have from lawsuits over what is posted on their platforms.

The bill makes an exception to the Communications Decency Act, which under Section 230 normally provides immunity, in cases of child sexual abuse, and requires a list of best practices to be established by companies, with a Commission headed by the U.S. Attorney General helping to oversee its development.

Many organizations are not taking the proposal lightly and are pushing back. The Electronic Frontier Foundation stated that the EARN IT Act is unconstitutional and violates our First and Fourth Amendment rights. The EFF is urging people to call their Senators to vote No on this legislation.

Petty said he "...sees the exception to Section 230 as an enforcement tool for whatever leverage the EARN IT Act provides, and quite frankly, an underhanded one. It essentially turns a voluntary list of best practices to be mandatory, for operating a tech company in the U.S. without the legal protections of Section 230 is infeasible."

Encryption probably faces its most challenging fight ever and blockchain companies should take heed, because with the Chair and Ranking Member of the Senate Judiciary Committee, along with 10 Co-Sponsors, voting to recommend the bill's passage, combined with both the previous President and the current one actually agreeing on a topic, this bill may just be as strong in politics as end-to-end encryption is in technology. As former President Obama noted at a SXSW Conference in 2016, if the government cannot crack encryption, it is like everyone walking around with a Swiss bank account in their pocket.


Petty notes "encryption is the last bastion of a strong defense and weakening encryption usually comes at the expense of the defender, not the attacker...The process of introducing backdoors and selective access to encryption schemes is not one that should be rushed...There is an overwhelming consensus that this is a wrong move to take and it's moving in the wrong direction."

Although the verdict on end-to-end encryption is not out yet, one thing does appear certain: that decentralized companies from the blockchain space have a lot to offer in the way of offering protection for company security as well as tips for working from home.


What is homomorphic encryption and how can it help in elections? | Microsoft On The Issues – Microsoft

Confidence in the electoral system is fundamental to a healthy democracy. But when a Gallup poll last year asked people if they had faith in the honesty of elections, 59% of Americans said they did not. The only five countries where confidence in elections is lower, according to Gallup, are Lithuania, Turkey, Latvia, Chile and Mexico.

Elections tend to be the point at which most people come into closest contact with their country's political processes, when they cast their vote and have a say in who will represent them in local, regional or national bodies. The Gallup finding, that only 40% of Americans said they are confident in the honesty of elections in the country, relates to a number of factors, the poll says.

From fears of interference in the way an election is run, to failings in the way votes are counted, there is clearly an issue here waiting to be resolved. Data encryption could help to rebuild public trust in democracy by creating a greater sense of connection between the electorate and the results of the elections in which they take part.


Using data without losing privacy

Encrypting data is commonplace. Emails, message platforms, e-commerce and online banking are just some of the everyday activities that are made safer and more secure because of it. There is also a role for encryption in helping foster greater trust in the democratic process.

Historically, however, encryption has not been used widely to protect voting data. That's because data that's been encrypted tends to be static; it isn't possible to do much with static data, other than keep it safe and secure.

But what if it was possible to take that data in its encrypted form and perform calculations and computations without first decrypting it? All the encrypted votes could then be added together, counted, tallied and verified while still in their safe and protected state.

This is one of the things that can be done using what is known as homomorphic encryption.

Josh Benaloh, Senior Cryptographer at Microsoft Research, explains how it works: "The key thing is that this can help address the confidence shortfall," he says. "With regular encrypted data, all you can do is decrypt it. It's a little like putting something in a safe for transport or safekeeping. Eventually, all you're going to do is take it out."

But homomorphic encryption allows you to compute on encrypted data without the need to decrypt it first.

In a wider context, it would allow an organization to do more than just store encrypted data in the cloud. It would be possible to perform computational tasks on it while keeping it completely secure, getting an encrypted result as the output.

Adding value

Homomorphic encryption offers the ability to perform additions on encrypted data, which unlocks a number of potentially useful scenarios. It becomes possible to review salary data and calculate the average or the mean salary paid to an organization's employees, for example, all while keeping the privacy of individual employees and their rates of pay safe and secure.

"If you think about what an election is, it all starts with ones and zeros," Benaloh says. "One is 'I selected that option' and zero is 'I didn't select that option.' Tallying the election is just adding how many selected one option, how many selected a different option, adding all the ones and zeros."


Thanks to the homomorphic property, you take all the individual encrypted votes and aggregate them into an encrypted tally, and then you can decrypt to get the separated-out tallies without compromising the privacy of individual votes.
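The tally described above can be sketched with exponential ElGamal, one additively homomorphic scheme. This is an added example, not Microsoft's or ElectionGuard's code; the 11-bit group parameters, the function names and the sample ballots are constructed for illustration, and the group is far too small to be secure.

```python
import secrets

# Constructed toy group: P = 2*Q + 1 with P and Q both prime.
# G = 4 is a square mod P, so it generates the subgroup of prime order Q.
# An 11-bit modulus is for readability only and offers no security.
P, Q, G = 2039, 1019, 4

# Constructed sample ballots: one row per voter, one 0/1 column per option.
SAMPLE_BALLOTS = [
    [1, 0, 0],
    [0, 1, 0],
    [1, 0, 0],
    [0, 0, 1],
    [1, 0, 0],
    [0, 1, 0],
    [1, 0, 0],
]


def keygen():
    """Return (secret, public) for the election authority."""
    secret = secrets.randbelow(Q - 1) + 1            # 1 .. Q-1
    return secret, pow(G, secret, P)


def encrypt(public, bit):
    """Exponential ElGamal: the vote sits in the exponent of G, so
    multiplying ciphertexts adds the votes underneath."""
    if bit not in (0, 1):
        raise ValueError("a selection is 0 or 1")
    r = secrets.randbelow(Q - 1) + 1                 # fresh nonce per ciphertext
    return pow(G, r, P), (pow(G, bit, P) * pow(public, r, P)) % P


def combine(c1, c2):
    """Homomorphic addition: component-wise product of two ciphertexts."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P


def encrypt_ballot(public, selections):
    return [encrypt(public, s) for s in selections]


def tally(encrypted_ballots):
    """Aggregate per option without decrypting any individual ballot."""
    totals = list(encrypted_ballots[0])
    for ballot in encrypted_ballots[1:]:
        totals = [combine(t, c) for t, c in zip(totals, ballot)]
    return totals


def decrypt_total(secret, ciphertext, max_votes):
    """Decrypt an aggregate. Decryption yields G**total, so the total is
    recovered by searching the small range 0..max_votes."""
    a, b = ciphertext
    # a lies in the order-Q subgroup, so a**(Q - secret) == a**(-secret) mod P.
    g_total = (b * pow(a, Q - secret, P)) % P
    candidate = 1
    for total in range(max_votes + 1):
        if candidate == g_total:
            return total
        candidate = (candidate * G) % P
    raise ValueError("total outside the expected range")


def run_election(ballots):
    """Encrypt every ballot, add them up encrypted, decrypt only the sums."""
    secret, public = keygen()
    box = [encrypt_ballot(public, b) for b in ballots]
    return [decrypt_total(secret, c, len(ballots)) for c in tally(box)]


# A deployed system would also attach a proof that each ciphertext encrypts
# 0 or 1 and would split the secret among several trustees; neither is shown.
if __name__ == "__main__":
    print(run_election(SAMPLE_BALLOTS))
```

Only the three aggregate ciphertexts are ever decrypted; the seven individual ballots stay encrypted throughout.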

This delivers a full record of how many votes were cast for each candidate while safeguarding the secrecy of the ballot. But it does something else. It makes it possible to offer voters end-to-end verifiability.

All of this was put to the test during the Microsoft ElectionGuard pilot in Fulton, Wisconsin in February 2020. The ElectionGuard software encrypted each voter's choice before generating a ballot paper and tracking number for them. Voters received a unique code as part of their encrypted ballot, which enabled them to access a post-election verification platform. That platform would read the encrypted code and confirm that the vote associated with it was cast in a particular way.

Demonstrating to an individual voter that their vote is secure and their identity protected is clearly a necessary part of maintaining election confidence. If there were ever any doubts over those two factors, people would be forgiven for losing trust in the democratic process.

Homomorphic encryption now offers an undeniable way of verifying the accuracy of each vote cast, too. This may not be the silver bullet that restores faith in the electoral process, but it is an important part of demonstrating to people the robustness of the system to which they entrust their democratic right.

For more on Microsoft's Defending Democracy Program, visit On the Issues. And follow @MSFTIssues on Twitter.


The water department mess continues in Jyväskylä: City kept information on the consultant's additional fee secret, accusing the publication of…

The Jyväskylä city board decided on Tuesday that Centre Party councillors Aila Paloniemi and Kirsi Knuuttila have weakened confidentiality in the preparation of matters. The decision relates to an opinion piece that Paloniemi and Knuuttila published in January (Central Finland), which dealt with previously unpublished information related to the sale of Alva shares.

In their piece, Paloniemi and Knuuttila reported that the consulting agency KPMG, which is producing a report related to the sale, will get a success fee, i.e. additional compensation, if the city ends up selling a minority stake in the Alva company.

Only board members had been told about the content of the agreement and the success fee. The information was kept secret from council members and residents.

Knuuttila, who sits on the city board, told Yle that she had received the information verbally from a reliable source in mid-January. After that, she said, they had contacted the city government and the preparing officials about the confidentiality, because the information should be public.

"Board members did not see the success fee as a problem and did not move to lift the secrecy. I was told that I can appeal to the administrative court and try to have it lifted that way, but a decision there takes half a year. We decided to publish the opinion piece because we felt that we had no other options," Knuuttila said.

Legal grounds for sanctions not found

According to the city government's Tuesday decision, the information on the success fee and the other content of the commission contract is confidential information that should not have been leaked to the public.

The decision is justified by the fact that the information on the contract's content had been given to board members in confidence, and that the procedure safeguards open preparation between the preparing officials and city board members.

In its decision, the city government invoked the Openness Act and stated that freedom of expression does not override secrecy regulations.

However, no legal basis has been found for a police report on Paloniemi's and Knuuttila's actions. The councillors therefore face no sanctions.

Paloniemi finds the decision puzzling.

"This decision is based on just the government's opinion that we have undermined confidence. I would like to ask whether the government has thought about how much it will undermine local people's confidence in decision-making by hiding these things," she said.

Koivisto: trust in the consultant's professional pride

Mayor Timo Koivisto commented to Yle briefly. According to him, the city government's decision is unequivocal and based on the law.

"Night school is a legal procedure, which shall be confidential. If anyone decides to leak those things to the public, trust suffers."

According to Kirsi Knuuttila, information is often confidential at the processing stage, but once the decision has already been made, secrecy usually falls away.

She finds it peculiar and worrying that the city has wanted to conceal information related to the use of money and to the impact analysis of the decision-making process.

"I'm worried about the city's transparency in decision-making. If it is financially advantageous for the company doing the survey that the outcome is a certain one, how can the survey information be considered reliable?" Knuuttila asks.

Koivisto does not see the problem. He said he was confident in the consultant's skills and professional pride.

"It is a peculiar idea that the consultant could guide the city's decision-making, or that we would notice if someone makes purpose-oriented calculations. In addition, the success fee is the usual procedure," he said.

According to Koivisto, the decision-making process has been sufficiently transparent, since the subject has been presented in a coherent and organized way at two city council workshops.

The actual decision on the sale of a minority stake in Alva would happen at the earliest in June 2020. By then, according to Koivisto, the content of the commission agreement and the success fees should be told to the council and possibly also to the public.

"So far we haven't seen it as topical yet," the mayor said.

Researcher: confidentiality may apply only to day school in the

In light of the legislation, it is not at all unambiguous that Paloniemi and Knuuttila acted wrongly when they told the information to the public. The confidentiality of the city government's day schools is binding only on those present at the school, points out associate professor of public law Riku Neuvonen.

"If the matter is not one whose dissemination is otherwise criminalized, outsiders are not bound by the same confidentiality or criminal liability. Thus, if person X is in a meeting and tells the contents of the meeting to Y, Y is not necessarily bound to secrecy and confidentiality. This is what practically all the leaks the media gets are based on," Neuvonen says.

In the case of Paloniemi and Knuuttila, the councillors also did not receive the information through an official position. Data should, therefore, be pointedly given to anyone.

The information belongs to councillors and to the people

According to Neuvonen, the case is not one-sided from the freedom of expression point of view either.

"Here we are close to the point where freedom of speech would override the criterion of secrecy. It is a locally important issue, which is subject to a lot of local political and even national interest. The fact that the consultants receive fees for selling city property is something that does belong to councillors and even to community residents," Neuvonen says.

In addition, this is an already concluded contract, not a situation where consultants, for example, are being tendered, in which case publication would have an effect on corporate activities. Neuvonen finds it hard to see a justification for why the information could not be published.

For example, according to the researcher, patient data are clear-cut in terms of secrecy. Company secrets, instead, are a somewhat more obscure area.

"Especially if the secrecy attempt concerns a mandate agreement that has already been made. It is also worth remembering that the authority's own view of secrecy can be disputed in court. A document can be partially kept secret, i.e. it can also contain a point that could be public."

Processing related to the sale of Alva's minority stake was interrupted in February, when concerns about water privatization rose strongly in the public debate. As a consequence, the consultant company KPMG's investigation was also suspended.


Signal Speaks Out About The Evils Of The EARN IT Act – Techdirt

from the speak-out,-in-encrypted-fashion dept

Signal, the end-to-end encrypted app maker, doesn't really need Section 230 of the Communications Decency Act. It can't see what everyone's saying via its offering anyway, so there's little in the way of moderation to do. But, still, it's good to see it come out with a strong condemnation of the EARN IT Act, which has been put forth by Senators Lindsey Graham, Richard Blumenthal, Dianne Feinstein, and Josh Hawley as a way to undermine both Section 230 of the CDA and end-to-end encryption in the same bill. The idea is to effectively use one as a wedge against the other. Under the bill, companies will have to "earn" their 230 protections, by putting in place a bunch of recommended "best practices" which can be effectively put in place by the US Attorney General -- the current holder of which, Bill Barr, has made clear that he hates end-to-end encryption and thinks it's a shame the DOJ can't spy on everyone. And this isn't just this administration. Law enforcement officials, such as James Comey under Obama, were pushing this ridiculous line of thinking as well.

To be clear, the EARN IT Act might not have a huge direct impact on a company like Signal -- since it doesn't really rely much on 230 protections (though it might at the margins). But it's good to see that it recognizes what a terrible threat the EARN IT Act would be:

It is as though the Big Bad Wolf, after years of unsuccessfully trying to blow the brick house down, has instead introduced a legal framework that allows him to hold the three little pigs criminally responsible for being delicious and destroy the house anyway. When he is asked about this behavior, the Big Bad Wolf can credibly claim that nothing in the bill mentions huffing or puffing or the application of forceful breath to a brick-based domicile at all, but the end goal is still pretty clear to any outside observer.

However, as Signal makes clear, getting rid of end-to-end encryption is much more likely to harm everyone, without providing much help to law enforcement in the first place:

Bad people will always be motivated to go the extra mile to do bad things. If easy-to-use software like Signal somehow became inaccessible, the security of millions of Americans (including elected officials and members of the armed forces) would be negatively affected. Meanwhile, criminals would just continue to use widely available (but less convenient) software to jump through hoops and keep having encrypted conversations.

There is still time to make your voice heard. We encourage US citizens to reach out to their elected officials and express their opposition to the EARN IT bill. You can find contact information for your representatives using The Electronic Frontier Foundation's Action Center.

Stay safe. Stay inside. Stay encrypted.


Aspects of cybersecurity not to overlook when working from home – Big Think

Due to the novel coronavirus situation, billions of people are currently working remotely, many for the first time in their lives. It could be out of personal fears of infection, in obedience of local social distancing regulations, or in accordance with company-wide policies, but the end result is an unexpected shift from the norm of working in the office to working from home (WFH).

Managing a workforce that has been suddenly transformed into a remote one is challenging on many levels, not least because of the need to maintain cybersecurity standards. Prior to the COVID-19 outbreak, many enterprises had yet to contemplate a mass work-from-home scenario, and they therefore lack the policies, devices, or processes to support it securely.

What's more, in recent weeks, companies have been scrambling to preserve their security profiles in the face of an uptick in malicious actors seizing the opportunity to hack corporate systems. That's the bad news. The good news is that you're not powerless. There are practical steps you can take to safeguard confidentiality and cybersecurity with a WFH workforce.

Here are a few of the basics.


A VPN (Virtual Private Network) is the first and most obvious way to secure your organization when employees are logging in from home. When people work from home, they use public internet or weakly-secured WiFi connections to access confidential data in your central database. They also share sensitive files, offering a golden opportunity for hackers to intercept data mid-stream.

A VPN uses strong encryption to create a "tunnel" for any interactions between your employees, and between your employees and your secure corporate network.

Atlas VPN, one of the biggest VPN providers, reports that VPN use has surged in areas with high numbers of coronavirus cases, such as Italy and Spain.

Ignorance can be your biggest danger. If you're used to dealing with a secure internal network, you won't always know where your vulnerabilities and weaknesses lie when it comes to remote access.

This kind of blindness can lead quickly to data breaches that you might not even be aware of until months after the event.

To resolve this issue, use tools like Cymulate's breach and attack simulation platform, which runs simulated attacks across remote connections to assess your cybersecurity risk levels. This can help you determine the extent to which your settings, defenses, policies, and processes are effective, and where you need to make changes in order to maintain a secure organization.


Employees are vital to your success, but they can also cause your downfall. According to security experts at Kaspersky, 52 percent of businesses acknowledge that human error is their biggest security weakness. What's more, some 46 percent of cybersecurity incidents in 2019 were at least partially caused by careless employees.

Employees can cause data breaches in multiple ways, like failing to use a secure connection to download confidential data, forgetting to lock their screens when working in a public place, or falling for phishing emails that install malware on their devices. In addition, your employees might be the first to know about a security breach but choose to hide it out of fear of repercussions, making a bad situation worse.

It's vital to invest time and energy in employee training to ensure that everybody knows how to reduce the risk of successful hacking attacks and is not afraid to report security incidents as soon as they occur. Frequent reminders, online refresher courses, and pop-up prompts help employees take security seriously.

Access controls are a vital layer of security around your network. Losing track of who can access which platforms, data and tools means losing control of your security, and that can be disastrous.

Even in "normal" times, 70 percent of enterprises overlook issues surrounding privileged user accounts, which form unseen entrances to your organization. As the WFH situation drags on, it's even more likely that access controls will lag, opening up holes in your perimeter.

In response, use role-based access control (RBAC) to allow access to specific users based on their responsibilities and authority levels in the organization. By monitoring and strategically restricting access controls, you can further reduce the risk that human error might undermine your careful cybersecurity arrangements.

Because most companies were not yet set up for remote work when the COVID-19 crisis hit, the lion's share of devices used to connect from new home offices are not owned or configured by employers.

And with employees more likely to use their own computers when working from home, endpoint attacks become even more serious. SentinelOne, an endpoint security platform, reported a 433 percent rise in endpoint attacks from late February to mid-March.

Although it can seem difficult to secure endpoints when employees are working remotely, it is possible. SentryBay's endpoint application encryption solution takes a different approach, securing apps in their own "wrappers," as opposed to working on a device security level.

Finally, weak passwords are a known gift for hackers. The problem only grows when employees work from home, as the contextual shift makes it easier for them to ignore reminders from your security team. They are also more likely to share or save credentials for faster remote access when it takes time to get a response from a newly remote security team.

If you don't already use a password manager to force employees to generate strong passwords and avoid sharing or saving credentials, now is the time to begin. CyberArk Enterprise Password Vault requires users to update passwords regularly, enforces multi-factor authentication (MFA) to reduce the chances of hackers entering your network through stolen passwords, and provides auditing and control features so you can track when someone uses or misuses an account.

Consumer password managers like LastPass and 1Password likewise offer business tiers with similar features.

With enterprises unprepared for mass remote working, industries worldwide could face a security nightmare. However, applying best security practices and using advanced tools to test for vulnerabilities, supervise access controls and password management, secure connections, and apply endpoint encryption can go a long way.

Making sure your employees know your security policies will help harden your attack surface, improve your cybersecurity posture, and prevent COVID-19 from causing a cybersecurity plague.


Covid and Crime: Upping the Fight against Global Financial Crime in the Time of Corona – PaymentsJournal

Crisis and the uncertainty and panic that accompany it often opens doors to criminality, inviting bad actors to prey upon our fears and anxieties. The global pandemic has unfortunately provided such an opportunity, unprecedented in modern times: allowing hackers and scammers to take advantage of distracted governments and law enforcement agencies and of the disruption to increasingly anxious citizens' routines to carry out financial theft and money-laundering schemes.

Interpol has even issued an official warning over fraud schemes linked to COVID-19, detailing some 30 fraud types ranging from phishing attempts to phony sales calls. To make matters worse, our disrupted routines pose a serious challenge to fraud detection tools utilized by banks that analyze patterns in payment and money movement, making it much harder to detect truly suspicious behavior within a sea of false positives.

Financial crime was already amajor threat to the worlds economy long before the current health crisis. TheUN estimates that $1.7 trillion is laundered globally every year. Despite thevast sums that banks and financial authorities spend on tracking and combatingmoney laundering, only 1% of laundered funds are actually identified andseized.

Financial experts and regulators agree that one of the main reasons why enormous sums of money are being stolen and laundered each year is the lack of information sharing amongst the relevant bodies, leaving each institution with blind spots. And with fraudsters emboldened by the current crisis, the need for global inter-bank cooperation to thwart such widespread financial crime is greater than ever.

However, as great as the need is for inter-bank cooperation, banks in different countries and under different jurisdictions cannot collaborate effectively if they lack the ability to exchange data. Tightening data privacy regulations like the EU's General Data Protection Regulation (GDPR) and existing financial industry regulations on sharing pre-suspicious or suspicious information have obstructed banks' efforts to run collaborative operations and leverage collective intelligence. Indeed, consumers, enterprises and governments justifiably fear the consequences of sharing individuals' account and transaction data, regardless of the legitimacy of banks' motivations.

The result: In the face of global networks of financial criminals and money launderers, financial institutions are effectively hamstrung, left to wage their fight on their own when information sharing could provide them a true upper hand.

Fuelled by recent advances in Privacy-Enhancing Technologies (PETs), financial crime experts and data scientists are leading groundbreaking research to devise solutions that can enable vital collaboration in the fight against financial crime, while simultaneously adhering to growing data privacy regulations. Homomorphic Encryption is one of these novel PETs, enabling organizations to collaborate on and analyze data while it remains encrypted and thus protected from third-party access that regulators and citizens alike so fear.

These innovative products designed to help banks and financial authorities share data securely and efficiently are becoming market-ready. So, for example, to prevent fraudulent payments, banks can deploy encrypted queries against each other's databases, asking questions about suspicious accounts and transactions without ever revealing the contents of these queries, as they remain encrypted throughout the investigative process. The outcome of these queries is actionable insights that will enable banks to weed out false positives and to focus their efforts on highly suspicious actors, increasing the effectiveness of their investigations.
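The encrypted-query idea described above, as an added example that is not from the article or from any vendor's product: Bank A learns one risk score from Bank B's table without B seeing which account slot was asked about. It uses the Paillier additively homomorphic scheme (the article names no specific scheme); the function names, toy key size, sample scores and the assumption that both banks share an agreed account-slot index are all hypothetical.

```python
import math
import secrets

# Toy primes (Mersenne primes 2^61-1 and 2^89-1) so the demo runs instantly.
# Constructed for illustration; real deployments use a modulus of 2048 bits or more.
P, Q = 2**61 - 1, 2**89 - 1


def keygen(p=P, q=Q):
    """Return (public modulus n, private key) for Paillier with generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # inverse of lam mod n (Python 3.8+)
    return n, (lam, mu)


def encrypt(n, m):
    """Probabilistic encryption: c = (1 + m*n) * r^n mod n^2 for random r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)  # equals 1 + (m * lam mod n) * n
    return (u - 1) // n * mu % n


def build_query(n, index, size):
    """Bank A: encrypted one-hot selector; every entry looks random to Bank B."""
    return [encrypt(n, 1 if j == index else 0) for j in range(size)]


def answer_query(n, enc_selector, scores):
    """Bank B: compute Enc(sum(selector[j] * scores[j])) without decrypting anything."""
    n2 = n * n
    acc = encrypt(n, 0)  # fresh encryption of zero re-randomises the reply
    for c, s in zip(enc_selector, scores):
        acc = acc * pow(c, s, n2) % n2  # ciphertext multiply = plaintext add
    return acc


def private_lookup(index, scores):
    """Run both sides of the exchange and return what Bank A decrypts."""
    n, priv = keygen()                          # Bank A keeps priv, publishes n
    query = build_query(n, index, len(scores))  # Bank A -> Bank B
    reply = answer_query(n, query, scores)      # Bank B -> Bank A
    return decrypt(n, priv, reply)


# Constructed sample data: Bank B's internal risk scores for five agreed account slots.
SAMPLE_SCORES = [0, 3, 0, 7, 1]

if __name__ == "__main__":
    print(private_lookup(3, SAMPLE_SCORES))
```

The sketch assumes both banks follow the protocol honestly; nothing in it stops Bank A from sending a selector that is not one-hot, which a production protocol would need to address.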

While manual information-sharing processes do currently exist, such as the one authorized under section 314(b) of the USA Patriot Act, collaborative solutions based on PETs allow for more efficient, large-scale, automated information exchange, enabling effective, joint investigations based on bilateral or multilateral collaborations. Such solutions also foster the establishment of consortiums between banks and law enforcement such as the UK's Cyber Defence Consortium (CDA), an early adopter of collaborative investigation methods based on PETs.

Effective, regulation-compliant solutions for fighting widespread international financial crime are available now, and must be deployed in order to fight this unfortunate side effect of the current pandemic. In today's volatile economic climate, banks have an essential role to play in stemming the flow of this growing global financial scourge and preventing fraud and financial crime from further destabilizing global markets.

Author: Dr. Alon Kaufman. Publisher: PaymentsJournal.

Read the original here:
Covid and Crime: Upping the Fight against Global Financial Crime in the Time of Corona - PaymentsJournal

Firms Need to be Secure to the Core Before Considering Digital Transformation – EnterpriseTalk

While embarking on a digital transformation journey, firms need to ensure that their infrastructure meets the expected level of security

CEOs have always focused on implementing digital transformation journeys to deliver innovative business models, create new digital customer experiences, and optimize and automate processes to ensure enhanced business performance.

Despite all these advances, organizations are constantly under pressure to prevent attacks on digital technologies that are leveraged to transform the business. Enterprises need to fight cyber-threats and stop them from becoming a hurdle to their digital transformation initiatives. Data security needs to be part of the very fabric of every digital enterprise for them to transform.

Organizations need to move on to a digital transformation journey only once they are assured about their security framework, tools, and structure. Businesses can transform when they become secure to the core, with a defined framework in place to secure all digital transformation efforts.

Continuous monitoring

The first key pillar to secure digital transformation for organizations is to monitor everything across IT and operational technology in real-time. Enterprises today need to possess a plethora of security tools to strengthen their infrastructure across the increasing number of endpoints: firewalls, networks, servers, devices, applications, storage, data, etc.

With the humongous volume of data generated each day, it is almost impossible for firms to identify and respond to the true cyber-threats. Enterprises need to be confident about fighting breaches by applying automation and intelligence to handle the enormous volume of incidents occurring across the globe.

Verify and encrypt

In addition to monitoring, the other two critical activities IT teams need to ensure for securing the enterprise are verification and encryption.

For verification of IDs, firms need to adopt a zero-trust security approach to access and digital identity management. Identity and access management needs to be established conclusively as an essential parameter to strengthen the digital transformation efforts.

Encryption is essential to minimize the risk of unauthorized or unlawful processing of business-critical information. It serves to avoid destruction or damage to data or any other accidental loss. All sensitive data requires proper tokenization or encryption using trusted services, encryption solutions, and rights management to prevent data loss from malicious cyberattacks.

Having an effective defense system in place

A future-proof cyber-defense mechanism is required for companies to be secure to the core. They need to adopt an approach that provides next-generation digital services. It has to run with an enhanced degree of automation through a security platform, applying lean processes, in-depth analytics, and incident management processes. The underlying technologies, described as SOAR (security, orchestration, automation, and response), are getting increasingly popular.

IDC describes such cybersecurity technologies as AIRO (Analytics, Incident, Response, and Orchestration). The AIRO technologies trace the requirements in the Security Operations Center (SOC) to adequately protect the enterprise network with effective threat detection and formal remediation.

Whether organizations decide to adopt SOAR or AIRO technologies, they must apply automation to cyber defenses to keep up with the massive volume of data and incidents generated across a wide array of endpoints and infrastructure.

The occurrence of cyberattacks on organizations has shot up, but the sophisticated methods to counter these heightened threats have also evolved at a similar pace. It is crucial for businesses to first get the security framework in place before embarking on their digital transformation journey.

Read the original here:
Firms Need to be Secure to the Core Before Considering Digital Transformation - EnterpriseTalk

Have You Been Zoom Bombed? Here’s How to Stop It – HowStuffWorks

Like many professors, "Karen Wilson" (not her real name) was teaching a college class online for the first time in late March, since the COVID-19 outbreak had sidelined in-person classes. She was using the videoconferencing platform Zoom for her presentation.

"Ten minutes into my lecture, I started hearing laughter and giggling. Then a voice drops into the classroom asking, 'What class is this?'" she says via email. When Wilson asked what was going on, "a couple of girls answered in unison that they were supposed to be in a high school online class, and they were confused. They asked a few questions and they promptly left."

But things were just getting started.

"A while later, another anonymous person, this time a male, started commenting about smoking marijuana and the kind of great weed he'd found last week. Only the audio was heard and he wasn't seen. I asked him to identify himself. When he would not, I asked him to leave which, thankfully, he promptly did."

She says that because she was brand-new to Zoom, the experience was confusing and disorienting.

"I wasn't sure where the audio was coming from and thought it might be background noise from one of my students," she says. "If I had been more familiar with Zoom, I would have immediately muted everyone's audio, but I was a newbie using it online. I had never considered other people could get the Zoom number and 'drop into' a classroom."

Wilson had just been Zoom bombed. Zoom bombing is shorthand for when strangers intrude on others' meetings on Zoom. Sometimes, these folks might just listen in without anyone knowing they're there. Other times, they totally disrupt the meetings in silly or even threatening ways.

Ultimately, Wilson was lucky. Other victims of Zoom bombing have been subjected to hate speech, profanities, threats and pornographic images.

But how could someone just "drop into" a private meeting?

"Zoom bombing is nothing more than enumerating different URL combinations in the browser," says Dan Desko, a cybersecurity expert from accounting firm Schneider Downs, in Columbus, Ohio.

He gives an example: To find a Zoom meeting, you enter the URL Zoom.us/ plus a string of numbers, which serves as the meeting identification number (e.g., https://zoom.us/j/55555523222).

"The problem becomes when people don't have their meetings protected by passwords, and just by flipping a couple of numbers," you could potentially get lucky and suddenly enter someone else's meeting, he says. "Now obviously, you'd have to do that at the right time [when] the meeting's taking place," he adds.

Just to test the flaw, he tried it himself. Within just a minute or so, he stumbled onto a legitimate meeting ID but the meeting wasn't happening at that particular moment. "It's technically sort of like wiretapping or being able to spy on somebody," says Desko.

But why would Zoom have this particular flaw? It was exposed partly because Zoom exploded exponentially in popularity during the coronavirus pandemic, going from 10 million daily users in December 2019 to 200 million daily users in March. The company simply wasn't prepared for the rush of people wanting to use it for classes, meetings and virtual happy hours with friends.

"Zoom is primarily a corporate collaboration tool that allows people to collaborate without hindrance. Unlike social media platforms, it was not a service that had to engineer ways to manage the bad behavior of users until now," says David Tuffley, a lecturer in Applied Ethics & SocioTechnical Studies at Griffith University in Australia, in an email interview. "Their user base has grown enormously, and there [is] bound to be bad behavior."

The sudden traffic surge exposed other security flaws, too, like dark web accounts and lack of encryption. The FBI put out an advisory warning of Zoom bombing on March 30. Some organizations have opted to ban Zoom. Google won't let its employees use it on their laptops. It's all fallout because Zoom failed to address its flaws quickly enough, says Desko.

"In information security and cybersecurity, we talk about three things: We talk about confidentiality, integrity and availability," says Desko. People want to keep their meetings (especially in business) extremely confidential.

Furthermore, he says, the Citizen Lab at the University of Toronto "showed that the encryption technology that Zoom purported to use wasn't as strong as they say [it was]. They're actually using an encryption technology that was fairly crackable."

It's something, he says, that will take months to fix. (Zoom hopes to do it in the next 90 days.)

And as for integrity?

As Zoom has expanded its server capacity, it has begun to use servers based in China, with Chinese employees. "There are a lot of people calling the confidentiality of the tools into question," Desko says. That's one reason the U.S. Senate asked members to refrain from using Zoom. The Pentagon also followed suit on April 10.

Since Zoom bombing became a problem, Zoom has changed its default settings so that every meeting is automatically assigned a required password to enter it; also, the "waiting room" feature is now automatically enabled when you set up a meeting. This prevents users from joining a call before they've been screened by you, the host. Finally, the meeting ID code is not shown in the title bar during a Zoom meeting.

Desko thinks these measures will go a long way to stopping Zoom bombing. "It's good to keep the meeting ID private so that people can't associate your meeting ID with you or your company," he says. "Or if you are a high-profile person like Boris Johnson, sharing his meeting ID [as he did on a tweet as part of a Zoom screenshot on March 31] was like sharing the address to the bat cave. Even though the bat cave is secure, it is now a specific target. The password is then key to keeping the meeting secure."

He adds that "If you want to be super-secure you should change up your meeting ID with every call and password too. There is a setting to generate a new meeting ID automatically and you can also set the password personally as well."

At the very least, make sure that Zoom's new security features have actually been enabled on the meetings you're setting up.

"If you have a [recurring] meeting set up already that used the old default, you have to go back into Zoom and update those," says Desko. "That's easy enough to do."

Another way to prevent outsiders from hijacking your meeting is to make the "share screen" option only available to the host. You also can mute the microphones of everyone but the host or the speaker and lock the meeting when everyone has joined to prevent break-ins. These features can be done on the Zoom toolbar. And finally, don't post a public link to your meeting that may invite unwanted guests to try to enter.

See the original post here:
Have You Been Zoom Bombed? Here's How to Stop It - HowStuffWorks

8×8 Raises the Bar with New Secure Video Meeting Solution; Oracle Cloud – AiThority

Jitsi.org Publishes Specification for Secure Video Meetings with True End-to-End Encryption; Now Open for Public Comment by Open-source Developer Community

8x8, Inc., a leading integrated cloud communications platform, announced the launch of 8x8 Video Meetings Pro. The solution is powered by Jitsi, an open source community for secure video meetings technology sponsored by 8x8. The company also announced that Jitsi.org and 8x8 video meetings solutions will run on the Oracle Cloud Infrastructure, which offers optimized cloud security and performance, perfect for workloads like video meetings. In a separate event, the Jitsi community published a specification for true end-to-end encrypted WebRTC-based video meetings that is now open for public comment.

"Secure video meetings are a critical part of the day-to-day work of everyone around the world," stated Vik Verma, CEO of 8x8, Inc. "Our Video Meetings, powered by Jitsi open-source technology, are designed from the ground up with security and privacy in mind to give peace of mind so public and private organizations of every size can confidently use them to conduct confidential business meetings. This is true for all of our video meeting products, both paid and free. We collaborated with Oracle to further enhance our strong product and technology platform with Oracle Cloud's top-tier security, performance and affordability. We are looking forward to further scaling our global reach with the Oracle go-to-market team."

8x8, a member of Oracle PartnerNetwork (OPN), also announced today that its 8x8 video meetings solutions, Powered by Oracle Cloud, will be available in the Oracle Cloud Marketplace. The Oracle Cloud Marketplace offers an intuitive user interface to browse and search for available applications and services, as well as user ratings and reviews to help customers determine the best business solutions for their organization.

"Oracle Cloud delivers tremendous price-performance for resource-intensive applications like video meetings. As the world redefines working from home, video meetings are one of our fastest-growing workloads, and we are excited to have 8x8 and the Jitsi open-source community on our cloud infrastructure platform," said Vinay Kumar, Vice President, Product Management, Oracle.

Priced at $9.99 per user per month after a 30-day free trial, 8x8 Video Meetings Pro includes password-protected and randomly named meetings, real-time closed-captioning with post-call transcription, 60 days of cloud storage for meetings recordings, and the ability to easily secure authorized attendees through dial out features. More capabilities will be added, and 8x8 Video Meetings Pro is available today at 8x8.com via self-serve e-commerce.

The new solution is in addition to the currently available 8x8 Video Meetings Free, which is at https://8x8.vc, and includes unlimited usage and international dial-in numbers in more than 55 countries.

8x8 is the main contributor to the Jitsi.org open-source solution, and the standalone and integrated versions of 8x8 Video Meetings are powered by Jitsi. The Jitsi.org code has been hardened with over a million downloads and is embedded in applications like banking video conferencing, education as a service platforms, and home security applications globally. 8x8 Video Meetings utilizes the WebRTC standard which enables attendees to instantly join meetings without any downloads or plugins.

8x8 Video Meetings is also packaged with 8x8 X Series, meeting the needs of businesses with a mobile and remote workforce by providing a highly reliable and resilient solution across desktop and mobile devices for voice, video conferencing, chat, contact center, APIs and advanced analytics built on an open cloud technology platform. This allows companies to rapidly unify a distributed workforce and enable flexible workstyles. It is also offered with 8x8 Express, which is for small organizations and teams that require a complete, preconfigured business phone system with a dedicated business number, video meetings and messaging in a single desktop and mobile application.

8x8 will host a webcast on Tuesday, April 14, 2020 at 10 am PT / 1 pm ET with Ray Wang, Principal Analyst, Founder and Chairman of Constellation Research, and Emil Ivov, Ph.D., Founder of the Jitsi.org open-source project and the head of 8x8 Video Collaboration, to discuss 8x8 video meetings solutions, the importance of open-source video security for all, and why today's encryption and upcoming advanced capabilities are critical for highly-sensitive information and meetings.

Continue reading here:
8x8 Raises the Bar with New Secure Video Meeting Solution; Oracle Cloud - AiThority