On November 5, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that a New York Medical Center (Medical Center) will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying a civil penalty of $3 million and entering into a Corrective Action Plan. The Medical Center is a HIPAA covered entity that includes hospital and academic medicine components.

According to OCR, the Medical Center had experienced several issues with lost or stolen unencrypted devices. OCR investigated the Medical Center in 2010 in a matter relating to an unencrypted flash drive and had provided technical assistance to the Medical Center. In the course of receiving that technical assistance, the Medical Center identified a lack of encryption as a high risk to its electronic protected health information (ePHI). Despite identifying this risk, the Medical Center continued to allow the use of unencrypted mobile devices. In 2013, the Medical Center notified OCR of the breach of unsecured ePHI, specifically the loss of an unencrypted flash drive. In 2017, the Medical Center notified OCR that an unencrypted personal laptop that contained Medical Center ePHI had been stolen, which resulted in the Medical Center impermissibly disclosing the ePHI of 43 patients.

OCR did not consider the risk analysis conducted by the Medical Center to be an accurate and thorough analysis of all potential risks and vulnerabilities to the confidentiality, integrity and availability of all of the ePHI the Medical Center was responsible for safeguarding. Further, OCR determined that the security measures implemented by the Medical Center to reduce risks and vulnerabilities to a reasonable and appropriate level were insufficient. OCR further found that the policies and procedures governing hardware and electronic media, including receipt and removal and movement of such hardware and electronic media in, out and within the Medical Center were also insufficient. Finally, OCR determined that the Medical Center did not implement mechanisms that were sufficient to either (1) encrypt and decrypt ePHI, or (2) document why encryption was not reasonable and appropriate while implementing an equivalent alternative measure to safeguard ePHI.

The Corrective Action Plan requirements include conducting a risk analysis, developing and implementing a risk management plan and updating policies and procedures and training materials.

Practical Takeaways

As a result of this enforcement action, covered entities and business associates should take note of the following:

More:
Failure to Encrypt Hardware Results in $3 Million Fine - Lexology

Heres what you need to know about the debate overend-to-end encryption

Its that time of the year when we grab ourpopcorn and witness another chapter in the age-old battle between governmentsand tech companies. Once again, governments are attacking tech companies forgiving criminals a safe place for their communication, while thecompanies say they are protecting privacy.

After Apple and WhatsApp, Facebook is the latest platform to make the headlines in the ongoing encryption debate end-to-end encryption to be precise. In an open letter addressed to Mark Zuckerberg, co-founder & CEO of Facebook, the governments of the U.S., U.K. and Australia have asked the social networking giant not to proceed with its plans to implement end-to-end encryption across Facebooks messaging services. And not only that, theyve also reaffirmed their request for a backdoor in the encryption of messaging services.

But before you form any opinions on this situation, its essential to know what end-to-end encryption is and what it does.

Lets hash it out.

Well get to end-to-end encryption in abit but before that, lets first understand what encryption is and what itdoes.

Consciously or unconsciously, we all sendand receive a lot of information when we use the internet through our devices.And some of this information is confidential (passwords, financial information,personal photographs, etc.) and could cause a lot of damage if someone stealsor tampers with it. So, how do we make sure that no one does that? Well, thisis where encryption comes in.

Encryption is the technique that turns ourdata into an undecipherable format so that no third party can read or alter it.Its what keeps us safe in the ocean of the internet.

Heres an example of a phrase of textthats been encrypted:

As you can see, theres no way to figureout what the encrypted text means unless, of course, you have the private keyto decrypt it.

Facebook Messenger already uses encryption just not end-to-end encryption. Normal encryption (a.k.a. link encryption)works like this:

Note that in this scenario, Facebookcontrols the encryption/decryption, and Facebook has access to the decryptedmessage.

Now, lets get to end-to-end encryption. Its precisely what it sounds like end-to-end encryption facilitates the type of encrypted communication that only the sender and receiver can read/see. No one in the middle including Facebook, the government, or another messaging service provider can read/decrypt messages being sent from one device to another.

In other words, the messages you send aredecrypted at the endpoint of the communication the device youre sendingmessages to. The server youre sending the data through (i.e. Facebook) wontbe able to decrypt or view your messages.

The distinction between the two is that while normal or link encryption encrypts the data, the server transmitting information between two devices has the ability to decrypt the encrypted data. End-to-end encryption, on the other hand, uses the server to transmit the data (how else would the data transfer take place?), but it doesnt allow the server to decrypt the data. Therefore, the server is just a medium that facilitates data transfer of encrypted information. Hence, WhatsApp or any other end-to-end encrypted app wont be able to read your information (even if they want to).

Security professionals and privacy experts largelysupport the idea of end-to-end encryption because it better protects your datafrom hackers and other parties who may want spy on you. When you allow the datatransmitter (the messaging service provider in this case) to decrypt yourmessages, youre leaving a significant potential security hole that could causeproblems if the server is compromised, hacked, or surveilled.

If the information is protected end to end,though, theres no point in intercepting information halfway down the line asits in an encrypted format. Thus, it protects the privacy of millions ofpeople and assures them that no one not even the messaging service itself could read their private information. For this reason, experts (includingorganizations such as the Electronic Frontier Foundation (EFF), the Center forDemocracy & Technology, and others) are advocating for the use ofend-to-end encryption in messaging apps.

The main argument against end-to-endencryption (and in favor of link encryption) is that end-to-end encryption createsa safe space for criminals to communicate where theres no thirdparty who can read and perform security checks on their messages. In otherwords, the technology thats supposed to protect the privacy of millions ofpeople and businesses protects the confidentiality of criminals as well.

Im not saying that Im in favor of thisargument, but it undeniably does hold some water. If the server was able to decryptthe data, we can have a system that would help in catching the bad guys. In thecase of end-to-end encryption, this option is gone. I dont know what othermotives they may have, but this is the argument that the governments of the U.S.,U.K., and Australia are using to do away with end-to-end encryption.

While the argument made by variousgovernments might make sense to a certain extent, theres always a questionmark regarding their full intentions. Do they care about the crimes that may behidden because of end-to-end encryption, or are they crying foul in order toserve a bigger agenda: having the power to easily spy on people?

So far, seeing the evidence thatsavailable to us, both seem likely to be true.

And its worth noting here that EdwardSnowden, the famous National Security Agency whistle-blower, previouslyrevealed that the intelligence services in the U.K. and U.S. had beenintercepting communications through various channels for many years on a massscale. So, where do you draw the line as far as governments interference isconcerned? Encryption can be used for good and for bad, but so cansurveillance!

If youve been following this entire encryption saga, you must have stumbled across the term backdoor.

Basically, a backdoor is a mathematical feature of the encryption key exchange that could decrypt the end-to-end encryption, and no one knows about this except the ones who made it (the messaging service). In popular words, its like a secret key. So when, lets say, a judge orders a warrant to hand over certain information in a decrypted format to the government, the messaging app (or the government agency) could use this backdoor to give your decrypted information to the government.

But, again, this comes with a danger a massive one. What if this powerful tool falls into the wrong hands? If a cybercriminal somehow gets hold of this secret key, they could have access to all of your private pictures, messages, etc. and do who knows what with them! And thats why creating a backdoor could be even more dangerous than concerns about standard encryption.

Dont Get Breached

91% of cyber attacks start with an email. 60% of SMBs are out of business within six months of a data breach. Not securing your email is like leaving the front door open for hackers.

Implementing end-to-end encryption wouldmean that even Facebook itself wont have access to the information beingshared through its messaging service. This seems quite contrary to the businessmodel that Facebook has built around data monetization.

So, why doesnt Facebook want the data? Doesit really care about privacy, or is there something else hiding behind thecurtain?

One possible reason why Facebook plans to implement end-to-end encryption is to simply move away from the pressure of law enforcement, court orders, warrants, and controversies. Currently, Facebook uses artificial intelligence (AI) and a team of human moderators to monitor the content and messages sent via its platform. They then report suspicious communication/content to authorities. This content moderation system is the source of a lot of expense, negative news coverage and even lawsuits for Facebook.

With end-to-end encryption in place, this couldall go away because Facebook wont be able to decipher the communication. Theycan simply say sorry, we cant access the content even if we want to. Thatcould save Facebook a lot of time, money, and hassle.

Considering that Facebook has already implemented end-to-end encryption in WhatsApp, the most extensively used messaging service that it owns, it seems likely that end-to-end encryption will be implemented in Facebooks other services as well. The question is what happens next? I expect the governments championing the call to eliminate end-to-end encryption to shift gears and attack the tech companies with more ferocity. Further down the road, this never-ending battle could spark into a fire, and ordinary users could be its witnesses or become engulfed in it.

As always, leave any comments or questions below

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/end-to-end-encryption-the-good-the-bad-and-the-politics/

See the original post:
End-to-End Encryption: The Good, the Bad and the Politics - Security Boulevard

There is an unprecedented demand for enterprises to optimise resources, become more agile and digitally transform at pace. They have to do it safely too, maintaining strong security policies that ensure frictionless business operations.

As technology continues to evolve, so too does the threat landscape. Security defences and risk mitigation strategies need constant attention.

Malware is a notable example why and one of the biggest threats facing todays businesses.

The problem may have been around for a while but its constantly mutating forms and attack vectors are more nuanced than ever. There is a new level of pressure on business security defences.

Typical methods to safeguard against malware include sandboxing, data loss prevention (DLP), Intrusion Prevention Systems (IDS) and web gateways.

That isnt always enough, however, particularly with the increasing influence of Secure Sockets Layer (SSL) reducing visibility of traffic flowing between the web server and browser.

SSL is an industry standard that protects online transactions between organisations and their customers. All data passing between browser and web server stays private and integral.

One of the main reasons malware is such a concern is its ability to hide within this encrypted traffic and go undetected. Businesses often only have visibility over the unencrypted traffic, which can range from 25 - 50per cent of the total amount. Unfortunately, decrypting and re-encrypting traffic between each prevention system would take too long, not to mention cause latency issues and a decrease in performance.

A vivid example of modern malwares disruptive abilities is the Man-in-the-Browser attack, whereby it shims itself between a browser and the encrypted SSL layer.

Imagine if an employee is logging in from their SSL VPN at home, likely using a domain username and password to access the company server. All this captured by malware. The information would then be sent to C&C (Command & Control) servers where the details are compromised. An outsider now holds the keys to the kingdom and can gain access to the enterprise system. A perfect opportunity to drop in some more malware and exfiltrate sensitive company data.

While big problems inevitably arise from malware hiding in SSL traffic, there are ways to stay safe without compromising operation agility.

F5 technology can solve provisioning and performance challenges via orchestration that automates workflows and the process of encrypting and decrypting SSL-encrypted traffic. Meanwhile, F5s Forward Proxy SSL feature gives the Application Delivery Controller (BIG-IP) an ability to optimise SSL-secured communications that are directly authenticated by the user. The result is greater control in securing the traffic, while also allowing for improved latency and faster performance. As the administrator, F5 can define different security service chains for the traffic being sent from the web server to the browser. In other words, businesses get their visibility back.

For more information, visitf5.com/security

Keiron Shepherd is principal systems engineer with F5 Networks

See original here:
Malware and the encryption conundrum - Irish Times

Facebook is reportedly working on enabling encrypted video and audio calls in Messenger.

App researcher and enthusiast Jane Wong found out about the unreleased feature. They shared via Twittera screenshotof a Secret Conversation with audio and video call icons on the top corner. It also says the calls will be "end-to-end encrypted across all your active mobile devices."

Extending capabilities

The encrypted video and audio call feature will be an extended capability of the secret conversations released in 2016.

Messages sent in "secret conversations" are end-to-end encrypted. It means that only the sender and the receiver have access to the messages. Not even Facebook can see them. Additionally, the messages will only be available on selected devices. Users can also set timers that will make the messages disappear after the indicated period.

The secret conversation feature of Messenger uses the same protocol as Signal, an open-source privacy-focused messaging app developed by Open Whisper Systems.

Facebook rolled out this feature to protect users when discussing private information, which may be related to health issues, illnesses, or when sending financial information. With the addition of encrypted audio and video calls, the feature will have more use cases.

However, it is still unclear if and when the extended capability of the secret conversation feature will be released.

Expected Resistance from Governments

Should Facebook enable end-to-end encrypted audio and video calls, they can expect opposition from various governments.

In anopen letter, government officials from the United Kingdom, the United States, and Australia called on Facebook to stop their plans for end-to-end encryption across their messaging app.

According to them, "companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes." Law enforcement agencies fear that encryption of the messaging apps will prevent them from investigating illegal activities conducted via Facebook and similar apps.

However, Facebook frowned upon this proposal of governments to build backdoors in their apps. In a closed-door meeting with employees, Mark Zuckerberg, CEO of Facebook, said: "We think it is the right thing to protect people's privacy more, so we will go defend that when the time is right."

A Privacy-Focused Approach

Facebook did not have a reputation for protective privacy services, so the company's turn to a privacy-focused approach made headlines. In apostby Zuckerberg, he explained his belief that "the future of communication will increasingly shift to private, encrypted services." People will want a world where they can speak privately and live freely.

Their privacy-focused platform was built around seven principlesincluding private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.

Many believed this platform is a response to the revelation that Facebook let Cambridge Analytica, a British election consultancy, harvest the data of 87 million Facebook users.

2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.

Read the original:
Facebook May Enable Encrypted Audio and Video Calls - Tech Times

WhatsApp, pushed onto the backfoot after a Israeli firm's spyware infiltrated the messaging service and compromised users' phones, has gone on the offensive with an assertive statement aimed at the government and the makers of phone software.

On November 5, the Facebook-owned company defended its 'end-to-end' encryption, suggesting pushback on another issue where it is locked in a battle with the governmentthe traceability of messages on social media.

WhatsApp also took a potshot at Google and Apple, saying that vulnerabilities in phone operating systems allowed the Pegasus spyware of Israel's NSO Group to gain complete visibility of infected phones. Most phones run Google's Android or Apple's iOS software.

"Unable to break end-to-end encryption, this kind of malware abuses vulnerabilities within the underlying operating systems that power our mobile phones," the statement said.

The spyware, Facebook says, was installed through a WhatsApp call routed by NSO over Whatsapp servers. This was accomplished by reverse-engineering Whatsapp and tricking the server into believing that spyware code was Whatsapp traffic. Therefore, technically, the end-to-end encryption feature was not broken.

The wholesale compromise of infected phones by Pegasus came to light after Facebook sued NSO Group in a US court. More than 1,400 phones and devices have apparently fallen victim globally, with 121 of them in India - the main targets being human rights activists, journalists and lawyers.

NSO says Pegasus is sold only to governments.

The pushback on end-to-end encryption is significant because the government has been insisting that Whatsapp and other messaging providers allow for traceability of messages so that government agencies can track down the origin of messages. This, the government says, is necessary for law-enforcement agencies fighting crimes like terrorism, child pornography or the propagation of hate speech.

But Facebook's position is that it is not possible to work traceability into its software without compromising on end-to-end encryption which ensures that only senders and receivers of messages have the keys to unlock and read those messages.

The Supreme Court has transferred to itself a number of petitions on the issue of traceability. Hearings are due to begin in January 2020.

On November 3, in its response to government questions, Whatsapp said that in May it was not certain that the attack was launched by the NSO Group. But, WhatsApp had found out the vulnerability on April 29, and informed the government in May.

"That time even WhatsApp was not aware that it was the NSO Group and Indians were affected," said a source at WhatsApp.

Echoing its lawsuit, Facebook has told the government that the NSO Group violated WhatsApp's terms and conditions.

WhatsApp in its US case filing, which was sent to the government, also mentioned that the NSO Group leased servers and internet hosting services in different countries, including the United States, in order to connect the target devices to a network of remote servers intended to distribute malware and relay commands to the target devices.

See the article here:
Exclusive | WhatsApp says its encryption works fine, swipes at Google and Apple - Moneycontrol

Ward 2 Councillor Bill Gordon was formerly in charge of IT at the Midland Police Services, and is now being sued by the town of Midland for not handing over the encryption key for the Midland Police Services servers.

Ryan Carter/The Globe and Mail

Ever since the Ontario Provincial Police took over patrolling duties in the small town of Midland, by the scenic shores of the Georgian Bay, the computer servers of the defunct local police service have sat idle in a municipal building monitored by security guards.

No Midland official has been able to see the content of these three servers because they were encrypted before they were handed over to the town.

In an unusual modern, digital twist to small-town politics, Midland is now suing its former police chief and a town councillor in a bid to recover the encryption key that would unlock the computers.

Story continues below advertisement

The dispute, which follows the towns decision to disband its police force and replace it with the OPP, underlines the legal and ethical challenges that arise when disposing of electronic records and e-mail archives.

The town is portraying former police chief Mike Osborne and Councillor Bill Gordon, who also was the Midland polices IT manager, as rogue ex-employees who have taken public records hostage.

The two men, however, argue that municipal employees have no business poking into confidential files that hold details about past investigations, suspects names, victims statements or information about young offenders.

Unlocking the computers would also enable the town to see Mr. Osbornes past e-mails, which potentially hold information that could be used in civil suits embroiling the former top cop and Midland.

Midlands court application against Mr. Osborne and Mr. Gordon, which was filed earlier this fall, is the latest move in a three-way legal battle that also involves a law firm claiming unpaid legal fees from the town.

This is a very precarious situation, ethically and legally, that were in. Its unprecedented, Councillor Jonathan Main said during a lengthy town council debate on Aug. 14 preceding a vote to sue Mr. Osborne and Mr. Gordon. ... its truly unfortunate that we got to this place where we are.

While council discussed whether to sue him, Mr. Gordon sat in the audience, having removed himself from the debate to avoid a conflict of interest.

Story continues below advertisement

Story continues below advertisement

In a court affidavit, he said that, as a civilian employee and special constable of the Midland Police Service, he had taken an oath of secrecy preventing him from releasing the encryption key until he was sure that confidential records would be properly handled.

Mr. Gordons court filings allege that the towns bid to access the computers is motivated by its desire to get its hands on Mr. Osbornes e-mails. The town has done nothing to mitigate. In fact, it has charged ahead with litigation, he said in court papers. He further noted that the town has a poor record for computer security, having to pay a ransom after a hacker shut down Midlands computer systems for weeks last year.

The town, however, says it now has responsibility for police records that were not transferred to the OPP or the province. The town of Midland becomes the custodian of that information. Were not doing anything less. Were not doing anything more, town lawyer Amanpreet Singh Sidhu told the Aug. 14 council meeting.

Midland is a community of 17,000 people, 160 kilometres north of Toronto. According to its court application, the town began considering whether to contract the OPP in the early 2010s.

Mr. Osborne was unhappy about the move. In a claim filed against the town, the former police chief alleges that supporters of the OPP takeover ran a smear campaign against him.

Eventually, the town voted to contract the OPP, which took over on Feb. 8, 2018. That same day, the law firm Johnston & Cowling LLP sued Midland and its police service board, saying it was owed $355,000 in unpaid fees and interests.

Story continues below advertisement

Most of that sum stemmed from a disciplinary prosecution against a Midland police officer. In a counterclaim, the town blamed Mr. Osborne for overshooting the $100,000 annual budget for legal expenses.

A police officer speaks with a citizen in front of the Ontario Provincial Police office building in Midland, Ont., on Oct. 2, 2019.

Ryan Carter/The Globe and Mail

Mr. Osborne responded with his own suit, alleging that the police service board chair, George Dixon, was a friend of the officers uncle, had discussions with the officer and meddled in the case, driving up legal costs.

Mr. Osborne and his lawyer didnt answer requests for comments from The Globe and Mail.

Mr. Dixon denies the allegations, explaining that his contacts with the officer and his uncle stemmed from the close-knit nature of the town.

In a statement e-mailed to The Globe, Mr. Dixon said he was acquainted but not socially close to the officers uncle, who is well known in the community. He said he met the officer to discuss other matters, because the man was also a union representative.

As for his intervention in the file, Mr. Dixon said I was interested in avoiding potential future liability claims by the officer once Midland Town Council decided to opt for OPP policing.

Story continues below advertisement

In another document, a letter he sent to council, Mr. Osborne alleged that the efforts to access the computer servers were an bid to pry into his e-mails. It is personal, and Chair Dixon has expressed his wish to read our e-mail, he said in the Aug. 17, 2018, letter.

Mr. Dixon said the e-mails are business records of the Midland police and not personal property of employees. The law firms invoices refer to e-mails from Mr. Osborne, Mr. Dixon said. Defending the Johnstone & Cowling lawsuit requires the board and its legal advisers to know about the communications on these files.

Correspondence tabled at council shows that Mr. Sidhu asked the OPP to charge Mr. Osborne and Mr. Gordon. However, a senior counsel for the provincial police said in an April 3, 2019, letter that they wouldnt intervene. The dispute ... cannot be resolved by the OPP," he wrote.

Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the days most important headlines. Sign up today.

See the article here:
Ontario town of Midland takes legal action in bid to unlock encrypted local police servers - The Globe and Mail

The research study on Global AES Encryption Software Market organizes the overall perspective of the industry. Thisincorporates upcoming flow of the AES Encryption Software market together with an extensive analysis of recent industry statistics. It describes the AES Encryption Software market size as well as factors controlling market growth. Likewise, the report explains various challenges which affect AES Encryption Software market expansion. The report reviews economic prominence of the AES Encryption Software industry around the globe. The report offers a crucial understanding of entire AES Encryption Software market dimensions and evaluation during period 2019 to 2024.

The research study provides excellent knowledge of the worldwide AES Encryption Software market structure. Further, it evaluates qualitative and computable information of AES Encryption Software market. In addition analysis of the AES Encryption Software market scenario and future prospects are given. The AES Encryption Software report initiate with the introduction and represents the AES Encryption Software market data in a specific and clear manner. This study covers all the essential information regarding the world AES Encryption Software industry which helps a user to grasp the overall market. Also, AES Encryption Software report gives the readers with an approach to the competitive scenario of the AES Encryption Software market.

Request for a free sample report here https://www.orbisreports.com/global-aes-encryption-software-market/?tab=reqform

The key players examine the AES Encryption Software market in new regions by inspecting different techniques. This includes mergers & acquisitions, AES Encryption Software expansions, investments, new service launches. Similarly, they adopt distinct AES Encryption Software strategies such as collaborations, agreements etc. The leading vendors of AES Encryption Software market are:

DellEsetGemaltoIBMMcafeeMicrosoftPkwareSophosSymantecThales E-SecurityTrend MicroCryptomathicStormshield

The AES Encryption Software study covers extensive analysis of types and applications up to the present time. In upcoming years the European region is predicted to account for the largest share, in terms of value, in the AES Encryption Software market. There is a steady increase in demand, particularly for AES Encryption Software due to a continuous increase in domestic consumption. Asia-Pacific region indicates significant growth potential for the AES Encryption Software industry. The report also analyzes the AES Encryption Software market in North America, South America, Middle East and Africa.

AES Encryption Software Market Types Are:

On-premisesCloud

AES Encryption Software Market Applications Are:

Disk EncryptionFile/folder EncryptionDatabase EncryptionCommunication EncryptionCloud Encryption

For more Information or Any Query Visit: https://www.orbisreports.com/global-aes-encryption-software-market/?tab=discount

The report gives a thorough summary of the AES Encryption Software market. It covers present market trends and developments coupled with segmentation of the AES Encryption Software industry. Similarly, it delivers Past, present, and future AES Encryption Software market analysis in terms of value and volume. It additionally provides statistical data analysis of the AES Encryption Software industry globally. The report serves dominant segments as well as sub-segments along with AES Encryption Software market share. Moreover, the study focuses on AES Encryption Software market key players with their strategies. Thus the report helps to understand the AES Encryption Software market thoroughly.

Go here to read the rest:
AES Encryption Software 2019 Global Trends, Market Size, Share, Status, SWOT Analysis and Forecast to 2024 - Downey Magazine