Bruce Schneier and Edward Snowden @ Harvard Data Privacy Symposium 1/23/15 – Video


Bruce Schneier, Harvard Berkman Center Fellow, talks with Edward Snowden about government surveillance and the effectiveness of privacy tools like encryption to an audience at Harvard's School...

By: Harvard Institute for Applied Computational Science


US spy program has financial, security impacts, says Snowden

The U.S. National Security Agency needs to consider the repercussions of its spying on electronic communications and data, especially how that impacts U.S. economic interests, former NSA analyst Edward Snowden said today.

"There's a big question on if the potential intelligence we gain is worth the effort. They're reducing the trust of the security in American products. This is critical in American industry. It has a real cost, not just moral but financially," said Snowden, speaking Friday via video at a Harvard University conference on privacy in a networked society. He also said the NSA must understand that the methods it employs to secretly collect data can also be used against the U.S.

Snowden made international headlines in 2013 after releasing classified U.S. government documents that detailed the NSA's extensive spying programs. Some of those documents, which are still being released, showed that the NSA placed or attempted to insert back doors in hardware, software and Web services from U.S. tech companies. This discourages potential customers and has cost the U.S. at least US$35 billion, said Snowden, citing studies.

Snowden now resides in Russia after the country granted him a three-year residency permit in 2014, as he expects to be prosecuted for his disclosures by the U.S.

Using encryption is still the best way to keep data private, said Snowden. The leaked documents show that the NSA still struggles to break encryption programs like PGP and Tor. Instead of trying to crack encrypted data, the NSA looks for other ways to obtain the information.

"When they do attack, it is through a weakness. The wall is high so rather than go over it, they want to go around it or under it," Snowden said.

Exploiting a weak point, like a zero-day vulnerability, is one way that the NSA gets around encryption. With many governments, companies and people using the same technology, the same exploit that the U.S. government uses can also be used by another entity to attack the U.S. And while both countries may use the same exploit, the value of the data they acquire varies tremendously, he said.

Snowden offered the example of North Korea, whose government computer systems the NSA has been able to hack since 2010. Despite having this access, the U.S. missed information on missile launches, leadership changes and a recent hack that targeted Sony. The massive attack, which exposed sensitive information from the company's entertainment division, allegedly came from the reclusive, Communist nation. The U.S. gained very little information while North Korea was able to attack core U.S. beliefs.

"If we have a weak end point and they hack us once, it doesn't matter if we hacked them 10 times. If they hack us once, because they have that one common standard, they're far, far ahead. With Sony, everyone in the country is saying that they are attacking our basic values. It was so much [more] valuable for them than for us," he said.

As for who the NSA hires to carry out its hacks, "they're not mystical hacker steroid guys. A great portion of them are junior enlisted military guys," Snowden said, adding that their training isn't exceptional. This explains why the NSA publishes detailed guides on how its staff obtains information.


Wide-Spread SSD Encryption is Inevitable

TORONTO. The recent Sony hack grabbed headlines in large part due to the political fallout, but it's not the first corporate enterprise to suffer a high-profile security breach and probably won't be the last.

Regardless, it's yet another sign that additional layers of security may be needed as hackers find ways to break through network firewalls and pull out sensitive data, whether it's Hollywood secrets from a movie studio, or customer data from retailers such as Home Depot or Target. And sometimes it's not only outside threats that must be dealt with; those threats can come from within the firewall.

While password-protected user profiles on the client OS have been standard for years, self-encrypting SSDs are starting to become more appealing as they allow for encryption at the hardware level, regardless of OS, and can be deployed in a variety of scenarios, including enterprise workstations or in a retail environment.

In general, SSDs are becoming more common. SanDisk, for example, is bullish about adoption by average notebook users, while like many other vendors, optimizing its enterprise SSDs for different workloads. Samsung, meanwhile, has added new security features to its self-encrypting drive (SED), the 840 EVO SSD, making it compatible with professional security software employed by enterprise organizations, as it expects encrypted SSDs to become standard. Beyond SEDs themselves, there are the vendors such as Wave Systems and WinMagic that offer software to manage the encryption of SSDs on a wide scale.

A survey by the Storage Networking Industry Association presented at last year's Storage Visions Conference found users lacked interest in built-in encryption features for SSDs, particularly in the mobile space. One of the chief concerns they had when adding features such as encryption to MCUs and SSDs is their effect on performance. Even though many SSDs being shipped today have data protection and encryption features built in, often those capabilities are not being switched on by OEMs, due to the misconception that encryption can reduce performance. On a self-encrypting drive the controller encrypts every write with its media key regardless; what is typically left disabled is the locking that ties that key to an owner's credential, and until it is turned on the drive decrypts for whoever plugs it in, so the data-at-rest protection is nominal.

Ritu Jyoti, chief product officer at Kaminario, said customers are actually requesting encryption as a feature for its all-flash array, but also voice concerns about its effect on performance. They do ask the question. Customers in the financial services sector in particular are looking for encryption on their enterprise SSDs, she said, driven by compliance demands, as well as standards outlined by the National Institute of Standards and Technology.

Kaminario recently announced it had added always-on, data-at-rest encryption capabilities to its K2 all-flash array, but Jyoti said interest in encryption features has been expressed by the company's customer base for several years. She said the K2 encryption uses 256-bit AES keys and requires administrative authorization for access, ensuring no data is available on drives after deletion through a cryptographic SSD erase feature.

To address performance concerns, Kaminario leverages Samsung SEDs as well as its own architecture, which supports non-disruptive software and hardware upgrades so encryption can be added without downtime or loss of data.

Jyoti said SEDs and encryption of all-flash arrays have become a growing trend in the enterprise. "They are going to become the de facto standard very quickly."

George Crump, president and founder of research firm Storage Switzerland, recently blogged about Kaminario's new all-flash array and addressed its new features, including encryption, which he wrote is critical for flash systems in particular because of the way controllers manage flash. "When a NAND flash cell wears out, the flash controller, as it should, marks that cell as read-only. The problem is that erasing a flash cell requires that null data be written to it," he wrote. "But how do you do that if the flash controller had previously marked the cell as read-only? If you can't erase the data, but you can read it, then some enterprising data thief may be able to get to your data."
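As an added illustration of the erase problem Crump describes, and of the cryptographic erase that Kaminario says its K2 uses to solve it (this is example code written for this page, not code from Kaminario, Samsung or Storage Switzerland): a small Python model of a drive whose controller has marked a worn cell read-only, first without encryption and then as a self-encrypting drive whose crypto-erase simply discards the media encryption key. The AES-256 inside a real controller is stood in for by an HMAC-SHA256 counter-mode keystream so the script runs with only the standard library; the cell size, the class and function names and the sample record are assumptions of the model, and the admin-credential wrapping of the key mentioned above is not modelled.

```python
import hashlib
import hmac
import secrets

CELL_SIZE = 16  # bytes per simulated flash cell (an assumption of this model)


def _keystream(mek, idx):
    """Per-cell keystream block. Stand-in for AES-256-CTR so the script needs
    only the standard library; a real SED runs AES in the controller."""
    return hmac.new(mek, idx.to_bytes(8, "big"), hashlib.sha256).digest()[:CELL_SIZE]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class FlashMedia:
    """Raw NAND as the controller sees it: cells plus the set marked worn/read-only."""

    def __init__(self, cells):
        self.cells = [bytes(CELL_SIZE) for _ in range(cells)]
        self.read_only = set()

    def mark_worn(self, idx):
        # Controller has detected wear; the cell can still be read but not programmed.
        self.read_only.add(idx)

    def program(self, idx, data):
        if idx in self.read_only:
            return False  # overwrite refused, old contents stay in place
        self.cells[idx] = data
        return True


class PlainDrive:
    """No encryption: erasing means overwriting, which worn cells refuse."""

    def __init__(self, cells):
        self.media = FlashMedia(cells)

    def write(self, idx, data):
        return self.media.program(idx, data)

    def chip_off(self, idx):
        return self.media.cells[idx]  # what a thief reading the NAND directly sees

    def wipe(self):
        """Overwrite every cell with nulls; return the cells that still hold old data."""
        return [i for i in range(len(self.media.cells))
                if not self.media.program(i, bytes(CELL_SIZE))]


class SelfEncryptingDrive:
    """Controller encrypts every cell under a media encryption key (MEK)."""

    def __init__(self, cells):
        self.media = FlashMedia(cells)
        self._mek = secrets.token_bytes(32)  # 256-bit key that never leaves the drive

    def write(self, idx, data):
        if self._mek is None:
            return False  # nothing can be written after a crypto-erase
        return self.media.program(idx, _xor(data, _keystream(self._mek, idx)))

    def read(self, idx):
        raw = self.media.cells[idx]
        return raw if self._mek is None else _xor(raw, _keystream(self._mek, idx))

    def chip_off(self, idx):
        return self.media.cells[idx]  # ciphertext, whether or not the MEK still exists

    def crypto_erase(self):
        """Cryptographic erase: destroy the MEK instead of touching the cells."""
        self._mek = None


def demo(secret=b"ssn:123-45-6789"):
    """Constructed scenario: a record lands in cell 2, which then wears out."""
    secret = secret.ljust(CELL_SIZE, b"\0")[:CELL_SIZE]
    plain = PlainDrive(4)
    plain.write(2, secret)
    plain.media.mark_worn(2)
    stuck = plain.wipe()  # the worn cell cannot be nulled

    sed = SelfEncryptingDrive(4)
    sed.write(2, secret)
    sed.media.mark_worn(2)
    readable_before = sed.read(2) == secret
    overwrite_refused = not sed.write(2, bytes(CELL_SIZE))
    sed.crypto_erase()
    return {
        "plain_unerasable_cells": stuck,
        "plain_leaks_secret": plain.chip_off(2) == secret,
        "sed_readable_before_erase": readable_before,
        "sed_overwrite_refused": overwrite_refused,
        "sed_chip_off_is_ciphertext": sed.chip_off(2) != secret,
        "sed_leaks_secret_after_erase": sed.read(2) == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the last two results: the worn cell on the self-encrypting drive is just as unwritable as on the plain drive, but it only ever held ciphertext, so zeroising one 32-byte key retires every cell at once, including the ones the controller will never let you overwrite. The same property is what makes "secure erase" on an SED fast: it is a key change, not a pass over the media.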


EU swings behind David Cameron’s encryption plan – as party grassroots voice opposition

The European Union is swinging behind Prime Minister David Cameron's policy to enable national governments to read all encrypted communications - at the same time that his own Conservative Party grassroots are starting to come out against the idea.

In a paper from the General Secretariat of the Council of the European Union, leaked to privacy group State Watch, EU counter-terrorism coordinator Gilles de Kerchove wrote:

"Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralised encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible."

He wants the EU to have the power to force internet companies to tap their communications as part of a new strategy to combat terrorism. The paper was drawn up following the Islamist terrorist attacks on the French satirical magazine Charlie Hebdo and a Jewish supermarket in Paris.

He continued: "The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys)."

A spokesperson for de Kerchove declined to comment, according to EurActiv.

At the same time, though, the Conservative grassroots has woken up to oppose Cameron's widely derided encryption and internet surveillance proposals - which he also put to US President Barack Obama in his recent trip to Washington DC.

Writing on Conservative Home, former Cambridge University Conservative Association officer Andrew Bower, who now works in Cambridge's technology industry, roundly criticised the Prime Minister's plans. "Encryption is ubiquitous in our everyday devices and the commercial services that enable them," he wrote.

He continued: "Encryption is not just for the bad guys. The online world makes our assets and identity vulnerable. Encryption as part of a well-designed security model is essential to enabling and giving confidence to banking transactions and commerce today.

"By mobilising against encryption the government is contradicting the advice of its Information Commissioner on data protection for organisations and its own advice to the general public about being safe online."


NIST pledges transparency in NSA dealings over crypto standards

The agency says it will disclose all contributions from the National Security Agency

A U.S. agency that develops widely used standards for encryption has pledged to be more transparent about its dealings with the National Security Agency, amid concerns the NSA undermined those standards to boost its surveillance efforts.

The National Institute of Standards and Technology outlined new proposed operating procedures in an updated draft published Friday. It's seeking public comments on the proposal through March 27.

The document follows a report last July from independent security experts who concluded NIST had put too much faith in the NSA in developing cryptographic standards.

"The new draft expands on NIST's interactions with the National Security Agency (NSA), explaining how the agencies work together and what steps are now in place to ensure NSA's contributions to the standards development process are transparent," NIST said.

"The new processes will ensure that NIST attributes to the NSA all algorithms, standards or guidelines contributed by the agency's staff, and acknowledges all comments received from the NSA."

NIST has been in the spotlight since 2013, when reports based on leaked documents from Edward Snowden claimed the NSA used its influence over NIST to insert a backdoor in at least one cryptographic standard and possibly to weaken others.

Last February, NIST appointed an independent panel of technologists to review its practices, including Ed Felten, a computer scientist at Princeton University, Ron Rivest, an MIT professor, and Internet pioneer Vint Cerf, who works at Google.

They concluded that NIST needed to hire more cryptographic experts and reduce its reliance on the NSA for decisions about standards.

Friday's proposal reflects the feedback in that report and from public comments on the first draft, which was published last February and said much less about NIST's work with the NSA.
