From prison, Manning offers punditry on Iraq

The Guardian

The Guardian's portrait of Chelsea Manning.

The simmering debate about the evolving US military strategy in Iraq and Syria has been joined by an unlikely pundit: Army Private Chelsea Manning.

Manning, a former US intelligence analyst convicted last year of leaking classified US information to the anti-secrecy group WikiLeaks, argues in a new piece for the Guardian that the United States cannot defeat the Islamic State militant group by bombing them, and should focus on containing them instead.

The piece says only that the writer, who joined the Army as a man known as Bradley Manning, was "in Fort Leavenworth," and does not mention her conviction or passing of military secrets. In a separate piece, the Guardian reports Tuesday that "Manning wrote the Guardian article in Fort Leavenworth, Kansas, where she is in military custody".

KEVIN LAMARQUE / Reuters

FACING JUSTICE: Private Chelsea Manning at her sentencing in August 2013. (The Army began providing her gender identity treatment this past July.)

Manning's piece was published as Defense Secretary Chuck Hagel and Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, appeared on Capitol Hill for a hearing on the US strategy against the Islamic State in Iraq and Syria. Dempsey said that US military advisers could find themselves involved in ground combat missions if needs dictate it.

Conversely, Manning argues in her piece that the Islamic State should be allowed to set up its own region to control. Doing so is a stated goal for the militants, who want to establish a caliphate, a state under the control of strict Islamist law.

"Let Isis succeed in setting up a failed 'state' - in a contained area and over a long enough period of time to prove itself unpopular and unable to govern," Manning argues. "This might begin to discredit the leadership and ideology of Isis for good."

The rest is here:
From prison, Manning offers punditry on Iraq

School dropout codes chat program that foils NSA spying

The National Security Agency has some of the brightest minds working on its sophisticated surveillance programs, including its metadata collection efforts. But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts.

Prompted by Edward Snowden's revelations about the government's intrusive surveillance activities, loosely knit citizen militias of technologists and security professionals have cropped up around the world to develop systems to protect us from government agencies out to identify us online and grab our communications.

John Brooks is now among them.

Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata -- the "to" and "from" headers and IP addresses spy agencies use to identify and track communications -- long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

Then the Snowden leaks happened and metadata made headlines. Brooks realised he already had a solution to a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists' sources and others. It's not just these kinds of people whose privacy is harmed by metadata, however; in 2012 it was telltale email metadata that helped unmask former CIA director and war commander General David Petraeus and unravel his affair with Paula Broadwell.

With metadata suddenly in the spotlight, Brooks decided earlier this year to dust off his Ricochet program and tweak it to make it more elegant -- he knew he'd still have a problem, however, getting anyone to adopt it. He wasn't a known name in the security world and there was no reason anyone should trust him or his program.

Enter Invisible.im, a group formed by Australian security journalist Patrick Gray. Last July, Gray announced that he was working with HD Moore, developer of the Metasploit Framework tool used by security researchers to pen-test systems, and with another respected security professional who goes by his hacker handle The Grugq, to craft a secure, open-source encrypted chat program cobbled together from parts of existing anonymity and messaging systems -- such as Prosody, Pidgin and Tor. They wanted a system that was highly secure, user friendly and metadata-free. Gray says his primary motivation was to protect the anonymity of sources who contact journalists.

"At the moment, when sources contact a journalist, they're going to leave a metadata trail, whether it's a phone call record or instant message or email record [regardless of whether or not the content of their communication is encrypted]," he says. "And that data is currently accessible to authorities without a warrant."

When Brooks wrote to say he'd already designed a chat program that eliminated metadata, Gray and his group took a look at the code and quickly dropped their plan to develop their own tool, in favor of working with Brooks to develop his.

"He writes incredible code," Gray says, "and really thinks like a hacker, even though he doesn't have a security background."

See original here:
School dropout codes chat program that foils NSA spying

What's Homomorphic Encryption And Why Did It Win A MacArthur Genius Grant?

Craig Gentry, a cryptographer working at IBM's Thomas Watson Research Center in the suburbs outside New York City, recently received a phone call that changed his life. His passion, an experimental and mainly theoretical type of encryption called homomorphic encryption, just won a MacArthur Genius Grant.

The complicated encryption method lets users run computations on data without actually decrypting it. Paul Ducklin, a security researcher working for Sophos, laid out a neat summary of how this works:

Imagine, however, if I could simply take your encrypted search terms, leave them encrypted, search for them directly in the still-encrypted database, and get the same results. If I can perform calculations directly on your encrypted data, yet get the same results that you get from the unencrypted data, we both win enormously from a security and privacy point of view. You don't need to give me any decryption keys at all, so you no longer have to trust me not to lose, steal or sell your data. (You still have to trust me to tell you the truth about any results I work out for you, but that is a completely different issue.) And I no longer need your decryption keys, so I can't lose or abuse your data even if I wanted to.

For security-conscious cloud and SaaS providers, this is a very big deal. Gentry has been working on homomorphic encryption for years, and the first big steps to commercialization came out last year when IBM released an open source software package for developers called HElib. The HE stands for homomorphic encryption.

John Launchbury, a DARPA program manager, told Co.Labs that "Originally cryptography was all about keeping communications private. Then it became standard to use cryptography for securing stored data, in case someone steals your computer. Now with the prevalence of cloud computing, it is becoming clear that we also need to be serious about data confidentiality even while computing with it--in case someone is able to observe the computation as it proceeds."

"Homomorphic encryption," he added, "is one way to enable this: it is a form of encryption that allows computations to be performed on data without having to decrypt the data. You could store information on a cloud server, have the cloud provider perform some tasks on the data, without the cloud provider ever learning anything about your data. This could have profound implications for improving our privacy. Unfortunately, the performance challenges are so serious that it cannot yet be used in practice."

Writing back in 2009, security expert Bruce Schneier explained that homomorphic encryption is important because it could potentially make security much easier for distributed software systems:

Any computation can be expressed as a Boolean circuit: a series of additions and multiplications. Your computer consists of a zillion Boolean circuits, and you can run programs to do anything on your computer. This algorithm means you can perform arbitrary computations on homomorphically encrypted data. More concretely: if you encrypt data in a fully homomorphic cryptosystem, you can ship that encrypted data to an untrusted person and that person can perform arbitrary computations on that data without being able to decrypt the data itself. Imagine what that would mean for cloud computing, or any outsourcing infrastructure: you no longer have to trust the outsourcer with the data.
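The property Ducklin and Schneier describe, shown in an added example that is not HElib, Gentry's scheme or any code from the article: a toy Paillier cryptosystem, which is additively homomorphic. A server holding only the public key adds encrypted values and scales them by a plaintext constant; only the key owner can read the result. The primes P and Q are assumed toy values chosen for readability.

```python
# Added example (not HElib or Gentry's scheme): a toy Paillier cryptosystem,
# which is additively homomorphic, to show the idea the article describes.
# A server holding only the public key can add encrypted values and multiply
# them by plaintext constants; only the key owner can read the result.
from math import gcd
from secrets import randbelow

# Assumption: toy primes chosen for readability. Real keys use 1024-bit+ primes.
P, Q = 293, 433


def keygen(p=P, q=Q):
    """Key owner's side: n = p*q, lambda = lcm(p-1, q-1), g = n+1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    # With g = n+1, L(g^lam mod n^2) == lam, so mu is just lam^-1 mod n.
    mu = pow(lam, -1, n)
    return (n, n + 1), (lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r; m must satisfy 0 <= m < n."""
    n, g = pub
    n2 = n * n
    while True:
        r = randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Server side: E(a) * E(b) mod n^2 == E(a + b); no key needed."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_plain(pub, c, k):
    """Server side: E(a)^k mod n^2 == E(k * a); no key needed."""
    n, _ = pub
    return pow(c, k, n * n)


def outsourced_weighted_total(pub, priv, values, weight):
    """Client encrypts each value, server computes weight * sum, client decrypts.
    Results wrap modulo n, so the true total must stay below n."""
    cts = [encrypt(pub, v) for v in values]          # client
    acc = cts[0]
    for c in cts[1:]:
        acc = add_encrypted(pub, acc, c)             # server, ciphertexts only
    acc = mul_plain(pub, acc, weight)                # server
    return decrypt(pub, priv, acc)                   # client


if __name__ == "__main__":
    pub, priv = keygen()
    print(outsourced_weighted_total(pub, priv, [100, 250, 375], 2))  # 1450
```

Paillier only supports addition and multiplication by constants; the fully homomorphic schemes Gentry works on also allow multiplication of two ciphertexts, which is what makes arbitrary Boolean circuits possible.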

Although Schneier went on to be critical about practical applications for homomorphic encryption (criticism that, to be fair, was written years ago), IBM has been taking out patents on the method that hint at eventual commercialization.

Gentry didn't invent homomorphic encryption, but his research is going a long way toward making it usable. Over the next five years, Gentry will receive a no-strings-attached grant of $625,000 from the MacArthur Foundation to follow his passions. In a few years, if his work makes its way to the marketplace, it might solve a lot of our current problems with privacy protection and data security.

Read more:
What's Homomorphic Encryption And Why Did It Win A MacArthur Genius Grant?

Porticor Helps Healthcare Organizations Meet HIPAA Compliance and Protect Private Information …

Porticor's Data Encryption and Key Management Solution Enables Health Organizations to Secure Protected Health Information in the Cloud and Meet Safe Harbor Compliance

CAMPBELL, Calif. - Porticor, a leading cloud data security company delivering the only cloud-based key management and data encryption solution that infuses trust into the cloud and keeps cloud data confidential, today announced growing customer traction in the healthcare industry due to its innovative solution enabling health organizations to secure cloud-based Protected Health Information (PHI) and helping them meet HIPAA and Safe Harbor compliance.

The Porticor Virtual Private Data (VPD) platform is a cloud key management and encryption solution that delivers the healthcare industry's most secure cloud encryption key management by enabling health organizations to securely maintain control of their own encryption keys. Unlike traditional data encryption solutions, which are complicated and expensive to deploy and manage, Porticor's split-key encryption and homomorphic key management system is offered as the industry's first cloud data protection service of its kind, delivering true confidentiality of data in cloud, virtual and hybrid environments by ensuring encryption keys are never exposed.

"HIPAA requires us to protect data at rest and in motion," said Kathleen Sidenblad, VP of Engineering at Amplify Health, LLC, of San Francisco. "We have found Porticor's cloud data security and performance to be very good. Managing our own data encryption keys is important to us and Porticor lets us do that. We take security very seriously, and other solutions don't allow us to easily control our own keys."

Over the years, a variety of factors have led to an increase in healthcare organizations embracing cloud computing, including the need to do more with less money and the need to leverage data analytics to drive better care and reduce costs. Today many health apps such as EMR/EHRs are now cloud based, giving health workers computing resources available on demand, and allowing for scalable implementations, high availability and faster rollout of services.

"Porticor offers a unique blend of technical, cloud, key management and affordability features," said Christine Sublett, President of Sublett Consulting, a Porticor partner and HIPAA compliance expert assisting healthcare and technology companies with security, privacy and compliance issues. "The price point is reasonable, and their key management technology is superior to anything else we explored. Prior to Porticor we had to manage our own encryption keys, and it was something we didn't do well."

Integrating with major players such as HP, AWS and VMware, Porticor provides the industry's only software-defined, automated solution that uniquely eliminates the need for cumbersome, non-scalable, and expensive hardware security modules for the cloud. Uniquely combining data encryption with patented split-key encryption and homomorphic key management technologies, Porticor protects critical data in public, private and hybrid cloud environments. It provides the strong security needed for healthcare compliance in a convenient, cost-effective, fully cloud-based solution.

"The cloud is no less secure inherently than a traditional data center, and of primary concern from a logical standpoint would be encryption of data in the cloud," said Sublett. "There are two places where I see Porticor out in front of the competition. First, its key management solution is truly elegant. Key management is an ongoing challenge for companies, and Porticor's homomorphic key management solution solves this problem. Porticor's solution also has implications for an organization that wishes to utilize the protections afforded it under Safe Harbor."

"In the event of a security incident that is a suspected breach, and if the healthcare company is utilizing Porticor's API application-level integration for data encryption, there is a reasonable likelihood that, after performing a breach risk assessment, they could make the determination that there is a low probability that the PHI has been compromised and thereby claim safe harbor," Sublett continued. "This means that the onus of reporting a breach is largely ameliorated, with fines and reputation loss avoided."

While other solutions require encryption keys to be manually managed for every disk, distributed storage or database record, or to be owned by a cloud provider, Porticor's homomorphic split-key encryption technology eliminates both complexity and compromises. Porticor restores key ownership to customers while automatically managing customer encryption keys with maximum security. With homomorphic key management, the keys are protected at all times even while they are in use. Porticor protects the entire data layer stack, including virtual disks, distributed storage, databases, and applications. It dynamically encrypts and decrypts virtual data whenever the application needs access, and delivers a key management system that is fully hosted in the cloud, yet offers the confidentiality, security and trust of a system that is hosted inside the datacenter. Within minutes, customers can encrypt their entire data layer with the proven AES 256-bit encryption algorithm.

View post:
Porticor Helps Healthcare Organizations Meet HIPAA Compliance and Protect Private Information ...

Encryption goof fixed in TorrentLocker file-locking malware

The developers of a type of malicious software that encrypts a computer's files and demands a ransom have fixed an error that security experts said allowed files to be recovered without paying.

The malware, called TorrentLocker, popped up last month, targeting users in Australia, according to iSight Partners, a security consultancy. It now appears to be also geo-targeting victims in the U.K.

TorrentLocker's developers ironically made a similar mistake to the creators of another ransomware program, CryptoDefense. Researchers found earlier this year that CryptoDefense left a decryption key on a person's computer, although the error was soon fixed.

Earlier this month, researchers with the consultancy Nixu found that TorrentLocker used the same keystream to encrypt all of a computer's files. That was a mistake, as a keystream should never be used more than once, according to a writeup on the SANS Institute blog.

"As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file," they wrote.
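The keystream-reuse flaw Nixu describes, in an added example constructed for this article (not TorrentLocker's code): a toy stream cipher that XORs one keystream into every file, the recovery step (ciphertext XOR known plaintext gives the keystream, which then unlocks other files), and the corrected form with a fresh nonce per file, under which the recovered keystream is useless for any other file. The sample files and key are constructed values; the SHA-256 counter-mode keystream is a stand-in for a real cipher.

```python
# Added example, constructed for this article; not TorrentLocker's code.
# A toy stream cipher shows why reusing one keystream across files let Nixu
# recover the keystream (ciphertext XOR known plaintext) and unlock other files,
# and how a fresh per-file nonce removes that recovery path.
import hashlib
import os

# Constructed sample "victim" files: a.txt is one whose plaintext the victim
# still has (e.g. a known document); b.txt is the one to recover.
SAMPLE_FILES = {
    "a.txt": b"Quarterly report: revenue grew 4% over the prior period, costs fell.",
    "b.txt": b"Board minutes: approve budget; next meeting 3 Oct.",
}
KEY = bytes(range(32))  # constructed, not a real key


def xor_bytes(a, b):
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_from(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode (demo only, not a real cipher)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt_files_flawed(files, key):
    """The bug the article describes: one keystream XORed into every file."""
    ks = keystream_from(key, b"", max(len(d) for d in files.values()))
    return {name: xor_bytes(data, ks) for name, data in files.items()}


def encrypt_files_fixed(files, key):
    """Corrected: a random 12-byte nonce per file, stored in front of the ciphertext."""
    out = {}
    for name, data in files.items():
        nonce = os.urandom(12)
        out[name] = nonce + xor_bytes(data, keystream_from(key, nonce, len(data)))
    return out


def recover_keystream(ciphertext, known_plaintext):
    """Nixu's observation: c = p XOR k, so c XOR p = k for the overlapping bytes."""
    return xor_bytes(ciphertext, known_plaintext)


def recover_with_reuse(files, key, known, target):
    """Recover `target` from the flawed scheme using the `known` plaintext."""
    enc = encrypt_files_flawed(files, key)
    ks = recover_keystream(enc[known], files[known])
    return xor_bytes(enc[target], ks)


def per_file_nonce_blocks_recovery(files, key, known, target):
    """With per-file nonces, the keystream recovered from `known` does not decrypt `target`."""
    enc = encrypt_files_fixed(files, key)
    ks = recover_keystream(enc[known][12:], files[known])
    return xor_bytes(enc[target][12:], ks) != files[target]
```

Recovery only reaches as far as the known plaintext is long, so in practice the longest file with a known original determines how much of every other file can be restored.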

With the error out in the open, it was only a matter of time before it was fixed.

Richard Hummel, a senior technical analyst with iSight, wrote that a variant of TorrentLocker without that bug has now been found, which shows "the extremely high pace of innovation of our collective adversaries."

The latest version also scans profiles in the Thunderbird email client for email addresses and passwords, Hummel wrote, which will almost certainly be used to further the spam campaign for TorrentLocker.

TorrentLocker asks for US$500 to unlock the files, payable in bitcoin. Hummel wrote that although the percentage of people who pay is low, a look at the bitcoin address associated with TorrentLocker showed that the attackers are making many bitcoins.

Jeremy is the Australia correspondent for IDG News Service, which distributes content to IDG's more than 300 websites and magazines in more than 60 countries. More by Jeremy Kirk

Originally posted here:
Encryption goof fixed in TorrentLocker file-locking malware

New Zealand: Snowden exposes NSA facilities during ‘Moment of Truth’ – Video


New Zealand: Snowden exposes NSA facilities during 'Moment of Truth'
Video ID: 20140915-026 W/S People arriving on stage for the panel discussion M/S Kim Dotcom blows kisses to the crowd, cheering SOT, Julian Assange, Wikileaks editor-in-chief (English): "The...

By: RuptlyTV

Originally posted here:
New Zealand: Snowden exposes NSA facilities during 'Moment of Truth' - Video

Reddit Mods did not ban a user for asking Julian Assange about #GamerGate – Video


Reddit Mods did not ban a user for asking Julian Assange about #GamerGate
https://twitter.com/TheStrangeOneR/status/511646977927675904/photo/1 https://i.imgur.com/rdyrOx6.jpg http://www.reddit.com/r/SubredditDrama/comments/2gi3pn/julian_assange_thinks_censorship_is_pat...

By: MundaneMatt

Here is the original post:
Reddit Mods did not ban a user for asking Julian Assange about #GamerGate - Video

LXC Coin crowdfunds in challenge to Bitcoin

LXC Coin will work with a network of P2P lenders across the world, and could evolve into its own P2P vehicle over the coming years.

Unlike many other cryptocurrencies, the LXC Coin is real, according to Ellefsen. "If cryptocurrencies were banned tomorrow - and Russia is looking to do that right now - our coin would keep its value. You could reclaim your investment from us."

"Cryptocurrencies haven't been real money until now," he claims.

Bitcoin, which currently trades for around $500 per coin, is seen as a volatile currency by investors. It can lose up to 30pc of its value in a single day. LXC Coin will control supply and demand, much like a central bank, ensuring a consistent price for the coin.

Some 1.1bn of these new coins will be issued over the next four to five years.

The LXC Coin is based on the code from the world's most famous cryptocurrency, Bitcoin, mixed with BlackCoin technology. Unlike Bitcoin, BlackCoin does not have to be mined. It is based on a proof of stake concept, which means that it has become a dominant digital currency through the sheer proliferation of coins held in wallets by users.

By using the BlackCoin model, LXC Coin does not require vast amounts of computing power and electricity to exist.

Customers must pay hard cash or exchange it for other digital currencies.

The company was founded in Denmark in 2012 and became a UK holding company in 2014.

Ellefsen chose to raise money on Crowd For Angels, the UK's FCA-regulated debt and equity platform, to generate awareness for the start-up and prove that its model was FCA compliant.

See the rest here:
LXC Coin crowdfunds in challenge to Bitcoin

WikiLeaks posts ‘weaponized malware’ for all to download

Summary: The long and sordid story of WikiLeaks takes an astonishingly irresponsible and very dangerous turn.

Sometimes when we seek to understand the impact of a digital scenario, we recast it in meatspace and describe an analogous situation. In seeking to understand the most recent (and probably most epically irresponsible) WikiLeaks posting, the meatspace analogy will come in handy.

Imagine, if you will, that a company located in Germany was doing biological warfare research, possibly under the guidance and using the funding of various allied governments.

As part of their research, the company has produced a strain of virus that's Ebola-dangerous and Ebola-virulent, that might be used by the varied governments to fulfill certain unspecified and undisclosed objectives.

But this time, WikiLeaks didn't just release documents. They posted the actual software.

Now imagine that a group of concerned scientists discovers this research and illegally gets their hands on vials containing the biowarfare agent. Their justification in this theft is the desire to develop a defense against it, in case it is loosed upon an unsuspecting public.

At this point, you might side with the scientists. After all, biological warfare is nasty stuff, and protecting the public from exposure and harm is a laudable goal.

What if the thieves aren't biological scientists? They're violent activists. Similarly disturbed about the activities going on in the biowarfare lab, they also manage to get a sample of the deadly biological agent.

However, instead of securely and safely transporting the deadly biohazard back to a lab for safe and secure analysis leading to an antidote agent, the thieves inexplicably set up a kiosk at a local mall. And instead of securely managing the biohazard, they give out sample vials of the biohazard to anyone who wants one.

Anyone with a brain would immediately call the authorities and insist that this incredibly dangerous behavior be stopped, and that all the loose vials of biological warfare agent be rounded up and secured or destroyed.

The rest is here:
WikiLeaks posts 'weaponized malware' for all to download