« First...102030...2,3822,3832,3842,3852,386...2,3902,4002,410...Last »

Data Storage: Who’s Got the Encryption Key?

Posted on by

Encryption is a very basic security measure. But there are some serious issues swirling around encryption, especially if you have handed off your data to a cloud provider.

Encrypting data in-transit is standard and many service providers (SP) will give you the option of encrypting data at-rest. Dont take at-rest encryption for granted because there is another step you must take. Ask yourself: when I direct my SP to encrypt my stored data, who decrypts? Who holds the keys to the kingdom?

It may be your cloud provider who holds your encryption key. Most of them will do their best to protect your data and keys. But its an uncertain world out there. Online thieves can steal the key, NSA can subpoena it, determined hackers can break it, and failing cloud businesses can take it down with them.

Lets take a closer look at these very real threats to encrypted online data storage.

Hackers. A well-organized hacking group attacked an ecommerce website, stealing customer information including credit card numbers. The website owner admitted the data loss but thought that customer data was safe because it was encrypted. Sadly for the company, it had stored encryption keys on the same server that held customer data. The sophisticated hackers stole the keys right along with the information and promptly decrypted and posted the data.

Government. The NSA regularly taps large service providers for customer data and if you store your data with them you are vulnerable. Even if your data is encrypted, if the SP has the key they can decrypt your data. And if they are threatened by a subpoena, they probably will.

You may decide to turn your data over to the NSA if they subpoena you, but the point is that this should be your choice. Not the NSAs and certainly not your service providers. Or what about the scenario where the NSA does subpoena you, you decide to decrypt and turn over your data to them and you dont have the encryption key. Imagine NSAs sense of humor at that response.

Internal intrusion. Never assume that your data is kept private from the service provider employees. Most of them are honest to a fault -- but not all of them are and your data is at risk if they control your encryption keys. And while youre at it, check to see that your provider carefully screens their employees and tracks their activities while at work. A tad big-brother-ish perhaps, but remember Edward Snowden? No matter what your opinion is on his activities, you probably do not want a Snowden of your very own.

Going Out of Business. Many online backup service providers operate on razor-thin profit margins and are close to failing or are actively looking to be acquired. If they have your encryption key you may or may not be able to get your data back when you need it. If they are the ones who own your encryption key, they may take your key and your encrypted data down with their ship.

Service providers are well aware of these issues around encryption keys. One common solution is storing their customers encryption keys separately from data, in a different physical server system or a different partition. This does work against outside intrusion but does not help much against internal employee mistakes or malice.

Original post:
Data Storage: Who's Got the Encryption Key?

Yahoo Bringing Better Encryption Technologies To The Table

Posted on by

April 3, 2014

Enid Burns for redOrbit.com Your Universe Online

Yahoo! is in the midst of a large-scale project to employ encryption technologies to protect its users and their data. The companys new Chief Information Security Officer, Alex Stamos, updated users on Tumblr.

Firstly, as of march 31 all traffic moving between Yahoo! data centers is fully encrypted. Yahoo! Mail has become more secure as browsing has been moved to HTTPS by default, as well as encryption of mail between Yahoo! servers and other mail providers that support the SMTPTLS standard. Browsing on Yahoo! also has HTTPS encryption enabled by default.

Yahoo! has also implemented a number of additional encryption and security measures.

We implemented the latest in security best-practices, including supporting TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of our global properties such as Homepage, Mail and Digital Magazines. We are currently working to bring all Yahoo sites up to this standard, wrote Stamos.

While Yahoo! still has measures to take in-house, it is working with vendors and companies it contracts to improve security at those points as well.

One of our biggest areas of focus in the coming months is to work with and encourage thousands of our partners across all of Yahoos hundreds of global properties to make sure that any data that is running on our network is secure. Our broader mission is to not only make Yahoo secure, but improve the security of the overall web ecosystem, Stamos wrote.

Once all measures are complete, Yahoo! will continue to work on security to keep up with encryption developments and stay ahead of hackers.

In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months. This isnt a project where well ever check a box and be finished. Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users privacy, Stamos wrote.

See more here:
Yahoo Bringing Better Encryption Technologies To The Table

HMRC uses Hadoop to tackle corporate tax avoidance

Posted on by

HM Revenue & Customs (HMRC) is driving the use of open source technology with a Hadoop NoSQL big data engine to analyse corporate tax.

Government austerity measures have driven HRMC costs down by 20% over the last four years. The organisation is committed to reduce costs by another 22% over the next four years.

Addressing delegates at the Open Source Open Standards 2014 conference in London, Mark Dearnley chief digital officer of the HMRC, said open source software was a great way to change the dynamics of how software is developed.

According to Dearnley, analytics offered among the biggest opportunities for the use of open source software at the HMRC. He said: "Analytics is the first area where open source software has led the thinking."

Working with its system integrators, HMRC has developed a macro enterprise data hub, built on Hadoop. Dearnley said: Open source software is more cost-effective. It drives the commoditisation of infrastructure and use of software and drives a different delivery model, which is massively more cost-effective.

Corporation tax compliance is another example of Hadoop at HMRC. In the UK, companies need to submit tax returns electronically in the iXBRL format specified by HMRC.

Dearnley said it took two and a half months to develop a complete Hadoop stack and load in all the corporation data, allowing tax officers to start analysing company tax returns. He said the users were impressed by how fast IT delivered and the speed with which they could get value.

While using Hadoop for analytics has proved the value of open source software at HMRC, he said his ambition was to create a level playing field for open source software: "At the moment the pendulum is a bit too far, the other way."

HMRC runs 5,000 servers but only 3% run Linux. A quarter of its systems are virtualised, mainly on VMware, and it runs 3% of its system in the cloud, he said implying a substantial opportunity to deploy open source technologies in HMRC's infrastructure. Of the 500 enterprise applications at HMRC, Dearnley said 95% were based on proprietary platforms.

He admitted the penetration of open source software at HMRC was low: "We have some way to go. Our future will be a combination of private and public cloud, commodity compute, some of our databases are rather large and don't run in virtualised environments, so we will optimise our database cloud."

See the article here:
HMRC uses Hadoop to tackle corporate tax avoidance

Book Review: How I Discovered World War II’s Greatest Spy

Posted on by

benrothke (2577567) writes "When it comes to documenting the history of cryptography, David Kahn is singularly one of the finest, if not the finest writers in that domain. For anyone with an interest in the topic, Kahn's works are read in detail and anticipated. His first book was written almost 50 years ago: The Codebreakers The Story of Secret Writing; which was a comprehensive overview on the history of cryptography. Other titles of his include Seizing the Enigma: The Race to Break the German U-Boats Codes, 1939-1943. The Codebreakers was so good and so groundbreaking, that some in the US intelligence community wanted the book banned. They did not bear a grudge, as Kahn became an NSA scholar-in-residence in the mid 1990's. With such a pedigree, many were looking forward, including myself, to his latest book How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code. While the entire book is fascinating, it is somewhat disingenuous, in that there is no new material in it. Many of the articles are decades old, and some go back to the late 1970's. From the book description and cover, one would get the impression that this is an all new work. But it is not until ones reads the preface, that it is detailed that the book is simple an assemblage of collected articles." Keep reading for the rest of Ben's review.For those that are long-time fans of Kahn, there is nothing new in the book. For those that want a wide-ranging overview of intelligence, espionage and codebreaking, the book does provide that.

The book gets its title from a 2007 article in which Kahn tracked down whom he felt was the greatest spy of World War 2. That was none other than Hans-Thilo Schmidt, who sold information about the Enigma cipher machine to the French. That information made its way to Marian Rejewski of Poland, which lead to the ability of the Polish military to read many Enigma-enciphered communications.

An interesting question Kahn deals with is the old conspiracy theory that President Franklin Roosevelt and many in is administration knew about the impending attack on Pearl Harbor. He writes that the theory is flawed for numerous reasons. Kahn notes that the attack on Pearl Harbor succeeded because of Japan's total secrecy about the attack. Even the Japanese ambassador's in Washington, D.C., whose messages the US was reading were never told of the attack.

Chapter 4 from 1984 is particularly interesting which deals with how the US viewed Germany and Japan in 1941. Kahn writes that part of the reason the US did not anticipate a Japanese attack was due to racist attitudes. The book notes that many Americans viewed the Japanese as a bucktoothed and bespectacled nation.

Chapter 10 Why Germany's intelligence failed in World War II, is one of the most interesting chapters in the book. It is from Kahn's 1978 book Hitlers Spies: German Military Intelligence In World War II.

In the Allies vs. the Axis, the Allies were far from perfect. Battles at Norway, Arnhem and the Bulge were met with huge losses. But overall, the Allies enjoyed significant success in their intelligence, much of it due to their superiority in verbal intelligence because of their far better code-breaking. Kahn writes that the Germans in contrast, were glaringly inferior.

Kahn writes that there were five basic factors that led to the failure of the Germans, namely: unjustified arrogance, which caused them to lose touch with reality; aggression, which led to a neglect of intelligence; a power struggle within the officer corps, which made many generals hostile to intelligence; the authority structure of the Nazi state, which gravely impaired its intelligence, and anti-Semitism, which deprived German intelligence of many brains.

The Germans negative attitude towards intelligence went all the way back to World War I, when in 1914 the German Army was so certain of success that many units left their intelligence officers behind. Jump to 1941 and Hitler invaded Russia with no real intelligence preparation. This arrogance, which broke Germany's contact with reality, also prevented intelligence from seeking to resume that contact.

Other interesting stories in the book include how the US spied on the Vatican in WW2, the great spy capers between the US and Soviets, and more.

For those that want a broad overview of the recent history of cryptography, spying and military intelligence, How I Discovered World War IIs Greatest Spy and Other Stories of Intelligence and Code, is an enjoyable, albeit somewhat disjointed summary of the topic.

Read the original post:
Book Review: How I Discovered World War II's Greatest Spy

Julian Assange leaks again to tell all about Google

Posted on by

The book includes an edited transcript of the meeting during which Assange explained the importance of WikiLeaks, while Schmidt celebrated Googles expansion as a collaboration with the US State Department. Unsurprisingly, Assange isnt a fan technocratic imperialism is what he called it.

Theres no love lost from Schmidts side either. We went to visit Julian Assange when he was on his, shall we say, GPS locator service, Schmidt told a magazine recently. He came away with the view that we dont want random people leaking large amounts of data I dont think that serves society. We asked Google whether Schmidt agreed to the publication of their conversation but have had no reply.

Assanges previous attempt at a book proved disastrous for Canongate Books. It reported a 363,367 loss for 2011 after Assange pulled out of a deal. He had promised a part memoir, part manifesto and received a rumoured 500,000 advance, but after sitting with a ghost writer for more than 50 hours of taped interviews, he decided he wanted to cancel the contract.

The new book is less of a risk for those involved. It will be published by OR Books, which runs a print-on-demand service. If no one buys the book, the only hurt will be to Assanges ego. Not that humility has ever been his strong suit.

The rest is here:
Julian Assange leaks again to tell all about Google


« First...102030...2,3822,3832,3842,3852,386...2,3902,4002,410...Last »