MongoDB Inc. today introduced new features that will enable enterprises to query their data without decrypting it and carry out large-scale analytics projects more easily.

The features were announced at the companys annual MongoDB World conference.

Publicly traded MongoDB provides an open-source NoSQL database that is widely used among developers. The database has been downloaded more than 265 million times, while developers at north of 35,000 organizations use it to power applications.

Some of the product updates that MongoDB announced today are rolling out for its namesake open-source database. Other features will become available as part of MongoDB Atlas, a managed cloud version of the database. Atlas removes the need for customers to manage infrastructure and automates a number of other administrative tasks.

Our vision is to offer a developer data platform that provides a modern and elegant developer experience, enables broad support for a wide variety of use cases, and delivers the performance and scale needed to address the most demanding requirements, said MongoDB Chief Executive Officer Dev Ittycheria.

Companies keep the business information in their databases encrypted most of the time to ensure that hackers cant read records in case they gain network access. However, records have to be decrypted when theyre queried by an application or a user. MongoDB is rolling out a new release of its open-source database, MongoDB 6.0, that it says makes it possible to query data without decrypting it.

MongoDB 6.0s Queryable Encryption feature, as its known, doesnt require specialized cryptography know-how to use. Queryable Encryption keeps records encrypted while theyre in a servers memory. Information also remains encrypted while it travels through the servers central processing unit, according to MongoDB.

Cybersecurity researchers have long sought to develop a way of processing data without having to decrypt it. Some of the technologies that have been created to facilitate encrypted processing, such as fully homomorphic encryption, are impractical to use because they significantly slow down queries. MongoDB says Queryable Encryption facilitates speedy queries and doesnt impact application performance.

Another set of features introduced by MongoDB today focuses on helping companies carry out large-scale data analytics initiatives more easily. Some of the capabilities are rolling out for the MongoDB database, while others are part of the Atlas managed database service.

MongoDB 6.0 introduces a feature called Column Store Indexes that will speed up common analytical queries. The feature speeds up queries by creating an index, a collection of data shortcuts that makes it possible to find specific records in a database faster. Reducing the amount of time that it takes to find records enables the database to return results quicker.

For administrators, MongoDB is adding a feature that makes it easier to manage the hardware resources assigned to a MongoDB deployment. According to the company, the feature will help administrators avoid provisioning too little or too much infrastructure for a MongoDB deployment that is used to support analytics workloads.

Atlas, the managed version of MongoDB, is also receiving improved support for analytics workloads. A tool called Atlas Data Lake will provide managed cloud object storage to facilitate analytical queries. For business analysts, MongoDB is rolling out Atlas SQL Interface, a capability that makes it possible to query data using SQL syntax.

MongoDBs revenuegrew 57% year-over-year, to $285.4 million, during the quarter ended April 30. As part of its revenue growth strategy, MongoDB has been adding support for more enterprise use cases, which helps expand its addressable market and unlock new sales opportunities.

MongoDB 6.0 adds improved support for use cases that involve time series data. Thats the term for data used to describe a trend, such as how a servers performance changes over the course of a week. Time series data is used for tracking the health of technology infrastructure, monitoring shifts in product demand and a range of other use cases that MongoDB can now support more effectively.

Website development is another use case on which MongoDB is increasing its focus. The company is upgrading its managed Atlas database service by adding an integration with Vercel, a popular website development tool. MongoDB says that the integration will save time for joint customers by automating certain manual configuration tasks.

For developers using Atlas to power mobile apps, MongoDB is adding the ability to sync data to and from the popular Realm mobile database. Meanwhile, companies that rely on Atlas to power the search features of their applications and websites are also receiving new features. The company is making it easier to let users filter search results by category, a feature that usually requires significant amounts of custom code to implement.

Some MongoDB customers run multiple deployments of its database to support their applications. As part of the product updates announced today, the company is adding a set of features to simplify such customers information technology operations.

Cluster-to-Cluster Synchronization is a new tool that can automatically sync records between MongoDB databases to ensure they all have the latest version of a dataset. The tool can sync records across Atlas deployments, as well as MongoDB databases running in the cloud and on-premises.

Another new addition to the companys feature set is Data Federation. Available as part of Atlas, the capability makes it possible to centrally run a query across multiple MongoDB deployments. Data Federation could simplify large-scale analytics projects that draw on information from multiple databases.

Read more here:
MongoDB debuts new encryption tool and analytics features at MongoDB World - SiliconANGLE News

MISSISSAUGA, Ontario, June 08, 2022 (GLOBE NEWSWIRE) -- WinMagic, is proud to announce that MagicEndpoint, its passwordless authentication and encryption solution is now available. With MagicEndpoint, WinMagic enters the passwordless landscape in a unique position, offering independent, yet complimentary, authentication and encryption solutions that protect both data and user. MagicEndpoint ensures that CISOs and other technology and IT security leaders, can easily implement passwordless authentication, addressing their cyber security needs, while eliminating password friction and reducing password management costs. MagicEndpoint addresses a growing industry need for precise, strong user authentication while still protecting the data security within devices, servers, and networks.

The breakthrough behind MagicEndpoint's passwordless technology means a client only has to authenticate to the endpoint to verify they are in possession of the device, and the endpoint can do the remote authentication on behalf of the users, with no user action required. MagicEndpoint does not require phones or external tokens. Smarter, faster passwordless authentication means no more obtaining codes from mobile devices, or accepting insecure push notifications, or re-setting multiple passwords. The result? Happy end-users and even happier CIOs and CISOs, who can be confident their employees and data are protected, while reducing and eventually eliminating the need for password support.

A Media Snippet accompanying this announcement is available by clicking on the image or link below:

Thi Nguyen-Huu, President and CEO of WinMagic, noted that this latest development is a proud addition to WinMagics existing award-winning suite of encryption products, and a game changer for cyber-protection. Creating a techno-logically correct solution is amazing. Nguyen-Huu added, While initially trying to use various authentication devices to give users the choice for different scenarios, we realized that the capable endpoint can perform high assurance secure remote authentication, magnitudes stronger than the user ever could. Capable of verifying user identity, even user intention, MagicEndpoint delivers not only passwordless, but also user-action-less remote authentications, undoubtedly the best user experience while eliminating any possible user error or phishable action. No user action, in turn, allows MagicEndpoint to perform continuous verification of user and device - an impossible task for any human, fulfilling the Zero Trust aspired principle of Always Verify!

In a newly published 451 Research Market Insight Report, Principal Security Research Analyst Garrett Bekker remarked on the product development, saying, It is logical for an endpoint-focused encryption vendor to leverage that expertise with an endpoint-focused authentication offering. One of MagicEndpoints main value propositions is the ability to offer no user interaction (for Windows devices), which in turn allows for continuous verification of the endpoint client and is a step toward delivering a zero-trust architecture along with the ability to establish device trust by combining user authentication with device health checks.

MagicEndpoint passwordless authentication is based on the principle that the endpoint can perform public key-based authentication that no other device or bad actor can duplicate. By leveraging this inherent capability within endpoint devices, the attack surface is significantly reduced.

About WinMagicWinMagic is a leading developer of cybersecurity solutions that, over the course of 20 years, has raised the bar for endpoint encryption. As a result of extensive experience with securing the endpoint and a commitment to continuous innovation, WinMagic is trusted by over 2500 businesses and government agencies around the world and has over 3 million active licenses globally. WinMagics authentication and encryption suite of products protects data within any laptop, physical or virtualized data center, on-premises or in the cloud. The companys solutions are platform-independent, able to secure data on devices using Windows, Linux and Mac systems.WinMagic has earned wide recognition for protecting against threats and data loss, while helping businesses meet privacy and regulatory compliance requirements. WinMagic delivers a secure, seamless authentication and encryption experience and offers solutions that free customers to think, share and achieve their goals, knowing employees and data are protected. For more information, visit ww.winmagic.com.

For more information:Nadine BrownDirector of Marketing and CommunicationsNadine.brown@winmagic.com

Go here to read the rest:
WinMagic Enters the Passwordless Authentication Market with MagicEndpoint - GlobeNewswire

You're probably already familiar with the concept of encryption. Messaging apps, VPN services and most websites constantly scramble your data in transit so that just you and the receiver can access that information - whether it's a message, call or webpage.

However, for encryption to be effective, these private keys must remain secret at all times. Otherwise, if cybercriminals get hold of them, they will be able to access or modify your data in transit.

That's where Perfect Forward Secrecy (PFS) comes into play: to minimize the risk in the rare situation that your encryption keys do get compromised. This technology is a way to fortify encryption, and prevent hackers from accessing your whole stack of data.

Secure messaging apps like Signal and many of the best VPN providers have implemented PFS technology in their software to ensure their users stay safe, even in a worst-case scenario.

Here, we'll explain everything you need to know about Perfect Forward Secrecy: how it works, its pros and cons, and on which occasions it is implemented.

Perfect Forward Secrecy minimizes the risk posed to your personal information in the event of an encryption key breach by regularly changing your keys. The amount of time between changes varies by implementation - some are hourly, and others change every time you access a new message or load a new page.

This means that if malicious actors manage to intercept one of these keys, they will be able to access just a small portion of the information you shared online.

These keys are randomly generated so that, even in case they get intercepted, hackers won't be able to use them to get hold of your past nor your future data.

In the case of VPN traffic, these sets of keys are regenerated for each session. Some providers like ExpressVPN use new keys every time your device switches network, after a connection is terminated, as well as every 15 minutes to better protect longer sessions.

So, PFS generates new sets of keys to minimize the users' risk, but how exactly does this process work?

The infrastructure of apps, services and websites supporting Perfect Forward Secrecy relies on the Diffie-Hellman key exchange (DH) (opens in new tab) to generate ephemeral keys without sharing them over the internet. Using prime numbers and complex mathematical formulas, DH allows two parties without prior knowledge of each other to establish a shared secret key over an insecure connection channel.

In simple terms, as soon as these decryption keys have been used, they disappear. And the process is repeated for each data exchange happening between the two parties - whether that's you and your mate chatting via Telegram Secret Chats, or your device and the web server rerouting you on a chosen site.

All this makes it quite difficult for hackers to get hold of your data in transit and, in the virtually impossible case that they manage to do so, only the information you shared via that single key will be revealed.

Perfect Forward Secrecy has several advantages compared with traditional encryption systems. That's not to say that normal encryption isn't secure, but adding an extra layer of protection makes your crypto-lock way more difficult to crack.

First of all, with endlessly changing encryption keys, your past activities will be protected from any intruders in case future sessions get compromised.

Your overall data security will improve as, even if a leak does happen, third parties will manage to see only a tiny portion of your encrypted data.

On top of that, hackers would probably be less inclined to target PFS-based services. That's mainly because it wouldn't be worth the effort to access only a very limited stack of data.

As every time a double encryption occurs - similarly to NordVPN's Double VPN - your connection might slow down. That's because the system requires more processing power. However, if your device is powerful enough you are unlikely to even realize it.

From a developing perspective, PFS is harder to troubleshoot as its infrastructure is more complex.

Plus, although all modern browsers support Perfect Forward Secrecy on HTTPS-encrypted sites, there are still some web servers that unfortunately do not.

It is also worth noting that, even though both the popular OpenVPN and WireGuard protocols support PFS technology, even the most secure VPN services usually do not enable this by default.

With cyber attacks continuing to grow everywhere around the world, Perfect Forward Secrecy is becoming increasingly popular for protecting modern communications.

In 2011, Google started integrating PFS in its TLS infrastructure to secure all its services - from Gmail and Google Docs to encrypted search. Two years later, Twitter did the same.

Now, almost every website implements Perfect Forward Secrecy technology. As Atlas VPN reported, SSL Labs found out that only a tiny 0,9% of sites do not support PFS at all (opens in new tab).

Many of the most private VPN services have implemented this secure technology, too. These include ExpressVPN, Proton VPN, NordVPN and Private Internet Access (PIA).

Compare today's best overall VPNs

See the original post:
Perfect Forward Secrecy explained: everything you need to know - TechRadar

NEW YORK, NY / ACCESSWIRE / June 9, 2022 / Faruqi & Faruqi, LLP, a leading national securities law firm, is investigating potential claims against Arqit Quantum Inc. f/k/a Centricus Acquisition Corp. ("Arqit" or the "Company") (NASDAQ:ARQQ,ARQQW,CENH,CENHU,CENHW) and reminds investors of the July 5, 2022 deadline to seek the role of lead plaintiff in a federal securities class action that has been filed against the Company.

If you (i) suffered losses exceeding $100,000 investing in Arqit stock or options between September 7, 2021 and April 18, 2022, and/or (ii) were a holder of Centricus securities as of the record date for the special meeting of shareholders held on August 31, 2021 to consider approval of the merger between Arqit and Centricus (the "Merger") and would like to discuss your legal rights, call Faruqi & Faruqi partner Josh Wilson directly at 877-247-4292 or 212-983-9330 (Ext. 1310). You may also click here for additional information: http://www.faruqilaw.com/ARQQ.

Faruqi & Faruqi, LLP, Thursday, June 9, 2022, Press release picture

There is no cost or obligation to you.

Faruqi & Faruqi, LLP, Thursday, June 9, 2022, Press release picture

Faruqi & Faruqi is a leading minority and Woman-owned national securities law firm with offices in New York, Pennsylvania, California and Georgia.

As detailed below, the lawsuit focuses on whether the Company and its executives violated federal securities laws by making false and/or misleading statements and/or failing to disclose that: (1) Arqit's proposed encryption technology would require widespread adoption of new protocols and standards of for telecommunications; (2) British cybersecurity officials questioned the viability of Arqit's proposed encryption technology in a meeting in 2020; (3) the British government was not an Arqit customer but, rather, providing grants to Arqit; (4) Arqit had little more than an early-stage prototype of its encryption system at the time of the Merger; and (5) as a result, Defendants' statements about its business, operations, and prospects, were materially false and misleading and/or lacked a reasonable basis at all relevant times.

Story continues

On April 18, 2022, The Wall Street Journal (the "WSJ") published an article titled, "British Encryption Startup Arqit Overstates Its Prospects, Former Staff and Others Say." The WSJ article stated, in relevant part:

When the company secured its Nasdaq listing last autumn, its revenue consisted of a handful of government grants and small research contracts, and its signature product was an early-stage prototype unable to encrypt anything in practical use, according to [former employees and other people familiar with the company]. The encryption technology the company hinges on-a system to protect against next-generation quantum computers-might never apply beyond niche uses, numerous people inside and outside the company warned, unless there were a major overhaul of internet protocols.

British cybersecurity officials questioned the viability of Arqit's proposed approach to encryption technology in a high-level evaluation they privately shared with the company in the summer of 2020, according to people familiar with the matter.

The U.S. National Security Agency and the NCSC published separate assessments in recent years warning against using satellite-based encryption systems like those Arqit is proposing to integrate into its current product in the next few years. The NSA said its warning was unrelated to any specific vendor, a spokesperson said.

The encryption system-with or without its satellite components-depends on the broad adoption of new protocols and standards for telecommunications, cloud computing and internet services that currently aren't widely supported, people familiar with the matter said.

Steve Weis, a San Francisco-based cryptographer and entrepreneur, said that what Arqit was proposing-relying in part on transmitting quantum information from satellites-is a well-known 1980s-era technology with limited real-world application. "There have been many proofs of concept and companies trying to sell products," he said. "The issue is that there is no practical-use case."

Key to the company's pitch was its claim that it had a large stream of future revenue locked in as the product was live and already selling well. "Customers are using the Arqit products today-and they are universally finding it to be an important part of their technology future," Mr. Williams said in an August investor presentation shortly before the merger closed. He added, "The Quantum Cloud product is live for service and we already have $130 million in signed committed revenue contracts."

"These are contracts where the revenues will definitely be delivered," the CEO said.

The people familiar with the matter said that the bulk of the company's committed revenue isn't from selling its product and that at its public launch, the company had little more than an early-stage prototype of its encryption system. Several clients the company lists-including a number of British government agencies-are simply giving Arqit research grants, nonbinding memorandums of understanding or research agreements that come with no funding, not contracts for its encryption product, they said.

No commercial customer was using Arqit's encryption system with live data when it made its market debut in September, the people said, and the system couldn't meaningfully use any of the common internet protocols required to do nearly anything online. They said it has signed two master distribution agreements with BT Group [] PLC and Sumitomo Corp. [] for the still-unrealized satellite component of its technology that are cancelable under certain conditions.

On this news, Arqit share price fell $2.57 per share, or 17%, to close at $12.49 per share on April 18, 2022, damaging investors.

The court-appointed lead plaintiff is the investor with the largest financial interest in the relief sought by the class who is adequate and typical of class members who directs and oversees the litigation on behalf of the putative class. Any member of the putative class may move the Court to serve as lead plaintiff through counsel of their choice, or may choose to do nothing and remain an absent class member. Your ability to share in any recovery is not affected by the decision to serve as a lead plaintiff or not.

Faruqi & Faruqi, LLP also encourages anyone with information regarding Arqit's conduct to contact the firm, including whistleblowers, former employees, shareholders and others.

Attorney Advertising. The law firm responsible for this advertisement is Faruqi & Faruqi, LLP (www.faruqilaw.com). Prior results do not guarantee or predict a similar outcome with respect to any future matter. We welcome the opportunity to discuss your particular case. All communications will be treated in a confidential manner.

SOURCE: Faruqi & Faruqi, LLP

View source version on accesswire.com: https://www.accesswire.com/704577/Securities-Litigation-Partner-James-Josh-Wilson-Encourages-Investors-Who-Suffered-Losses-Exceeding-100000-In-Arqit-To-Contact-Him-Directly-To-Discuss-Their-Options

Follow this link:
Securities Litigation Partner James (Josh) Wilson Encourages Investors Who Suffered Losses Exceeding $100,000 In Arqit To Contact Him Directly To...

SAN FRANCISCO -- Enterprises are facing multilayered cyberextortion campaigns that combine data theft, public shaming and system encryption, which are increasing the pressure on victims to pay ransoms.

During an RSA Conference 2022 session Wednesday, David Wong, vice president at Mandiant, and Nick Bennett, vice president of professional services at Mandiant, provided case studies and anecdotal data that compared the outcomes of two clients that each suffered a ransomware attack and various cyberextortion attempts. While one client was more prepared to deal with a successful attack than the other, the examples highlighted an increasing persistence from attackers that pays off if the victim is ill-equipped.

Bennett highlighted some of the newer cyberextortion tactics that ransomware gangs and cybercriminals are using to pressure victims to pay. Encrypting data and demanding payments for decryption keys is only one of the tactics used by threat actors, he said.

"We see them reaching out directly to the victim's customers and antagonizing those customers," Bennett said. "We see them reaching out to the media to get more heat on the victim. We see them sometimes even reaching out to regulators that have jurisdiction over the victims."

The first case study involved a company that had relative success, despite it being the client's first incident response situation, because of some key factors in place. The client had implemented multifactor authentication across all remote access technologies, kept aggregated logs, understood its Active Directory environment, was ready to issue public statements and had a clear plan of whom to contact during all attack stages.

Bennett said that enabled Mandiant to react more swiftly and effectively in its incident response investigation.

"The client's team was confident, they were motivated, and importantly, they were authorized by leadership to make decisions and execute," Bennett said during the session.

On the other hand, the second client did not have confidence in bringing its environment back online, Bennett noted. The company was also worried about encryption starting again and feared public leaking of its data. Overall, the client just wanted to get the attacker to back down. Subsequently, Bennett said, it ended up paying a hefty ransom in the million-dollar range.

Wong also provided an example of an incident response case where the company had a policy against paying. While he said Mandiant agrees with that approach, sometimes they start ransom negotiations with the threat actor to stall and gain additional information on the attack, with no intention of paying. However, this company refused to engage in negotiations at all.

In return, the threat actor got nervous and followed through with posting the company's data on a public leak site, Wong said. That alerted the victim's customers, which caused further problems.

"The attacker started DDoS campaigns, they started calling customers because of that multifaceted extortion ransomware attack where they keep trying to put pressure on you, and you don't have much time to respond because you didn't prepare, and now you've got customers calling you," Wong said. "You need to think about those types of strategies, and it's not anything the IT can do -- it's your lawyers, communication teams and the business folks."

Another factor that is contributing to paying ransoms is cyber insurance, both from a company standpoint as well as incentives for attackers. Wong said that although it's an unpopular opinion, sometimes if companies are insured for ransomware coverage, they will pay because it has little effect on their bottom line.

Payal Chakravarty, head of product at cyber insurance company Coalition, echoed that sentiment in an interview with SearchSecurity. Some companies have become confident that if something happens, they will be covered.

"A few customers say, 'Why are you bothering to alert me, you've got me covered,' or 'I have insurance, so why are you telling me to fix things?'" Chakravarty said. "Additionally, if attackers know you're insured, they'll attack you because there's a higher chance of paying it."

Mandiant also addressed a problem stemming from alerts. In both incident response scenarios detailed during the presentation, Bennett said, the victims were equipped with endpoint security tools that identified credential harvesting and issued an alert. However, the human expertise was lacking.

Bennett said there's often failure in the analyst being able to see the alert, understand the full context and piece it together as part of a more significant event.

Chakravarty has observed similar problems with responses to alerts. In some cases, they are ignored, she said. Other times, there are too many people to loop in, or the person who received the alerts no longer works for that company.

"Recently we started tracking preventability, and almost 50% to 60% of ransomware cases are preventable if they had responded [to alerts]," Chakravarty said.

When Mandiant clients do pay, Wong said, nearly 100% do not attempt to recover the funds, even when law enforcement offers to do so. Several reasons contribute to that decision, including cyber insurance and potential attack reciprocation.

"You just suffered a ransomware attack and made that difficult decision to pay, and once you do, you don't really want to open that can of worms," Wong said during the session. "I do want to give law enforcement credit -- for a lot of crimes, you can follow the money and tackle the problem. But with ransomware today, if the victims aren't really trying to recover those funds, it will make it a lot harder for law enforcement, and we're going to have to tackle this in a different way."

See more here:
Mandiant: Cyberextortion schemes increasing pressure to pay - TechTarget

In October 2017, Yahoo! disclosed a data breach that had leaked sensitive information of over 3 billion user accounts, exposing them to identity theft. The company had to force all affected users to change passwords and re-encrypt their credentials. In recent years, there have been several instances of such security breaches that have left users vulnerable.

Almost everything we do on the internet is encrypted for security. The strength of this encryption depends on the quality of random number generation, says Nithin Abraham, a PhD student at the Department of Electrical Communication Engineering (ECE), Indian Institute of Science (IISc). Abraham is a part of a team led by Kausik Majumdar, Associate Professor at ECE, which has developed a true random number generator (TRNG), which can improve data encryption and provide better security for sensitive digital data such as credit card details, passwords and other personal information. The study describing this device has been published in the journal ACS Nano.

Encrypted information can be decoded only by authorised users who have access to a cryptographic key. But the key needs to be unpredictable and, therefore, randomly generated to resist hacking. Cryptographic keys are typically generated in computers using pseudorandom number generators (PRNGs), which rely on mathematical formulae or pre-programmed tables to produce numbers that appear random but are not. In contrast, a TRNG extracts random numbers from inherently random physical processes, making it more secure.

In IIScs TRNG device, random numbers are generated using the random motion of electrons. It consists of an artificial electron trap constructed by stacking atomically-thin layers of materials like black phosphorus and graphene. The current measured from the device increases when an electron is trapped, and decreases when it is released. Since electrons move in and out of the trap in a random manner, the measured current also changes randomly. The timing of this change determines the generated random number. You cannot predict exactly at what time the electron is going to enter the trap. So, there is an inherent randomness that is embedded in this process, explains Majumdar.

The performance of the device on the standard tests for cryptographic applications designed by the US National Institute of Standards and Technology (NIST) has exceeded Majumdars own expectations. When the idea first struck me, I knew it would be a good random number generator, but I didnt expect it to have a record-high min-entropy, he says.

Min-entropy is a parameter used to measure the performance of TRNGs. Its value ranges from 0 (completely predictable) to 1 (completely random). The device from Majumdars lab showed a record-high min-entropy of 0.98, a significant improvement over previously reported values, which were around 0.89. Ours is by far the highest reported min-entropy among TRNGs, says Abraham.

The teams electronic TRNG is also more compact than its clunkier counterparts that are based on optical phenomena, says Abraham. Since our device is purely electronic, millions of such devices can be created on a single chip, adds Majumdar. He and his group plan to improve the device by making it faster and developing a new fabrication process that would enable the mass production of these chips.

Continue reading here:
Using the random motion of electrons to improve cybersecurity - Help Net Security