Category Archives: Encryption

More on Law Enforcement Backdoor Demands

The Carnegie Endowment for International Peace and Princeton University's Center for Information Technology Policy convened an Encryption Working Group to attempt progress on the "going dark" debate. They have released their report: "Moving the Encryption Policy Conversation Forward.

The main contribution seems to be that attempts to backdoor devices like smartphones shouldn't also backdoor communications systems:

Conclusion: There will be no single approach for requests for lawful access that can be applied to every technology or means of communication. More work is necessary, such as that initiated in this paper, to separate the debate into its component parts, examine risks and benefits in greater granularity, and seek better data to inform the debate. Based on our attempt to do this for one particular area, the working group believes that some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed. If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas. Other forms of access to encrypted information, including encrypted data-in-motion, may not offer an achievable balance of risk vs. benefit, and as such are not worth pursuing and should not be the subject of policy changes, at least for now. We believe that to be productive, any approach must separate the issue into its component parts.

I don't believe that backdoor access to encryption data at rest offers "an achievable balance of risk vs. benefit" either, but I agree that the two aspects should be treated independently.

EDITED TO ADD (9/12): This report does an important job moving the debate forward. It advises that policymakers break the issues into component parts. Instead of talking about restricting all encryption, it separates encrypted data at rest (storage) from encrypted data in motion (communication). It advises that policymakers pick the problems they have some chance of solving, and not demand systems that put everyone in danger. For example: no key escrow, and no use of software updates to break into devices).

Data in motion poses challenges that are not present for data at rest. For example, modern cryptographic protocols for data in motion use a separate "session key" for each message, unrelated to the private/public key pairs used to initiate communication, to preserve the message's secrecy independent of other messages (consistent with a concept known as "forward secrecy"). While there are potential techniques for recording, escrowing, or otherwise allowing access to these session keys, by their nature, each would break forward secrecy and related concepts and would create a massive target for criminal and foreign intelligence adversaries. Any technical steps to simplify the collection or tracking of session keys, such as linking keys to other keys or storing keys after they are used, would represent a fundamental weakening of all the communications.

These are all big steps forward given who signed on to the report. Not just the usual suspects, but also Jim Baker -- former general counsel of the FBI -- and Chris Inglis: former deputy director of the NSA.

Key Blocks 103


The PCI PIN Standard requires implementation of Key Blocks.  On the blog, the third of the series, we cover basic questions about the 3 phases for implementing the Key Blocks requirements.   On our first blog, Key Blocks 101, we covered basic questions about this security method and how it helps secure payment data.The second blog in the series, Key Blocks 102, addressed questions around Key Block applicability.

How important is it to understand enterprise security management?

Estimated reading time: 3 minutes

Businesses increasingly face a wide array of ever-changing cyber risks as they adapt to the technologies and trends of today’s work environment. The world is in the throes of a digital revolution which has constituted a wide array of changes that enterprises must manage, from the Internet of Things to mobility management and many more. To ensure that enterprise security does not get breached, the importance of Enterprise Security Management (ESM) cannot be understated.

Defining Enterprise Security Management

Enterprise Security Management refers to entire set of end-to-end processes through which an enterprise creates a security management framework for their organization. A comprehensive ESM process will include a wide range of security protocols that an enterprise is following including endpoint security, network security management, Intrusion Prevention & Detection Systems, Encryption, Backup, Patch Management, Mobile Device Management (MDM), Incident Response Plans and so on.

As mentioned earlier, Enterprise Security Management is the key function that ties the entire organization with cyber security. It is in many ways, the one inter-related process which connects the enterprise’ cyber security outlook and shapes its attitude and outlook towards threat prevention. A perfectly designed Enterprise Security Management process will ensure that all the different parts of the process work well in sync with each other, doing the job of protecting the enterprise from cyber threats outside. However, a disconnected process will result in one hand not knowing what the other is doing, causing confusion and incoherence in the entire enterprise. The consequences of this can be severe – cyber criminals are always on the lookout for such enterprises and a cyber attack could lead to both financial and reputational damage.

To go about creating a strong ESM process, it is important to first do a proper assessment of the following factors:

  • Critical Data – All data is not the same and this is common for all enterprises. There will be data that is absolutely critical to the company and cannot be breached, there will be data that is confidential and there will be data which is none of the above two. An assessment needs to be made about this categorization of data, as that will help in creating different layers of data security.
  • Policies in place – Are the policies in place helping drive employees and the company’s outlook towards cyber security? Information security and cyber security are linked and it is a good idea to do a thorough review of the Information Security Policy of a company before finalizing on an enterprise security management approach.
  • Likely threats – A threat assessment report is very important for an enterprise to identify the types of the threats that they are most vulnerable against. This will help in creating strategies and contingency plans to deal with such threats. Threats can also be classified into categories as 1. Extreme Vulnerability, 2. Medium Vulnerability, 3. Low Vulnerability.
  • Patch management – What is the current state of infrastructure, especially patch management? Is the enterprise using outdated software and hardware, poorly patched and hence making itself vulnerable to cyber attacks?
  • MDM readiness – With business shifting to mobile devices and the lines between the personal and the professional blurring, enterprises must evaluate their readiness when it comes to Mobile Device Management (MDM) and come to an agreement about the kind of security controls they would like to impose.

The above points make it quite evident about the importance of Enterprise Security Management (ESM). For support in this regard, organizations can consider Seqrite, a leader in cyber security, for the provision of a secure platform for businesses to keep their data safe online. A multi-layered solution offers a range of powerful tools to allow enterprises to block malware, vulnerabilities and unauthorized alien access, leading to an unrisk enterprise.

The post How important is it to understand enterprise security management? appeared first on Seqrite Blog.

MegaCortex Returns…

MegaCortex, a ransomware which was first spotted in January this year, has become active again and has changed the way it previously attacked/targeted the corporate world. In order to simplify its execution and increase its scale of operation, it uses ‘Command Prompt’ instead of ‘PowerShell’ in current targeted campaign. Key…

UK Pub Chain ‘Greene King’ Gift Card Website Hacked

Major UK pub chain, Greene King (Bury St. Edmunds), had its gift card website (https://www.gkgiftcards.co.uk) compromised by hackers. The personal data breach was discovered on 14th May 2019 and confirmed a day later. The pub, restaurant and hotel chain informed their impacted customers by email today (28th May 2019).


Greene King said the hackers were able to access:
  • name
  • email address
  • user ID
  • encrypted password
  • address
  • post code
The pub chain did not disclose any further details on how passwords were "encrypted", only to say within their customer disclosure email "
Whilst your password was encrypted, it may still be compromised". It is a long established good industry coding practice for a website application's password storage to use a one-way 'salted' hash function, as opposed to storing customer plaintext passwords in an encrypted form.

No details were provided on how the hackers were able to compromise the gift card website, but there is a clue within Greene King's email statement, which suggests their website had security vulnerabilities which were fixable, "
we have taken action to prevent any further loss of personal information"

The number of customer records impacted by this data breach has also not disclosed. However, as this was a breach of personal information, Greene King was obligated under the DPA\GDPR to report the breach to the Information Commissioner's Office (ICO) as well as its impacted customers. Both Greene King and ICO are yet to release a press statement about this data breach.

This is not the first data breach reported by Greene King in recent times, in November 2016 2,000 staff bank details were accidentally leaked.

Greene King Personal Data Compromise Email to Customers
Dear Customer,
I am writing to inform you about a cyber-security breach affecting our website gkgiftcards.co.uk.

Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, post code and gift card order number. Whilst your password was encrypted, it may still be compromised. It is very important that you change your password on our website, and also any other websites where this password has been used.

When you next visit our website, using the following link (https://www.gkgiftcards.co.uk/user) you will be prompted to change your password. As a consequence of this incident, you may receive emails or telephone calls from people who have obtained your personal information illegally and who are attempting to obtain more personal information from you, especially financial information.

This type of fraud is known as 'phishing'. If you receive any suspicious emails, don't reply. Get in touch with the organisation claiming to have contacted you immediately, to check this claim. Do not reply to or click any links within a suspicious email and do not dial a suspicious telephone number given to you by someone who called you. Only use publicly listed contact details, such as those published on an organisation's website or in a public telephone directory, to contact the organisation to check this claim. At this stage of our investigation, we have no evidence to suggest anyone affected by this incident has been a victim of fraud but we are continuing to monitor the situation. We have reported the matter to the Information Commissioner's Office (ICO).

As soon as we were made aware of the incident, our immediate priority was to close down any exposure, which has been done, and then confirm which customer accounts have been affected. I recognise that this is not the sort of message you want to receive from an organisation which you have provided your personal information to. I want to apologise for what has happened, and reassure you that we have taken action to prevent any further loss of personal information, and to limit any harm which might otherwise occur as a result of this incident.

Phil Thomas
Chief Commercial Officer of Greene King Plc.

Advice
  • Change your Greene King account password immediately, use a unique and strong password.
  • Ensure you have not used the same Greene King credentials (i.e. your email address with the same password) on any other website or app, especially with your email account, and with banking websites and apps. Consider using a password manager to assist you in creating and using unique strong passwords with every website and application you use.
  • Always use Multi-factor Authentication (MFA) when offered. MFA provides an additional level of account protection, which protects your account from unauthorised access should your password become compromised.
  • Check https://haveibeenpwned.com/ to see if your email and password combination is known to have been compromised in a past data breach.
  • Stay alert for customised messages from scammers, who may use your stolen personal information to attempt to con you, by email (phishing), letter and phone (voice & text). Sometimes criminals will pretend to represent the company breached, or another reputable organisation, using your stolen personal account information to convince you they are legit.
  • Never click on links, open attachments or reply to any suspicious emails.  Remember criminals can fake (spoof) their 'sender' email address and email content to replicate a ligament email.

How Business can address the Security Concerns of Online Shoppers

It’s no secret that cybersecurity is an epidemic problem that affects online businesses on a global scale. E-commerce businesses are especially affected by data breaches because it weakens the consumer’s trust in online businesses to protect their personal data. In response to the growing number of breaches, governments and enterprises alike are stepping up to the plate to provide sustainable solutions to the problem.

The UK is aiming to become a world leader in cybersecurity by investing a substantial amount of money (to the tune of £70 million) in the Industrial Strategy Challenge Fund. The fund represents the government’s commitment to increase funding in research and development by £4.7 billion over a four year period. One of the primary goals of the investment will be to supply the industry with the money necessary to design and develop state-of-the-art hardware that’s more secure and resilient to common cyber threats.

The logic stems from the fact that cybercriminals are constantly finding new ways to exploit current technology, so the best way to combat future attacks is to design chips and hardware with stronger security features built into them to outpace cyber threats. However, this means businesses will have to invest in new IT systems as it rolls out to keep their security measures up to par.

For the time being, online business owners need to do everything in their power to address the privacy concerns of their users. In some cases, this might mean investing in more secure and modern e-commerce platforms that offer security features, such as TLS (still commonly known as SSL) protection and security software to protect against malware attacks, or simply generating new, strong admin passwords on a regular basis.

The fact is, there is no way to provide customers with a 100% guarantee their personal data is safe, but there are actions webmasters and companies can do to make their websites a lot safer to use by their customers. To help you learn more about how you can secure your site from cyber threats, Wikibuy has laid out 15 steps in the infographic below.


How Business Owners Can Address Online Shopping Concerns

Why the government isn’t a fan of commercial encryption


Federal governments and major technology firms are arguing for or against encryption, respectively. But why?

Due to recent political turmoil and devastating events overseas, the topic of end-to-end encryption has reentered public discussion. At the center of the debate, you have federal governments and major technology firms, each arguing for or against encryption.

The Encryption That Businesses Need, But CISOs Forget About

 By Joseph Steinberg  CEO, SecureMySocial JosephSteinberg

 

Many businesspeople put their firms’ data at risk because they fail to understand several important concepts about encryption. Simply understanding that data can be protected from unauthorized parties by encrypting it is insufficient to deliver security; in order to secure information people must know when needs to be secured, and must actually encrypt accordingly.

Should You Encrypt Data Before it Goes to the Cloud?

 

American cloud service providers such as Microsoft are opening local data centers in foreign countries at the request of the respective foreign governments and customers located in those countries. The thinking behind this strategy is that data located in a particular country is subject to the country’s data privacy laws, which may be different from those in effect in the United States. When your data is stored in the country where your customers are resident, it seems logical to believe cloud service providers when they say their local data centers operate according to that country’s laws. In reality, the situation is more complicated, and the location of the data in a particular country is not enough to guarantee privacy.