Articles

4 alternatives to encryption backdoors, but no silver bullet

Alternatives to backdoors in end-to-end encryption exist, but not all address privacy and security concerns, say experts at last week’s Enigma conference.

End-to-end encrypted communication has been a boon to security and privacy over the past 12 years since Apple, Signal, email providers, and other early adopters first started deploying the technology. At the same time, law enforcement authorities around the globe have pushed for technological solutions to pry open the chain of protected end-to-end encrypted content, arguing that the lack of visibility provides a haven for criminals, terrorists and child abusers to hatch their plans with impunity.

In 2016, Apple prevailed in a now-famous legal standoff with FBI Director James Comey over unlocking an encrypted phone used by a mass shooter in San Bernardino, California. In 2019, Attorney General William Barr revived the so-called backdoor debate to advocate some means of breaking encryption to thwart those who distribute child sexual abuse material. Last month, the UK government kicked off a PR campaign to lay the groundwork for killing off end-to-end encryption, ostensibly to crack down on child sex abusers.

This article appeared in CSO Online. To read the rest of the article please visit here.

Image by Tumisu from Pixabay

Apple

Apple plan to scan users’ iCloud photos raises new…

Experts argue that Apple is clearing a path for governments to gain access to their citizens’ data, essentially an encryption backdoor.

A firestorm emerged on Friday and raged during the weekend over Apple’s new “Expanded Protections for Children,” a series of measures across Apple’s platforms aimed at cracking down on child sexual abuse material (CSAM). The new protections address three areas, including communications tools for parents and updates to Siri and search to help children and parents deal with unsafe situations.

The flashpoint for cryptographers, cybersecurity specialists, and privacy advocates is Apple’s planned use of “new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy.” The plan is to scan users’ photo libraries and then apply a new form of encryption to compare those photos to images from existing CSAM libraries.

The new cryptography applications in iOS and iPadOS would allow Apple to scan users’ entire photo libraries hunting for known CSAM images uploaded from their devices to iCloud Photos and then report these instances to the National Center for Missing and Exploited Children (NCMEC). Apple says, “the hashing technology, called NeuralHash, analyzes an image and converts it to a unique number specific to that image,” which allows systems “to perform on-device matching using a database of known CSAM image hashes provided by NCMEC and other child-safety organizations.”

“This is a really bad idea,” leading cryptographer Matthew Green tweeted at the start of a lengthy thread that sparked the now widespread uproar over Apple’s plan. The problem is that this system could be the tip of the spear that essentially provides an encryption backdoor that the US and other global authorities have sought since the 1990s. “This sort of tool can be a boon for finding child pornography in people’s phones, but imagine what it could do in the hands of an authoritarian government,” Green tweeted.

As the implications of what Apple is proposing became clear, over 4,000 security and privacy experts, cryptographers, researchers, professors, legal experts, and Apple customers signed An Open Letter Against Apple’s Privacy-Invasive Content Scanning Technology. The signatories, including NSA whistleblower Edward Snowden, contend that “Apple’s proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by iMattSmart on Unsplash

Articles

CISO Q&A: How AvidXchange manages COVID-related threats and risk

Like many CISOs, Christina Quaine’s team is supporting the payment processor’s work-at-home employees and managing internal pandemic-specific risks. It also helps its mid-market customers meet new security challenges.

CSO caught up with Christina Quaine, the CISO of AvidXchange, a North Carolina-based payments processor that focuses on mid-market companies. We talked to her about how this mid-sized company, with 1,400 or so employees, has dealt with the changes wrought by the COVID pandemic. Given the company’s role in financial transactions, we were particularly keen to hear how the rise in coronavirus fraud was affecting her job. Below is a transcript of our conversation, edited for length and clarity.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

18 (new) ways attackers can compromise email

Researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders, making it even easier for criminals to fool users.

All organizations wrestle with chronic phishing attacks that are the primary vectors through which malicious actors breach systems and spread malware.

Most phishing attackers deliver their payloads on networks by crafting spoofed emails that look like they come from legitimate, authoritative senders. Those look-alike emails instead derive from domains deployed solely for malicious purposes. It’s virtually impossible for most email recipients to detect the differences between real and spoofed email accounts, making phishing an intractable and seemingly never-ending problem for users and organizations alike.

Now computer science researchers have discovered eighteen new vulnerabilities in how email systems authenticate senders. Vern Paxson, Professor of Computer Science at UC Berkeley and Co-Founder and Chief Scientist at Corelight; Jianjun Chen, Post-Doc researcher at the International Computer Science Institute; and Jian Jiang, Senior Director of Engineering at F5 (Shape Security), presented the results of their research at Black Hat last week in a talk entitled “You Have No Idea Who Sent That Email: 18 Attacks on Email Sender Authentication.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Mathematical Mesh alpha release promises better end-to-end encryption

Web pioneer proposes a new cryptographic system that relies on threshold key infrastructure to improve end-to-end encryption.

One of the main challenges posed by the internet has been the need to secure communications across a massive tangle of public and private networks. Security experts agree that end-to-end communication encryption is the best means of defending users against third-party interception or breaches that could expose the potentially sensitive content.

End-to-end encryption, however, has been more of a dream than a reality, particularly given the rise of “walled gardens” led by internet giants such as Google, Facebook and Amazon. Each always maintains some form of access to their users’ communications.

A new approach to end-to-end encryption called Mathematical Mesh was quietly introduced at this year’s HOPE (Hackers of Planet Earth) conference by esteemed cryptographer Phillip Hallam-Baker, who is currently a principal scientist at Comodo and was formerly a member of the CERN team that designed the World Wide Web, among many other accomplishments.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

Bipartisan bill could bring back the White House national…

Cyberspace Solarium Commission leaders introduce the National Cyber Director Act to reintroduce cybersecurity expertise into the White House.

Last week a bipartisan group of US House of Representatives legislators introduced the National Cyber Director Act to create the position of a national cyber director within the White House. The creation of this role is one of the chief recommendations of an increasingly influential intergovernmental group known as the Cyberspace Solarium Commission.

The commission issued its report, the product of months-long deliberations by four members of Congress, four senior executive agency leaders and six experts from outside of government, just as the coronavirus pandemic quarantine kicked in during March. Nevertheless, the commission’s 80 recommendations, such as creating a national cyber director, are quickly being translated into actionable legislation on Capitol Hill.

Two of the commission’s leaders, Cyberspace Solarium Chair Congressman Jim Langevin (D-RI) and Solarium Co-Chair Congressman Mike Gallagher (R-WI), introduced the bill. Other legislators backing the bill include House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-NY), Ranking Member of the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure and Innovation John Katko (R-NY), former Ranking Member of the House Intelligence Committee C. A. Dutch Ruppersberger (D-MD), and Ranking Member of the House Intelligence Committee’s Subcommittee on Intelligence Modernization and Readiness Will Hurd (R-TX).

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

New Republican bill latest in long line to force…

Here we go again. Senate Republicans push a new bill to mandate “lawful access” to encrypted devices and data. It won’t end until law enforcement has better cyber forensics capabilities.

In what seems like Groundhog Day when it comes to encrypted communications, a group of Republican senators last week introduced the Lawful Access to Encrypted Data Act, which aims to end the use of so-called “warrant-proof” encrypted technology by terrorists and criminals. Senate Judiciary Committee Chairman Lindsey Graham (R-SC), Tom Cotton (R-AR) and Marsha Blackburn (R-TN) introduced this latest measure to find a way for law enforcement to gain access to devices and data that are protected by unbreakable encryption methods.

“The Lawful Access to Encrypted Data Act is a balanced solution that keeps in mind the constitutional rights afforded to all Americans while providing law enforcement the tools needed to protect the public from everyday violent crime and threats to our national security,” the Senators said in a statement.

Although the bill’s proponents don’t say so explicitly, the “lawful access” it seeks to establish mirrors a long string of potentially damaging efforts by the federal government to install backdoors into encrypted communications, according to critics. Virtually all cybersecurity and cryptography experts insist that any break in the encryption chain will break security and protection altogether, leaving criminals and adversarial nation-states with even more power to hack into users’ devices and communications for nefarious purposes.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

US elections remain vulnerable to attacks, despite security improvements

Continued Russian interference and insecure paperless voting processes will sow doubt about the next election.

Days away from the Iowa caucuses, and less than 11 months from the general election, voting and election security continues to be a challenge for the U.S. political system. Threats to a secure election appear to loom as large today as they did in 2016, when Russian state-backed hackers and social media trolls threw U.S. political campaign and election efforts into chaos, turmoil that only became clear after the fact.

Certainly, voting security has made great strides since 2016. State and local governments took advantage of a funding boost under the Help America Vote Act to improve their infrastructure and better coordinate among themselves to harden election systems. Congress allocated an additional $425 million as part of a spending compromise that was passed and enacted in late-December, giving election officials even more latitude to make improvements.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

2020 outlook for cybersecurity legislation

Here’s a rundown of all the security-related bills working their way through this year’s U.S. Congress, plus some hot security topics likely to be debated.

As the partisan divide in Washington widens during this 116th Congress, the prospects of enacting any meaningful legislation that bolsters the nation’s cybersecurity seem, at first blush, dim. Of the nearly 300 pieces of legislation that touch on some aspect of cybersecurity, or more urgently, election security, introduced since the current Congress began last year, only nine have become law. Most were budget-related measures that appropriated or increased funds for federal agencies to spend on cybersecurity or election security as part of the fiscal 2020 spending deal passed in December.

Now, roughly halfway through the current Congress, it’s time to take stock and review where things stand in the legislative arena. A number of bills have been passed by either the House or the Senate and are awaiting further action. They are worth watching in 2020 because they have progressed the farthest and arguably might come closest to gaining some momentum toward passage.

This article appeared in CSO Online. To read the rest of the article please visit here.

Articles

High-profile departures widen federal government’s security talent shortage

Recent key departures, voluntary and forced, might make it harder for government agencies to find the talent needed to fulfill their security missions.

Respected and influential government cybersecurity veteran Jeanette Manfra announced this month that she is leaving her position at DHS to join Google as its global director of security and compliance as part of a new security team at Google Cloud. At Google, Manfra, who currently holds the title of Assistant Director for Cybersecurity for the Office of Cybersecurity and Communications at DHS’ Cybersecurity and Infrastructure Security Agency, will spearhead an “Office of the CISO” initiative at Google Cloud to help customers improve their security postures.

Manfra’s departure is just the latest in a string of high-profile departures of well-regarded cybersecurity experts from the federal government. Google has recruited at least two other prominent government cybersecurity officials. Kate Charlet, who served as acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense, left in 2017 and is now Director of Data Governance at Google. Daniel Pietro, who was Director for Cybersecurity Policy on the staff of the National Security Council, left his role in 2017 to join Google as an executive for Public Sector Cloud.

This article appeared in CSO Online. To read the rest of the article please visit here.