
Category: Cryptography

There are 4 posts published under Cryptography.

How to Be Secure With an Insecure Internet

Governments have been spying on their citizens since the dawn of time. From McCarthyism to PRISM, the scale of surveillance throughout history has varied according to the resources it took to dig up information on people.

Back in the 1950s, it cost tens of thousands of dollars to investigate one person, and it might have taken days, weeks, months, or years to find anything. Now, it costs the NSA just 6.5 cents an hour to spy on you.

Of course, the everyday low, low price of surveillance is great for unraveling terrorist plots, but what happens when it costs practically nothing to spy on thousands or millions of people?

These government agencies are going to collect whatever information we put out there, and we’re putting out a lot.

Think about a government or corporate entity having access to your entire Google search history, private emails, instant messages, purchase behavior, or even location data that shows where you’ve been. This is information we readily volunteer when we agree to many “free” services’ terms and conditions, trusting that companies will be responsible stewards of our private data.

The Reality of the Internet

While we’d like to believe that changing our passwords constantly is enough to protect the vast amount of information we supply on a daily basis, data security is a mathematically impossible myth. You have data; that data is private or public, sensitive or immaterial. The more powerful the data, the more you have to think about how to protect it.

Just as governments can potentially investigate anything they deem a threat due to the low (or nonexistent) cost of advanced surveillance, so can “the bad guys.” Large bureaucracies are no longer the only entities that can possess and utilize such powerful and precise resources. There’s a cyber war underway today, and we’re all in a battle to protect our privacy and integrity.

Guarding Your Digital Self

Ultimately, the responsibility of security on the Internet rests in your hands. You can control how much information you share or supply digitally.

1. Your Stream

Any time your data is online, you have a personal responsibility to exercise due diligence. You can’t necessarily control what your kids do with tech out in the world, but you can keep them secure by teaching them responsible device usage at home. The more powerful the data you possess, the more you have to think about how to protect it.

Always encrypt your data, and if your data is important or extremely sensitive, think very carefully about where you share that information. This idea applies to your digital integrity and even your family’s personal safety. Consider these factors when deciding how much control you need to have over your child’s Facebook posts or your sharing of family information. Unguarded information can, unfortunately, provide anyone the opportunity to see what your child likes and where he or she hangs out. Be proactive in protecting your data. The costs of not doing so could greatly outweigh the inconvenience.

2. Governments and Corporations

If you trust data to make decisions — which you do every time you turn on your phone or swipe a credit card — make sure that data has integrity. Pressure the companies you do business with to protect your data, and realize that once it’s out of your hands, you have to trust that company’s encryption and integrity. Make sure you choose those companies wisely.

Again, the safest data that exists is the data that isn’t connected to the Internet. That’s why some of the most sensitive government and corporate environments have air gaps, meaning they literally aren’t connected to the Internet.

Resetting the Internet

If you don’t trust other entities to handle your data, you may be thinking, “Can’t we erase it and start over?”

The simple answer is no. Some have tried to imagine what an Internet 2.0 would look like, but the Internet is just an agreement between individuals on how they communicate with each other. As long as people are generous with their data, there will be those looking to exploit it.

The chaos of the Internet is part of its beauty, and a lack of central authority has been its strength. Not until very recently have we started to allow corporations and governments to control that here in the U.S., and it’s a slippery slope that will continue to push the Internet into a controlled environment until we say enough is enough.


Daniel Riedel is the CEO of New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. New Context provides systems automation, cloud orchestration, and data assurance through software solutions and consulting. Daniel has experience in engineering, operations, analytics, and product development. Previously, he founded a variety of ventures that worked with companies such as Disney, AT&T, and the National Science Foundation.


Top Tech and Startup News: 7 Things You Missed

Below is today’s top technology and startup news.


1. $6200 Bitcoin Heist Threatens Android Operating System

Hold onto your digital wallet. As expected, flaws in operating systems are being exploited to “pilfer” bitcoin. Google developers confirmed the cryptographic vulnerability, claiming there is a serious threat to “hundreds of thousands” of Android apps.

Undoubtedly, this is bad press for Bitcoin. Yet, this is even worse news for Android, with over 90% of mobile malware being detected on this mobile operating system.

Update: Today, it was reported that Google is distributing patches through the Open Handset Alliance.

Here’s a quote from Alex Klyubin, a Google security engineer who first reported the situation:

“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG.”

http://arstechnica.com/security/2013/08/google-confirms-critical-android-crypto-flaw-used-in-5700-bitcoin-heist/

https://bitcointalk.org/index.php?topic=271486.0/


2. Google Blocks Microsoft’s YouTube app

Just days after announcing the release of the YouTube app on Windows Phone, Google has officially blocked the app.

This action was in response to errors which started to pop up this week. Google stated the full YouTube experience could not be enjoyed with the current browser.

Here’s a quote from a Google spokesperson:  “It has been disabled. We value our broad developer community and therefore ask everyone to adhere to the same guidelines.”

http://www.theverge.com/2013/8/15/4624706/google-blocks-window-phone-youtube-app

3. Washington Post has been Hacked by Syrian Electronic Army

It’s been a big week for the Post. After Jeff Bezos’ announcement that he would buy the Post for an estimated $250 million, the website has now been hacked. Reportedly, readers of some articles are being redirected to the Syrian Electronic Army website.

http://allthingsd.com/20130815/washington-post-site-is-hacked/

4. “Julian Assange with a Hypodermic Needle” - The Silk Road drug-peddling website to be featured in magazine

He’s the Al Capone of the internet, known more commonly as Dread Pirate Roberts, and has spent the last two years carefully building a website to peddle drugs. And these are not just your typical over-the-counter drugs. We’re talking heroin, meth, crack, LSD and ecstasy, all mailed through our local, friendly post office.

Forbes plans to run a full-feature article on Roberts.

5. Paypal freezes IndieGoGo campaign worth over $100,000 - then reverses the decision

With 9 days to go in the campaign, a Google Glass competitor ‘GlassUp’ was told they will only receive “a tiny amount of the funds.” The Italian hardware manufacturer would have been greatly hampered by this decision. But, after receiving mainstream press, Paypal reversed their decision stating:

“We looked into what was happening with GlassUp and corrected the situation earlier today. GlassUp now has access to all of the funds that they’ve raised on Indiegogo through PayPal. We think they are developing a fascinating product and don’t want to impede their innovation in any way.”

http://venturebeat.com/2013/08/14/glassup-raised-100k-on-indiegogo-but-paypal-is-refusing-to-pay-up/


6. Awesome Fashion Designer Fights Government Surveillance

Here’s one way to speak out against government surveillance. An activist and designer has created an anti-drone garment resembling a burqa to demonstrate the seriousness of our situation. The garment reflects heat, masking the wearer’s thermal signature while reducing visibility to infrared sensors. You can check it out here:

Adam Harvey / ahprojects.com

http://www.washingtonpost.com/lifestyle/style/designers-trying-to-help-people-fight-government-surveillance/2013/08/15/824faf84-0533-11e3-88d6-d5795fab4637_gallery.html#photo=7

Fashion designer fights against surveillance

7. Design Your Heart Out: Getty Releases 4600 Amazing Images to the Public

In a world of stock photos and vector art, the newest announcement by Getty is a pleasure to hear. Perhaps one of the world’s finest collections of artwork is now open to the public. The initiative, which sets a precedent for other art collections, is called the Open Content Program, and the images are free to use.

You can browse the collection here: http://search.getty.edu/gateway/search?q=&cat=highlight&f=%22Open+Content+Images%22&rows=10&srt=a&dir=s&pg=1


Kaspersky Labs explains: How to Protect Your Business from Cyber Attacks Part II

In the first part of this article, we told you about targeted cyber attacks and how cyber criminals penetrate corporate networks, attacking the computers of employees who use their desktops for social networking and other cyber-skiving.

Along with targeted cyber attacks there are other threats. Intentionally or by chance, employees may be guilty of disclosing confidential data or breaking copyright laws, which might result in lawsuits against the company.


We will tell you about some incidents related to the storage and transfer of corporate documents via a personal mailbox or a cloud service and the use of software for P2P file sharing. We will explain what technologies and security policies allow system administrators and IT security specialists to prevent such incidents.


Reputation loss

Your company’s reputation is worth protecting - and not only from cyber criminals.  Employees who send professional correspondence to their personal mailboxes, download illegal content, or use pirated software on corporate computers never think they might damage their company’s reputation.

Confidential information disclosure

One company faced an incident in which extremely confidential information was disclosed. Data security specialists started the investigation by examining the leaked documents and were surprised to find that the metadata still contained important information: the company’s name, the name of the computer on which the document was last saved, authors’ names, e-mail addresses, telephone numbers, and more. Criminals usually delete this data to hide the source of a leak. During the investigation, the experts found that copies of the disclosed documents were stored on the computers of five employees. None of them admitted to handing the documents over to a third party; moreover, on learning about the incident during their interview with the security team, all of them were genuinely surprised. Analysis of the corporate proxy-server logs then revealed that one of those five employees had uploaded copies of the disclosed files to a mail service.


At the second interview, this employee confessed that he had used his personal mailbox a few times to store corporate documents.  It was convenient: if he had no time to finish or read a document, he sent it to his personal mail and finished it at home.  Any employee could gain remote access to his corporate mailbox on request, but the employee hadn’t set up any extra protections.  He didn’t anticipate any problems with using his personal mailbox for work.


Having gained access to his personal mailbox, data security specialists checked the list of IP addresses used to connect to the e-mail.  Along with the employee’s home and corporate IP addresses, a lot of other addresses of proxy-servers from different countries surfaced.


While investigating the employee’s computer security, specialists discovered spyware that logged all the account data for different systems - sites, social networks, mailboxes, and online banking services.  Having used the malware to gain access to the employee’s mailbox, the criminal found a lot of corporate documents stored there.

Though the guilty employee was fired, the reputational damage to the company lingers on.

Breach of copyright

It’s widely known that downloading pirated content is a violation of copyright law. However, few people remember that when you use the Internet from your corporate network, you use your company’s IP address. This means that if a violation is discovered, it is the company that will be liable.


A small company suffered an unpleasant incident. At certain times there was a sharp drop in Internet connection speed. Network traffic statistics showed one computer using 80% of the network capacity, with incoming and outgoing connections off the scale. The sysadmin assumed that the computer was being used to share files on a P2P network.


It turned out that one employee had brought his personal laptop and connected it to the corporate network. A BitTorrent client installed on the laptop was set to run automatically when the system started.  The employee had forgotten all about it and the program running on his laptop caused trouble with the Internet connection.

Three months later, local law enforcement authorities came to the office with a search warrant and seized many hard drives and documents, because they suspected the company of using pirated software in breach of copyright rules. In the end, the company was fined and, since then, stronger restrictions against pirated software have been introduced in its security policy. Now, employees face serious sanctions for a first offense and lose their jobs on any repeat. In addition, illegal content (hacked software, video, music, e-books, etc.) is forbidden whether it is downloaded to a corporate computer from the Internet or brought from home.


Solution

We described just two cases in which the violation of corporate policies by employees led to serious incidents.  In everyday life, there are many more scenarios like this.  Fortunately, there are also some simple methods, which, together with security policies, can help to prevent the majority of these incidents.


Network Traffic Control

In the incidents described above, where corporate documents leaked and unlicensed content was loaded via P2P, the corporate network served as the channel to send and receive data. Firewalls, IPS, HIPS, and other technologies allow system administrators and IT security specialists to limit or block:

  • Access to public services and their servers - mail services, cloud storages, sites with forbidden content, etc.
  • Use of ports and protocols for P2P sharing
  • Sending corporate data outside the corporate network


It’s worth remembering that no single control of network traffic can provide the highest level of corporate network security.  In order to bypass security policies, employees can use traffic encryption methods, connect to the copies (mirrors) of blocked online services, or use proxy servers and anonymizers.  Moreover, many applications can use other application ports and embed their traffic into various protocols, which cannot be forbidden.  In spite of these obstacles, network traffic control is important and necessary, but it needs to be combined with application control and file encryption.


Application control

Using application control, a system administrator or data security specialist can not only forbid unwanted software but also track which applications employees use, as well as when and where they use them. It’s almost impossible to blacklist every piece of pirated software, since many near-identical variants of an application may exist. So the most effective approach is to use application control in default-deny mode, ensuring that employees use only authorized software.


File encryption

It’s often impossible to track how employees use cloud services and personal mailboxes to store corporate data, which may include confidential information. Many mail and cloud storage services encrypt the files a user transmits but cannot guarantee protection against intruders: a stolen login and password will give access to the data.


To prevent this type of theft, many online services tie a mobile phone number to the account. Along with the account credentials, a criminal then also needs to intercept a one-time confirmation code sent to the mobile device during login. Note that this protection holds only if the mobile device is free of malware that would let the criminal read the code.


Fortunately, there is a safer way to protect corporate documents transmitted beyond the corporate network: file encryption. Even if intruders gain access to a mailbox or cloud storage where an employee keeps corporate papers, they won’t be able to read the content of these documents, because the files were encrypted before being transmitted to the external server.
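To make the "encrypted before it leaves the network" point concrete, here is an added example in Go; it is not Kaspersky’s code or any product described in the article. It seals a document with AES-256-GCM under a key that stays inside the organisation, binds the document name as associated data, and then shows what an intruder with only the mailbox password gets: an opaque blob that fails to decrypt without the key and also fails if a single byte is changed. The key store, the document name and the sample text are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptDocument encrypts a document with AES-256-GCM before it is sent to an
// external mail or cloud service. key is a 32-byte key held by the organisation
// and never uploaded; docName is bound as associated data so a sealed blob cannot
// be silently renamed or swapped for another document without detection.
// Output layout: nonce || ciphertext || authentication tag.
func EncryptDocument(key, plaintext []byte, docName string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per document: GCM loses its guarantees if a nonce
	// is ever reused under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(docName)), nil
}

// DecryptDocument reverses EncryptDocument. It returns an error on a wrong key,
// a modified or truncated blob, or a docName that does not match the one sealed.
func DecryptDocument(key, blob []byte, docName string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(docName))
}

func main() {
	// Constructed sample key; in practice it comes from the company's key store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	doc := []byte("CONFIDENTIAL draft: Q3 pricing proposal (constructed sample)")

	blob, err := EncryptDocument(key, doc, "q3-pricing.docx")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at the external service: %d opaque bytes, prefix %x\n", len(blob), blob[:8])

	// Back on a corporate machine that holds the key, the document is recoverable.
	pt, err := DecryptDocument(key, blob, "q3-pricing.docx")
	fmt.Printf("decrypt with key:        err=%v text=%q\n", err, pt)

	// An intruder who stole the mailbox password has the blob but not the key.
	stolenMailboxOnly := make([]byte, 32)
	_, err = DecryptDocument(stolenMailboxOnly, blob, "q3-pricing.docx")
	fmt.Printf("decrypt without key:     err=%v\n", err)

	// Changing even one byte of the stored blob is caught by the authentication tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptDocument(key, tampered, "q3-pricing.docx")
	fmt.Printf("decrypt tampered blob:   err=%v\n", err)
}
```

The design point worth noting is where the key lives: the service only ever sees the sealed blob, so a stolen login and password, the failure mode the article describes, yields nothing readable. Binding the file name as associated data is optional but cheap, and it stops a sealed document from being quietly attached under a different name.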


Security policies

Network traffic control, application control, and data encryption are important security measures that can detect and automatically prevent data leaks as well as restrict the use of unwanted software on the corporate network.  It’s still necessary, however, to implement security policies and increase employee awareness, since many users do not realize their actions may threaten their company.


In case of repeated violations, security policies should lead to administrative sanctions towards the offender, including dismissal.


Security policies should also stipulate the actions that should be taken if a former employee has access to confidential information or critical infrastructure systems.


Conclusion

Incidents like confidential data leaks or unlicensed content loaded from a corporate IP address may cause significant damage to a company’s reputation.


To prevent this damage, companies should limit or completely block employee access to online resources that may be a threat to a company, and also limit or block the use of those ports, data transmission protocols, and applications that are not required for work.  File encryption technologies should be used in order to ensure the confidentiality and integrity of corporate documents.


IT security experts should keep in mind that, along with incident detection and prevention, they should pay attention to administrative protection measures. Users should be aware of what is allowed and prohibited by a security policy and the consequences of any violation.


The Next Crypto Battle

Initial skirmishes have provided some indication that the next cryptography (crypto) battle is heating up and is not far from a full-fledged call to arms. Insights from previous battles in this continuing war are useful in predicting how it could play out.


Online security and privacy are at the heart of the battle. The most obvious foot-soldiers of this war are a new breed of ‘cypherpunks,’ who advocate crypto to fight ubiquitous government surveillance. As Julian Assange said, “No amount of coercive force will ever solve a math problem… A well-defined mathematical algorithm can encrypt something quickly, but to decrypt it would take billions of years.”


There will be a bigger, less visible part of the battle. People will want to retain control over their communications: messages, photographs, video, files, and locations. They will want to be able to use cloud computing and store their files on the Internet with the confidence that it can be done safely and securely. They will not want these things from a ‘nothing to hide’ perspective but rather as a natural and necessary prerequisite for confidence in, and the utility of, the medium.


Underpinning the Internet are the TCP/IP protocols which were designed to provide only the functions of efficiently transmitting and routing packets of data between peers. What they inherently lack is the ability to deal with network security issues such as data snooping and connection hijacking.


This wasn’t a problem when people used trusted and open networks that interconnected university computers. It rapidly became a big problem as the Internet exploded to become central to communication, commerce, and all the myriad of ways that we now depend on the Internet.


Earlier Battles

Crypto played an important role in World War II. From then on, many governments regulated the export of crypto on national security grounds. Treating crypto as munitions, several governments introduced controls like export licences. There were also other efforts to control crypto, such as the 1976 weakening of IBM’s Data Encryption Standard (DES) by the National Security Agency (NSA) before the National Bureau of Standards allowed it to become a government-approved standard.


The Internet created a need for individuals and businesses to use crypto, as well as the means to distribute information on crypto quickly and cheaply. Phil Zimmermann’s PGP in 1991 allowed everyday people to encrypt their email and data. The growth of electronic commerce created additional pressure, such as the need to protect credit card transactions online using public key crypto.


In the US, some defining moments of the first crypto battle occurred with the cases Junger v. Daley and Bernstein v. United States which established that crypto software could be published online, protected by the First Amendment as free speech.


The Clinton administration tried to get the industry to adopt the Clipper chip, an encryption chip for which the government held a back-door key. When this failed, the administration tried to introduce key escrow, a policy that required all encryption systems to leave a spare key with a ‘trusted third party’ that would hand it over to the FBI on demand.


The willingness of some to risk and resist prosecution as well as the growing availability of crypto software outside the US led to relaxing of export controls. Some restrictions still exist, even on purely commercial services for the mass market, particularly in countries participating in the Wassenaar Arrangement on dual-use technologies.


Growing Mass Market Use of Crypto

It’s common for commercial products to use crypto, for example with credit cards and DVD content scrambling. What’s relatively new is the conscious, routine use of crypto for communications and data protection by people for themselves: for example, sending emails in crypto-enabled ‘envelopes’ rather than as postcards open for everyone to read. While this technology has existed since the 1990s, so far it has been too hard and inconvenient for everyday use by the average person.


Global concern over governments collecting, storing, and analysing all Internet traffic is growing. New laws are sprouting everywhere, like the UK’s proposed ‘Snooper’s Charter,’ metadata retention for law enforcement agencies in Australia, and an update to lawful interception in New Zealand.


This is leading to a return to the debate of the 1990s and 2000s. In 1997, the then Director of the FBI said:


“Clearly, in today’s world and more so in the future, the ability to encrypt both contemporaneous communications and stored data is a vital component of information security. As is so often the case, however, there is another aspect to the encryption issue that if left unaddressed will have severe public safety and national security ramifications.”


“Uncrackable encryption will allow drug lords, spies, terrorists, and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes.”


The Next Crypto Battle

Exactly the same concerns still drive the continuing war on crypto. Only, this time, the vocabulary has been updated to include words like national security, cyber espionage, and paedophiles.


The FBI is worried about the ‘dark net’ while the German police uses malware to spy on its citizens’ Internet activities. Some governments are worried about decrypting Apple’s iMessage and all user data held on that company’s smartphones and tablets. On the other side, the inventor of PGP is back with Silent Circle while the company that I work for, Mega, provides encryption and decryption invisibly and automatically.


Some of the instruments governments have used in the past, such as export controls and deliberate weakening of crypto, will no longer work. New instruments will undoubtedly be tried. The same arguments and counter-arguments of the 1990s will be debated back and forth.


While it is difficult to predict how this crypto battle will evolve, or the inevitable casualties, one thing is certain: the end result will be the same as in the previous battles, an uneasy truce in which governments accept that they have limited ability to control the crypto used by people and businesses.


That will be a victory for the public good and the Internet’s indispensable role in our daily lives. Until the next crypto battle erupts.
