Meta has threatened to pull WhatsApp out of India if the courts try to force it to break its end-to-end encryption.
Category: Encryption
Meta, encompassing Facebook and its subsidiaries, has staunchly advocated the end-to-end encryption safeguarding its messaging platforms, assuring users of protection against government surveillance, individual snooping, or corporate intrusion. However, the allure of highly encrypted messaging services can inadvertently provide sanctuary for criminal activities, thriving under the guise of anonymity these platforms offer.
Graeme Biggar, leading the National Crime Agency, highlighted a concerning shift in perspective regarding these encrypted services, particularly from the standpoint of governments and law enforcement agencies. During a recent gathering in London, approximately 30 European police chiefs voted to advocate for a partial relaxation of encryption protocols, aiming to afford law enforcers sustained access to vital data.
Mr. Biggar articulated his stance, citing the arduous process of obtaining court orders to breach the encrypted communications of individuals or groups. Such procedures, he argued, often consume substantial investigation time, presenting a window of opportunity for criminals engaged in illicit activities such as drug trafficking, human exploitation, homicide, and terrorism.
Contrastingly, companies like Apple Inc. defend their prioritization of customer data security and privacy concerns. By doing so, they aim to foster trust among users, thereby enhancing their market appeal and ultimately bolstering profit margins.
However, the dilemma persists: should companies compromise encryption standards in favor of facilitating law enforcement access? Such concessions could potentially expose private messages to malicious actors, exacerbating security and privacy vulnerabilities.
Law enforcement agencies are not seeking unfettered access to user data; rather, they advocate for lawful access to data generated, stored, and accessed by individuals or entities. This access, they argue, should be expedited, bypassing the cumbersome legal procedures that afford criminals precious time to execute nefarious activities with impunity.
The post Facebook end to end encryption a Boon or a Bane appeared first on Cybersecurity Insiders.
[By Jerry Derrick, Camelot Secure]
Today, encryption is a cornerstone of our cybersecurity practices. It protects everything from cell phones and SMS messages to financial transactions and intellectual property.
However, a new challenge in the complex landscape of encryption has recently emerged, thanks to the advancement of quantum computing. As a provider of award-winning cybersecurity solutions, Camelot has this new quantum computing challenge to encryption squarely in our sights. What challenges lie ahead? Here is the breakdown:
Quantum Computing (QC), invented in the 1970s by David Deutsch, has made significant steps forward in the following decades and has become a viable technology capable of solving complex computational problems. Based on the laws of quantum mechanics, QC is not bound to the restrictions of classical computers, where everything resolves to a 1 or 0. Instead, QC uses “multidimensional computational spaces” to answer nearly impossible questions. It sounds like sci-fi, but it applies to our current computing environment.
Quantum Computing presents a unique challenge to all cybersecurity efforts because it has the potential to break some of the commonly used encryption standards used today.
Organizations use symmetric or asymmetric keys to encrypt their data at rest or in motion. Symmetric cryptography, like the Advanced Encryption Standard (AES), utilizes a single key to encrypt and decrypt data. In contrast, asymmetric cryptography (RSA) uses a public and private key to encrypt and decrypt data. The two types of cryptography differ in the security they provide based on their bit count (AES typically uses 128 or 256 bits, and RSA keys typically use 1024-2048 bits) and the password strength the key creator uses.
Due to QC’s threat to circumvent almost any encryption, in 2022, NIST introduced several new encryption key algorithms to address the inherent risks posed by QC. Because of the increased complexity of the algorithms used to generate the keys, they are considered QC-resistant (QCR). The new encryption keys mitigate the potential impact of Grover’s Algorithm, which can break AES-128 encryption in seconds today, and Shor’s Algorithm, which will eventually be able to break RSA encryption as QC technology advances.
In short, suitable algorithms and encryption standards could protect us from the future of QC hackers. But deploying them is a different matter.
Today’s lack of widespread QC availability makes QCR encryption a non-existent priority for most organizations because no perceived threat would require immediate action. Many companies’ IT and cybersecurity teams are already pushed to the maximum and tend to focus their efforts (and budgets) on decreasing current attack surfaces and clearing out the never-ending stream of alarms.
But that’s no reason to delay action. Complacency yields breaches, especially in cybersecurity. If encryption is not updated to match tomorrow’s threats, what’s to stop malicious actors from decrypting all of the non-QCR data in the future? IBM estimates a 1-in-7 chance that current encryption keys will be breakable by QC as early as 2026, and that chance skyrockets to 1-in-2 in 2031. If today’s data encryption isn’t made QCR shortly, companies could see their information harvested or held ransom, damaging an organization’s reputation and ability to operate.
The best time to upgrade your encryption is before hackers can break it with these new tools—an ounce of prevention is worth a pound of cure, as the saying goes. Part of this prevention is identifying where all essential data resides, how users or systems access it, and the encryption used to protect it. For organizations anticipating the addition of new data sources or applications to their enterprise, part of the planning and encryption selection criteria should include support for QCR encryption. In addition, companies that develop enterprise applications in-house should also update their DevSecOps pipeline to include the integration of QCR encryption to prevent potential issues and rework in the future.
Jerry Derrick is Vice President of Engineering at Camelot Secure. He leads the company’s engineering division and is responsible for the design, development, and sustainment of the Camelot Secure360 platform. Jerry’s responsibilities also include the management of the product roadmap, research and development activities, and ensuring the overall security of the platform and customer data. A cybersecurity engineering veteran of over 20 years, Jerry understands and focuses on the importance of fusing people, processes, and technology to ensure Camelot Secure360 enables organizations to know their environments are secure against the latest threats. Before joining Camelot Secure, he worked at top military and government cybersecurity organizations to develop and deploy tools and capabilities to facilitate the more efficient and effective analysis of cybersecurity data. Jerry graduated from the United States Military Academy with a BS in Computer Science and will graduate with a Master of Liberal Arts, Extension Studies (Information Management Systems), from Harvard University in the Fall of 2023.
The post Will Quantum Computing Change the Way We Use Encryption? appeared first on Cybersecurity Insiders.
It’s yet another hardware side-channel attack:
The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.
[…]
The breakthrough of the new research is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers”—meaning the reading of data and leaking it through a side channel—is a flagrant violation of the constant-time paradigm.
[…]
The attack, which the researchers have named GoFetch, uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on a macOS system. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—even when on separate cores within that cluster—GoFetch can mine enough secrets to leak a secret key.
The attack works against both classical encryption algorithms and a newer generation of encryption that has been hardened to withstand anticipated attacks from quantum computers. The GoFetch app requires less than an hour to extract a 2048-bit RSA key and a little over two hours to extract a 2048-bit Diffie-Hellman key. The attack takes 54 minutes to extract the material required to assemble a Kyber-512 key and about 10 hours for a Dilithium-2 key, not counting offline time needed to process the raw data.
The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts. As it’s doing this, it extracts the app secret key that it uses to perform these cryptographic operations. This mechanism means the targeted app need not perform any cryptographic operations on its own during the collection period.
Note that exploiting the vulnerability requires running a malicious app on the target computer. So it could be worse. On the other hand, like many of these hardware side-channel attacks, it’s not possible to patch.
Slashdot thread.
[By Rebecca Krauthamer Chief Product Officer and Co-Founder of QuSecure; and Michelle Karlsberg, QuSecure Fellow]
Imagine a labyrinth, continuously twisting and turning, morphing its layout so just when you think you’ve identified a safe path, the landscape shifts. Navigating it would be a Herculean task. Welcome to the new world of cybersecurity – an ever-changing, intricate maze where new threats lurk around every corner. The biggest challenges of this digital labyrinth stem from the rise of intelligent technologies. Online hackers are our modern-day Hydra (Hydra was a many-headed monster in Greek mythology that was slain by Hercules, whose head when cut off was replaced by two others), and cutting-edge cyberattacks are their weapon of choice.
The wave that is cresting today is artificial intelligence, and right behind it is quantum computing. But these new technologies are not all evil. On the one hand, they lead to an age of unprecedented technological capabilities and advancements. On the other hand, they can be used to create brand-new threats, introducing vulnerabilities previously unimagined, leaving our current cybersecurity systems defenseless. As these threats continue to rise, one thing is clear: Our approach to cybersecurity must evolve. It’s time that we equip ourselves with advanced defenses to match these advanced threats. Organizations need to arm themselves with AI and quantum-resilient shields.
Artificial Intelligence and Advanced Threats
There is no limit to the new vulnerabilities that arise from AI and quantum computing. With each innovation and advancement, Pandora’s Box opens wider, unleashing a swarm of cryptographic threats.
One imminent threat is AI-based malware attacks. In a project to understand emerging cybersecurity threats, IBM Research developed DeepLocker in 2018. DeepLocker blends AI and traditional malware – foreseeing a dangerous threat on the horizon. According to IBM, “This AI-powered malware is particularly dangerous because, like nation-state malware, it could infect millions of systems without being detected. But, unlike nation-state malware, it is feasible in the civilian and commercial realms.” DeepLocker showed us the potential for a dangerous combination of AI and malware even back five years ago, highlighting the urgency for new, robust, and agile defenses.
Fast forward to 2023, generative AI has hit the scene and naturally hackers are already using this new technology for attacks. Today, cybercriminals are using ChatGPT and other large language models to make phishing emails and code malware. Check Point Research has found that, “Cyber criminals are working their way around ChatGPT’s restrictions and there is an active chatter in the underground forums disclosing how to use OpenAI API to bypass ChatGPT’s barriers and limitations.”
As we speed into the age of artificial intelligence, it’s clear that our current cybersecurity methods will not keep up. It is critical to continuously develop our defenses and remain agile to combat these emerging threats.
The Shield of Cryptographic Agility
In our ever-evolving digital labyrinth, cryptographic agility – cryptoagility for short – is a crucial defense mechanism. It gives us the capability to rapidly modify the use of cryptographic algorithms and keys, a necessary action to stay ahead of future evolving cybersecurity threats.
An example of the need for cryptoagility can be drawn from the 2014 Heartbleed Bug attacks. The bug revealed a crucial weakness, allowing attackers to read the memory of thousands of systems and steal valuable information. The companies that managed to recover quickly were those that demonstrated cryptoagility, swiftly replacing their compromised cryptographic keys and algorithms with new secure ones. This incident serves as a clear example of the importance of cryptoagility in our ongoing battle against dynamic cybersecurity threats.
Although the Heartbleed Bug has been solved, there is always a new threat on the horizon. Today, quantum is that threat that can break through all our defenses. Before all is lost, we must adopt cryptoagility to defend ourselves, available in today’s leading post-quantum cryptography (PQC) solutions. Evidence of the impending threat of quantum computing is already here, especially with techniques such as Store Now, Decrypt Later (SNDL) already in play. SNDL is a method in which encrypted data is stolen and stored until hackers can decrypt it later with a quantum computer. This signifies a looming threat. Data encrypted by today’s standards, but stored for future decryption, will be at risk since quantum computers will eventually break today’s encryption methods. Hence, SNDL is a ticking time bomb and a stark reminder of the urgency to upgrade our encryption methods to be quantum-safe. The PQC approach addresses the need for cryptoagility. With vulnerabilities such as SNDL presenting a clear and present danger, the time is now for a quantum-leap in our cryptography.
As we navigate the challenges of an emerging quantum ecosystem, using agile quantum-resilient PQC solutions is our best approach. Such agility is not just about defending against threats but also about the capability to adapt and evolve in the quantum landscape.
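The key and algorithm swap described in this section, sketched as an added example that is not code from the article or from any PQC product. It uses keyed integrity tags (HMAC) from the Python standard library rather than encryption or post-quantum algorithms; the `KeyRing` class, key IDs and envelope format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Algorithm registry: supporting a new algorithm means adding one entry here.
ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}


@dataclass
class KeyRing:
    """Hypothetical key ring: every tag records which key and algorithm made it."""
    keys: dict = field(default_factory=dict)    # key_id -> (algorithm, key bytes)
    active: str = ""                            # key_id used for new tags
    retired: set = field(default_factory=set)   # key_ids that are no longer trusted

    def add_key(self, key_id: str, alg: str) -> None:
        """Generate a fresh key for `alg` and make it the active one."""
        if alg not in ALGORITHMS:
            raise ValueError(f"unknown algorithm: {alg}")
        self.keys[key_id] = (alg, secrets.token_bytes(32))
        self.active = key_id

    def retire(self, key_id: str) -> None:
        """Stop trusting a key, for example after a suspected compromise."""
        if key_id == self.active:
            raise ValueError("activate a replacement key before retiring this one")
        self.retired.add(key_id)

    def protect(self, message: bytes) -> str:
        """Tag a message with the active key; envelope is key_id.alg.tag."""
        alg, key = self.keys[self.active]
        tag = hmac.new(key, message, ALGORITHMS[alg]).hexdigest()
        return f"{self.active}.{alg}.{tag}"

    def verify(self, message: bytes, envelope: str) -> bool:
        try:
            key_id, alg, tag = envelope.split(".")
        except ValueError:
            return False
        entry = self.keys.get(key_id)
        if entry is None or key_id in self.retired:
            return False
        key_alg, key = entry
        # The algorithm is decided by the key ring, never by the envelope
        # header, so a rewritten header cannot force a downgrade.
        if alg != key_alg:
            return False
        expected = hmac.new(key, message, ALGORITHMS[key_alg]).hexdigest()
        return hmac.compare_digest(expected.encode(), tag.encode())

    def needs_reprotect(self, envelope: str) -> bool:
        """True when stored data still carries a tag from a non-active key."""
        return envelope.split(".")[0] != self.active


if __name__ == "__main__":
    ring = KeyRing()
    ring.add_key("k1", "hmac-sha256")
    old = ring.protect(b"constructed sample record")
    ring.add_key("k2", "hmac-sha3-256")        # swap algorithm and key together
    print("old tag valid during migration:", ring.verify(b"constructed sample record", old))
    print("old tag flagged for re-tagging:", ring.needs_reprotect(old))
    ring.retire("k1")
    print("old tag valid after retirement:", ring.verify(b"constructed sample record", old))
```

Because each envelope names its key and algorithm, replacing either one is a key ring change and a re-tagging pass over stored data, not a change to every caller.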
The Future of Cybersecurity: AI-Powered Cryptoagility
As cybersecurity threats evolve and become increasingly advanced, it’s critical to not just keep pace but stay one step ahead. Looking to the future of cybersecurity, it’s clear that the integration of artificial intelligence and cryptoagility will play a pivotal role in our defense. This combination brings a proactive and dynamic approach to combatting the rising threats posed by AI and the emerging threats of quantum computing.
One way to integrate AI and cryptoagility is through threat detection. This is done using machine learning models to identify patterns in threat behavior, thus enabling a faster and more accurate response to cyberattacks. Furthermore, these AI models can predict future attacks by extrapolating patterns from past data, allowing preemptive measures to be taken. Such a system learns from every attack it counters, continually improving its models and becoming more efficient at predicting, detecting, and countering threats. Then cryptographic keys and algorithms can be automatically updated and swapped out the moment a potential threat is predicted or detected.
AI and cryptoagility together are a continuously evolving defense mechanism that learns and grows stronger with each passing moment. The future of cryptoagility will look vastly different from today’s relatively manual processes. AI-powered cryptoagility could become a real-time, proactive and adaptive process, not a reactive one.
As we stand on the verge of the AI and quantum age, it’s clear that the digital labyrinth will only become more complex and unpredictable, with formidable digital threats akin to the many-headed Hydra or the cunning Minotaur of ancient Greek myths. We must use AI and cryptoagility to our advantage, leveraging them in the battle against cyber threats.
Today’s cybersecurity leaders are the vanguards tasked with safeguarding our most invaluable digital asset – data. By wholeheartedly adopting crypto-agile post-quantum cryptography (PQC) to defend against quantum computing cyberthreats, these leaders are not merely defending our data. They’re pioneering a resilient digital future, ushering in a cutting-edge era of cybersecurity capable of countering any threat and adeptly navigating the intricate corridors of the digital security labyrinth.
The post Navigating the Labyrinth of Digital Cyberthreats Using AI-Powered Cryptographic Agility appeared first on Cybersecurity Insiders.
Apple announced PQ3, its post-quantum encryption standard based on the Kyber secure key-encapsulation protocol, one of the post-quantum algorithms selected by NIST in 2022.
There’s a lot of detail in the Apple blog post, and more in Douglas Stebila’s security analysis.
I am of two minds about this. On the one hand, it’s probably premature to switch to any particular post-quantum algorithms. The mathematics of cryptanalysis for these lattice and other systems is still rapidly evolving, and we’re likely to break more of them—and learn a lot in the process—over the coming few years. But if you’re going to make the switch, this is an excellent choice. And Apple’s ability to do this so efficiently speaks well about its algorithmic agility, which is probably more important than its particular cryptographic design. And it is probably about the right time to worry about, and defend against, attackers who are storing encrypted messages in hopes of breaking them later on future quantum computers.
The European Court of Human Rights has ruled that breaking end-to-end encryption by adding backdoors violates human rights:
Seemingly most critically, the [Russian] government told the ECHR that any intrusion on private lives resulting from decrypting messages was “necessary” to combat terrorism in a democratic society. To back up this claim, the government pointed to a 2017 terrorist attack that was “coordinated from abroad through secret chats via Telegram.” The government claimed that a second terrorist attack that year was prevented after the government discovered it was being coordinated through Telegram chats.
However, privacy advocates backed up Telegram’s claims that the messaging services couldn’t technically build a backdoor for governments without impacting all its users. They also argued that the threat of mass surveillance could be enough to infringe on human rights. The European Information Society Institute (EISI) and Privacy International told the ECHR that even if governments never used required disclosures to mass surveil citizens, it could have a chilling effect on users’ speech or prompt service providers to issue radical software updates weakening encryption for all users.
In the end, the ECHR concluded that the Telegram user’s rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram’s position that complying with the FSB’s disclosure order would force changes impacting all its users.
The “confidentiality of communications is an essential element of the right to respect for private life and correspondence,” the ECHR’s ruling said. Thus, requiring messages to be decrypted by law enforcement “cannot be regarded as necessary in a democratic society.”
In the realm of cybersecurity, understanding the nuances between hashing, salting, and encryption is crucial for safeguarding sensitive data. Each method serves a distinct purpose in protecting information, and grasping their disparities is essential for implementing robust security measures.
Hashing: The Digital Fingerprint
Hashing is a one-way process that transforms input data into a fixed-size string of characters, often referred to as a hash value or digest. The key characteristic of hashing is its irreversibility—once data is hashed, it cannot be reversed to retrieve the original information. This makes hashing ideal for password storage, as even if the hash is compromised, the original password remains secure.
Common hashing algorithms include MD5, SHA-256, and bcrypt. However, due to vulnerabilities in older algorithms like MD5, contemporary applications lean towards more secure options like SHA-256.
Salting: Adding a Pinch of Security
While hashing provides a strong defense against data breaches, it is not immune to attacks like rainbow table attacks, where precomputed tables of hash values are used to crack passwords. This is where salting comes into play.
Salting involves adding a unique random value (the salt) to each piece of data before hashing. The salt ensures that even if two users have the same password, their hashed values will be different due to the unique salt. This fortifies the security of hashed passwords, making them resistant to precomputed attacks.
Encryption: The Secure Communication Channel
Encryption, unlike hashing and salting, is a two-way process that involves transforming data into a cipher using a specific algorithm and a key. The key is required to decrypt the data back to its original form. Encryption is commonly used to secure data during transmission, such as in online transactions or communication.
There are two primary types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key for both encryption and decryption, while asymmetric encryption employs a pair of public and private keys. Public keys are used for encryption, and private keys for decryption.
In conclusion, hashing, salting, and encryption play distinct roles in fortifying data security. Hashing creates irreversible fingerprints for data, salting adds an extra layer of uniqueness to hashed values, and encryption safeguards data during transmission. Implementing a combination of these techniques provides a robust defense against various cybersecurity threats, ensuring the confidentiality and integrity of sensitive information.
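The hashing and salting steps described above, shown together as an added example that is not part of the original article. It contrasts an unsalted SHA-256 digest with a salted record built with PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, record format and sample passwords are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000

# Constructed sample list standing in for a precomputed (rainbow-style) table.
COMMON_PASSWORDS = ["123456", "password", "letmein"]


def unsalted_sha256(password: str) -> str:
    """Plain one-way hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(digest_hex: str) -> Optional[str]:
    """Return the password if its digest appears in the precomputed table."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt, then hash; store scheme, cost, salt and digest in one record."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except (ValueError, OverflowError):  # malformed record
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two users who picked the same (constructed) password.
    alice = hash_password("letmein")
    bob = hash_password("letmein")
    print("unsalted digest found in table:",
          lookup_precomputed(unsalted_sha256("letmein")))
    print("salted records differ:", alice != bob)
    print("salted digest found in table:",
          lookup_precomputed(alice.split("$")[-1]))
    print("correct password verifies:", verify_password("letmein", alice))
```

The salt is stored in the clear next to the digest: its job is to make every record unique, not to be secret.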
The post Unraveling the Differences: Hashing, Salting, and Encryption Explained appeared first on Cybersecurity Insiders.
In an era where data is the lifeblood of businesses, safeguarding sensitive information has become paramount. Cybersecurity lapses have historically been a cause of data breaches, but a recent study sheds light on a new dimension of vulnerability – the lack of encryption. The Operationalizing Encryption and Key Management study, conducted by Fortanix Inc., reveals crucial insights into the state of data protection and encryption adoption.
The Study’s Key Findings:
Fortanix Inc. conducted a comprehensive study involving responses from over 400 IT professionals, compliance officers, and developers in the United States and Canada. The study emphasizes the necessity of encrypting data at rest, in motion, and while in use. While the survey indicates that encoding data does enhance overall security, it unveils a significant obstacle: a lack of awareness and understanding among respondents.
Challenges Faced:
One notable challenge highlighted by the study is that many respondents were unaware of the encryption process in compliance with prevailing information security laws. Budget constraints further compounded the issue, making it difficult for organizations to allocate resources to fulfill staffing needs dedicated to encryption implementation.
Moreover, in-house staff often lacked the necessary knowledge and expertise, resulting in complex management processes, confusion, and difficulties in adhering to security protocols. These challenges, in turn, led to an increased risk of data loss incidents.
Types of Encryption:
To bridge the awareness gap, it is crucial to understand the basics of encryption. There are two primary types: symmetric and asymmetric encryption. In symmetric encryption, a single key is used for both encryption and decryption. On the other hand, asymmetric encryption involves the use of different keys for encrypting and decrypting data, enhancing security through a more complex process.
The Way Forward:
The study underscores the importance of awareness and education in promoting the adoption of encryption practices. Companies that consider data as a critical asset must take the lead in implementing robust encryption measures. Convincing leadership and staff to allocate budgetary resources for safeguarding data at rest, in motion, and during access is essential for building a resilient security framework.
Conclusion:
As the digital landscape evolves, so do the threats to data security. The Fortanix study serves as a wake-up call for organizations to prioritize encryption as a fundamental pillar of their cybersecurity strategy. By addressing the challenges highlighted in the study and fostering awareness about encryption processes, businesses can fortify their defenses against data breaches and protect their most valuable asset – information.
The post Sensitive data loss is due to lack of encryption appeared first on Cybersecurity Insiders.