Friday, September 22, 2017

Tag: Confidentiality

A vulnerability in the Cisco FindIT Network Discovery Utility could allow an authenticated, local attacker to perform a DLL preloading attack, potentially causing a partial impact to device availability, confidentiality, and integrity. The vulnera...
Tesla says the allegations are "without merit."
A vulnerability in the web-based management interface of the Cisco Smart Net Total Care (SNTC) Contracts Details Page could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which...
Sodium bicarbonate is used in a variety of treatments but is inexplicably scarce.
Security threats are constantly evolving, but as Verizon's latest DBIR (Data Breach Investigations Report) shows, the more things change in information security, the more they stay the same. More than half (51 percent) of the data breaches analyzed i...
Confide: "The accusations set forth in the complaint are unfounded and without merit."
Wikileaks’ CIA dump is the biggest secret cache released so far.
It’s embarrassing to the CIA.
It undermines our intelligence efforts.

And it didn’t need to happen. The sad fact is that the world’s computers are not configured securely enough to match the confidentiality of the data they are protecting.

As a society we allow our computers to languish in a state that almost invites attackers to access them—even at the CIA, apparently. That may finally be changing, though remediation has been slow to roll out.
In my view, the tipping point was the Sony hack, which was so embarrassing and costly that it scared execs in a way that the Target, Home Depot, and Office of Management and Budget hacks did not.
Independent assessment of SOC 2 Type 2 compliance demonstrates vendor's continued commitment to protecting customers and their data security. LONDON, February 21, 2017 – NewVoiceMedia, a leading global provider of inside sales and contact centre technology that helps businesses sell more, serve better and grow faster, has successfully completed a Service Organisation Controls (SOC) 2 Type 2 examination based on the trust principles of security, availability and confidentiality.

Accountancy firm PricewaterhouseCoopers (PwC) performed a rigorous audit... Source: RealWire
There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles.
Another shot at spook-proofing e-mail It's taken longer than first expected, but the first fruits of Lavabit founder Ladar Levison's Dark Mail Technical Alliance have landed with the relaunch of the encrypted mail service he closed in 2013. After shuttering Lavabit, Levison joined hands with Silent Circle to form the DMTA and promised Lavabit would flow again in 2014. In 2015, Levison posted a GitHub repository putting forward a protocol to support fully “dark” e-mail: the Dark Internet Mail Environment, or DIME, which has “multiple layers of key management and multiple layers of message encryption”. The Libdime implementation offered both libraries and command line utilities, which is, after all, doing it the hard way: Lavabit Mark II puts that in the hands of users with the also-open-source Magma Webmail server implementation. The Lavabit mail server, Magma first appeared on GitHub in 2016. Levison writes “DIME provides multiple modes of security (Trustful, Cautious, & Paranoid) and is radically different from any other encrypted platform, solving security problems others neglect.

DIME is the only automated, federated, encryption standard designed to work with different service providers while minimising the leakage of metadata without a centralised authority.

DIME is end-to-end secure, yet flexible enough to allow users to continue using their email without a Ph.D. in cryptology.” So what's in the protocol? Let's look at the specification, published here (PDF).

[Figure: DIME's message flow. Image: The Dark Mail Technical Alliance]

You don't get perfect security while you've still got wetware involved.

The DIME document notes that if a user has a weak password or bad endpoint security, all bets are off. Within that constraint, the DMTA says DIME's designed to provide “secure and reliable delivery of email, while providing for message confidentiality, tamper protection, and a dramatic reduction in the leakage of metadata to processing agents encountered along the delivery path”. At the top level, the four components of the system architecture are e-mail clients; privacy processing agents; key stores (with a resolver architecture to retrieve keys, in DIME called “signets”); and the encrypted message objects. To most users, The Register will assume the only new concept here is the privacy processing agent (PPA).

There are two kinds, the organisational PPA, and the user PPA. The Organisation Privacy Agent (OPA) talks to both user e-mail clients and the Internet at large, handling user key management to create “a secure transit channel that hides all information about the message using transport layer security”.
It also “provides access to the envelope information needed for immediate handling.” The User Privacy Agent (UPA) handles user-side crypto functions, and can reside in the user's e-mail client or, in Webmail implementations, on the server. DIME has three modes of operation: Trustful, where the user trusts the server to handle privacy; Cautious, where the server stores and synchs encrypted data, including encrypted copies of private keys and messages, and encryption can be carried out inside a user's browser; and Paranoid, where the server never sees a user's keys, there's no Webmail, and if you want to use multiple devices it's up to you to synch them across different keyrings.

In technical terms, that means the system has to automate all aspects of key management; encrypt and sign messages without a user having to learn how to run it; and resist manipulation (including, ideally, even if a client is compromised). The layering of encryption, the standard says, is designed to protect messages even if (for example) a server along the way is compromised. DIME relies on a concept of “signets” for keys: organisational signets, which are keys associated with a domain; and user signets, the key associated with an individual e-mail address. “The basic validation model is to obtain a signet from a credible primary source and then confirm it with another pre-authenticated source.

The two pre-authenticated sources currently available are a management record signed using DNSSEC or a TLS certificate signed by a recognised Certificate Authority (CA).

Both can be cryptographically traced by a signet resolver back to a trusted key that is shipped with the resolver.” As well as the Webmail version, Lavabit says it wants to develop clients for Windows, Mac OS and iOS, Linux and Android. ®
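The validation model quoted above, a signet taken from a primary source and confirmed by an independent pre-authenticated source that the resolver can trace to a shipped trust anchor, is the part of DIME most worth seeing as code. What follows is an added example written for this page, not DIME's or Lavabit's own code: the signet, attestation and resolver types, the hex fingerprint, and the policy of treating a disagreeing validated source as fatal are all assumptions made here, and a real resolver would parse actual DNS records, TLS certificates and signet objects rather than these constructed stand-ins.

```python
# Added example: a model of two-source signet validation in the style DIME describes.
# Illustrative code written for this page, not DIME's or Lavabit's own; the data
# formats are invented (a real resolver parses DNS records, TLS certs and signets).
import hashlib
from dataclasses import dataclass
from typing import Iterable, Tuple


def fingerprint(pubkey: bytes) -> str:
    """Hex SHA-256 of the raw public key: the value the attestations bind a domain to."""
    return hashlib.sha256(pubkey).hexdigest()


@dataclass(frozen=True)
class Signet:
    """An organisational signet as served by the 'credible primary source' (the domain's OPA)."""
    domain: str
    pubkey: bytes


@dataclass(frozen=True)
class Attestation:
    """What one pre-authenticated source says: 'this domain's signet has this fingerprint'.

    chain_valid records whether the resolver could trace the statement back to the trust
    anchor it ships with (the DNSSEC root key, or a recognised CA's root). A statement
    whose chain does not validate is not pre-authenticated and carries no weight.
    """
    source: str          # "dnssec" (signed management record) or "tls-ca" (CA-signed certificate)
    domain: str
    fingerprint: str
    chain_valid: bool


class SignetResolver:
    """Accepts a signet only when an independent, chain-validated source confirms its fingerprint.

    Policy choices made here (assumptions, not taken from the spec): any chain-validated
    source that disagrees with the signet is fatal, and a signet with no confirming source
    is rejected rather than trusted on the word of the primary source alone.
    """

    def __init__(self, attestations: Iterable[Attestation]) -> None:
        self._attestations = list(attestations)

    def validate(self, signet: Signet) -> Tuple[bool, str]:
        fp = fingerprint(signet.pubkey)
        usable = [a for a in self._attestations
                  if a.domain == signet.domain and a.chain_valid]
        disagreeing = [a.source for a in usable if a.fingerprint != fp]
        if disagreeing:
            return False, "fingerprint contradicted by " + ", ".join(disagreeing)
        confirming = [a.source for a in usable if a.fingerprint == fp]
        if not confirming:
            return False, "no pre-authenticated source confirms the signet"
        return True, "confirmed by " + ", ".join(confirming)


# Constructed sample data (not real keys). GENUINE_KEY is the domain's real organisational
# key; ROGUE_KEY is what an attacker controlling the primary source would serve instead.
GENUINE_KEY = b"example.com organisational public key, genuine"
ROGUE_KEY = b"example.com organisational public key, attacker"
DOMAIN = "example.com"

ATTESTATIONS = [
    Attestation("dnssec", DOMAIN, fingerprint(GENUINE_KEY), chain_valid=True),
    Attestation("tls-ca", DOMAIN, fingerprint(GENUINE_KEY), chain_valid=True),
]

# The same DNS record seen by a resolver whose DNSSEC validation failed (for example an
# unsigned response): the fingerprint it carries is not pre-authenticated and is ignored.
UNVALIDATED_ONLY = [
    Attestation("dnssec", DOMAIN, fingerprint(GENUINE_KEY), chain_valid=False),
]


def run_scenarios() -> dict:
    """Three cases a practitioner wants to see: genuine, substituted key, unusable source."""
    good = SignetResolver(ATTESTATIONS)
    weak = SignetResolver(UNVALIDATED_ONLY)
    return {
        "genuine": good.validate(Signet(DOMAIN, GENUINE_KEY)),
        "substituted": good.validate(Signet(DOMAIN, ROGUE_KEY)),
        "unvalidated_source": weak.validate(Signet(DOMAIN, GENUINE_KEY)),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:>18}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The point of keeping chain_valid separate from the fingerprint is the one the spec makes: a record that merely carries the right value proves nothing unless the resolver can walk it back to a key it already trusts. The substituted-key case shows why the second source matters at all, since a compromised OPA can serve any signet it likes; the unvalidated-source case shows the failure mode where the lookup succeeds but the proof does not, which a resolver must treat as "no confirmation", not as "confirmed".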
Someone's keeping the neckbeards in Doritos Knock knock. Who's there? This Wednesday, officers from the City of London Police's Intellectual Property Crime Unit (PIPCU) trying to get your advertising agency to stop helping pirate sites generate revenue. Eight organisations – from influential brands, through to advertising agencies and ad networks – got a polite visit from the boys in blue this week as part of a multi-agency initiative to get the creative industries to assist in the fight against piracy. Dubbed Operation Creative, the project was launched in 2013, and according to the police it "compromises several tactical options, including placing piracy sites on an Infringing Website List (IWL) which is then shared with advertisers, agencies and other intermediaries so that they can cease advert placement on these illegal websites."

According to the Digital Citizens Alliance, piracy sites generate $227m from advertising alone, and advertisers have become the cops' target in attempting to deconstruct the criminal syndicates behind their operation. During the visits, the companies were "made aware of their involvement in the placement of ads on copyright infringing sites", according to the City of London police, although whether they were at risk of being considered complicit in crime is not clear. The bobbies said that all eight organisations visited were keen to support Operation Creative and have pledged to sign up to the IWL to ensure advert placement from their brand and clients do not appear on the 1,232 websites that it lists.

Since its launch, Operation Creative has claimed to have seen a significant decrease (73 per cent) in advertising from the UK's top ad spending companies to websites involved in online forms of piracy. The City of London police declined to identify those "top ad spending companies" to The Register on confidentiality grounds, nor was it able to explain how much of the market share those companies comprised.

The monetary value of the figure of 73 per cent was also unavailable. Operation Creative's lead officer, Detective Constable Steven Salway, said: "It is important we tackle this issue, not only for brands and businesses' reputation, but for consumers too. When adverts from established brands appear on these sites, they lend them a look of legitimacy.

By working with industry to discourage reputable brands from advertising on piracy sites, we will help consumers realise these sites are neither official nor legal." Director General of FACT, Kieron Sharp, said: "Consumers need to be aware that not only are the criminals behind these websites making substantial amounts of money from adverts, but simply visiting the sites can put the public at risk of malware, viruses and click-through scams." ®
Online messaging services such as WhatsApp, Skype, and Gmail face a crackdown on a "void of protection" that allows them to routinely track the data of EU citizens without regulatory scrutiny—and it could be bad news for ad sales. On Tuesday, officials in Brussels proposed new measures to curb Silicon Valley players who—up until now—have been largely immune from the ePrivacy Directive, which requires telecoms operators to adhere to the rules on the confidentiality of communications and the protection of personal data. As part of its planned overhaul, the European Commission, the executive wing of the European Union, said that it planned to beef up the measures by switching from a directive to a "directly applicable regulation" to ensure that the bloc's 500 million citizens "enjoy the same level of protection for their electronic communications." It claimed that businesses would also benefit from "one single set of rules." Over-The-Top services such as Facebook's WhatsApp and Google's Gmail can all but ignore the EU's existing rules.

The commission said that this needed to change: Important technological and economic developments took place in the market since the last revision of the ePrivacy Directive in 2009.

Consumers and businesses increasingly rely on new Internet-based services enabling inter-personal communications such as Voice over IP, instant messaging, and Web-based e-mail services, instead of traditional communications services... Accordingly, the Directive has not kept pace with technological developments, resulting in a void of protection of communications conveyed through new services. The EC is also planning to kill the heavily ridiculed cookies consent pop-up system.
It said, in an embarrassing—if long overdue—climbdown that users would be given more control to allow or prevent websites from tracking them depending on "privacy risks." Last summer, a big coalition of tech firms lobbied for the cookie law to be scrapped. Under the new proposal, the commission said: "no consent is needed for non-privacy intrusive cookies improving Internet experience (e.g. to remember shopping cart history).

Cookies set by a visited website counting the number of visitors to that website will no longer require consent." But it could also hit the bottom line of Facebook, Google, and chums because tracking consent may be harder to obtain if lots of users reject third party cookies.

The commission said that, following public consultation on the issue, 81.2 percent of citizens agreed that obligations should be imposed on "manufacturers of terminal equipment to market products with privacy-by-default settings activated." It also warned that "additional costs" could hit some Web browser makers because they would be required to develop software with privacy settings built in. The new proposals also call on consent to process electronic communications metadata, such as device location data to allow for the "purposes of granting and maintaining access and connection to the service," the commission said.
It means that telcos "will have more opportunities to use data and provide additional services." Translation: new ways to make more cash. Companies that flout confidentiality of communications rules face fines of up to four percent of their global annual turnover, under the commission's planned e-privacy measures—the same penalty that will be dished out to firms that violate the EU's General Data Protection Regulation, which applies from May 2018. "The European data protection legislation adopted last year sets high standards for the benefit of both EU citizens and companies," said EC justice chief Věra Jourová. "Today we are also setting out our strategy to facilitate international data exchanges in the global digital economy and promote high data protection standards worldwide." But the latest proposals cannot become law until the bloc's 28 member states and the European Parliament agree to wave them through—leaving plenty of wiggle room for industry lobbying. Separately, the commission is seeking views from the public on how to best tackle data mining as part of its Digital Single Market strategy. This post originated on Ars Technica UK