Symantec warns encryption and privacy are not the same


“Encryption and privacy is not the same thing,” said Nick Savvides, Symantec APAC cybersecurity strategy manager.

Encryption is a privacy “enhancing tool”, Savvides went on to explain, while privacy is more about handling what information is collected, how the collected information is handled, and what other data can be derived from it. The two are often confused because they are related: Encryption is used to maintain privacy.

Savvides said that unfortunately most websites do not use encryption, citing the company’s most recent Internet Security Threat Report, which found that 97 percent of active websites lack even basic security and 75 percent have unpatched vulnerabilities, 16 percent of those critical.

Meanwhile, the remaining 3 percent of active websites with security are banks and corporate businesses, according to Savvides.

He said the IT security community often blames “lazy” users for the lack of encryption. However, he said the real hindrance is the complexity that is involved with encryption, and it’s often something that users expect to be provided with.

“They don’t do [encryption] because it’s hard; they only do it when they absolutely have to,” he said.

He pointed out that iMessage, Apple’s built-in instant messaging service, and more recently the mobile messaging app WhatsApp, are two examples where end-to-end encryption is provided by default rather than something users have to actively seek out.

In turn, the security company has extended its partnership program, Encryption Everywhere, to Australia; it is already live in North America and Europe. The program falls under Symantec’s stated goal of 100 percent encryption for all websites globally by 2018.

Under the Encryption Everywhere program, Symantec has initially partnered with WHMCS and cPanel to hand out domain-validated (DV) TLS/SSL certificates for free, before moving to a multi-tier paid model. A DV certificate attests only that the applicant controls the domain name, not who operates the site; it gives the visitor an encrypted channel, not an identity check.

“We’d like to see broader base encryption utilised across the world, across the internet. Whether it’s ours or somebody else’s, we’d like to see it adopted because it will make the internet a safer place, free from prying eyes,” Savvides said.

Survey findings from Norton by Symantec released on Tuesday indicated that online threats will not be slowing, particularly with the proliferation of the Internet of Things.

The survey showed that while almost two thirds of Australians use at least one mobile app to manage their finances or control other connected devices, 66 percent do not have security software on their smartphones, and 33 percent choose not to have a password or PIN on these devices.

Despite this, 61 percent of Australians admitted that they would be upset if their financial information was compromised.

According to Mark Gorrie, Norton by Symantec APAC director, as the smartphone becomes a central control hub and a “gateway” to other devices, the onus is on both the vendor and the user to ensure security is top of mind. Gorrie, however, pointed out that historically, vendors have always seen security as an afterthought, but indicated that it has improved more recently.

“Vendors should be taking [it] seriously because it is such a big issue. We see the threats just keep growing every year, and just won’t give up because it’s a profitable business for a lot of people. There is definitely a responsibility security should rank highly on the devices vendors are releasing, but equally people have to be proactive to help themselves,” he said.

Paris attacks reignite debate over encryption, surveillance and privacy


WASHINGTON — Friday’s terrorist attacks in Paris have revived the debate over whether U.S. tech companies should be required to build “backdoors” into encrypted phones, apps and Internet sites to let law enforcement conduct surveillance of suspected terrorists.

There has been widespread speculation among law enforcement authorities and the media that the Islamic State terrorists who attacked Paris were using some kind of encryption technology to communicate. However, American and French authorities have said there is no hard evidence to back up that assumption.

Still, the possibility has been enough to renew criticism of commercial encryption, putting pressure on U.S. companies that are increasingly using the technology to thwart hackers and reassure customers that their data will be kept private.

“When individuals choose to move from open means of communication to those that are encrypted, it can cause a disruption in our ability to use lawful legal process to intercept those communications and does give us concern about being able to gather the evidence that we need to continue in our mission for the protection of the American people,” Attorney General Loretta Lynch told the House Judiciary Committee Tuesday.

Lynch said the FBI and other Justice Department agencies work with Internet providers to try to find a way to enforce court orders to conduct surveillance of suspected terrorists. However, companies are increasingly employing encryption that even they cannot break to access their customers’ data.

In those cases, federal agents use other types of surveillance and intelligence-gathering tools, Lynch said.

“But it (encryption) does cause us the loss of a very valuable source of information,” she told the committee.

Despite strong criticism of encryption by the FBI, the White House announced in October that it would not seek legislation to force U.S. tech companies to build backdoors to let law enforcement get around the technology to access people’s messages and other information.

National Encryption Policy: Not just privacy, but also feasibility and security are at risk


Encryption governs not just communications but also storage. When data is in motion, a number of methods and protocols provide encryption in transit (not all of them end-to-end: a VPN or SSH session, for instance, protects only the hop between the two endpoints it connects):

1. VPN

2. Remote Server Connectivity viz. RDP, SSH

3. Internet based Voice/ Messaging Communications

4. email communication

5. Communications between Wearables and their Host devices

6. Web-Services providing encryption services viz. Etherpad, Gist

However, when it concerns data at rest, i.e. data stored on disk, there are numerous scenarios which fall under the purview of encryption:

1. On-the-fly disk encryption, which may also cover the entire OS

2. Password protection of files

3. Email message encryption

4. Full-disk encryption on smartphones

Recently, the Government of India released a draft National Encryption Policy and withdrew it within 24 hours, with a promise that the policy will be re-drafted and re-released.

In those 24 hours, those involved in IT security within the Indian internet security community took up the cause of protecting user privacy, reprimanding the government for an ill-conceived draft. Their efforts forced the government to revoke the draft proposal and contemplate a better one.

According to the draft, the B2B, B2C and C2B sectors shall use encryption algorithms and key sizes as prescribed by the government; moreover, the draft states:

“On demand, the user shall be able to reproduce the same Plain text and encrypted text pairs using the software/ hardware used to produce the encrypted text from the given plain text. Such plain text information shall be stored by the user/ organization/ agency for 90 days from the date of transaction and made available to Law Enforcement Agencies as and when demanded in line with the provisions of the laws of the country.”

Furthermore, the draft also issued guidelines for communication with foreign entities: “the primary responsibility of providing readable plain-text along with the corresponding Encrypted information shall rest on entity (B or C) located in India.”

The draft policy requires service providers, irrespective of their country of origin, to enter into an agreement with the Government of India, and the consumers of these services (government, business and citizens) are expected to provide the plain-text/encrypted datasets.

The question is not why, but how it would be technically feasible for a customer to maintain this information, given that encryption was used precisely to keep the data away from rogue entities. Storing plaintext for any period defeats the purpose of encrypting it, leaving only the consolation that the transmission channel was secured. The draft sets expectations that are impossible to meet: every citizen and organisation, whatever their field of expertise, would need to understand the internal workings of the third-party applications they use and, at the same time, know how to maintain the two separate data-sets.

Furthermore, the draft also requires anything encrypted by an individual, be it personal documents or communication between two individuals (which the rest of the world considers a private affair), to be made available for scrutiny on demand.

Expecting a consumer of various services, whether an organisation or an individual, to understand the internal functionality of every service and piece of software and to make a conscious decision to maintain two separate data-sets is simply not feasible.
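As an added illustration (not part of the original article), the following Python sketch shows why “reproduce the same plain text and encrypted text pairs on demand” is a key-management demand rather than a matter of diligence, and why a retained pair is itself sensitive material. It uses a stand-in stream cipher built from HMAC-SHA256 in counter mode, because Python’s standard library has no AES; AES-CTR, AES-GCM and ChaCha20 behave the same way with respect to nonces. The key, nonce and messages are constructed for the example.

```python
"""Added example: randomised encryption vs. the draft policy's
'reproduce the plaintext/ciphertext pair on demand' requirement.

Stand-in cipher: HMAC-SHA256 in counter mode as a keystream generator
(no AES in the Python standard library). Real AES-CTR/GCM and ChaCha20
share the property demonstrated: ciphertext depends on a per-message
nonce, and plaintext XOR ciphertext reveals the keystream for that nonce.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes, block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce=None):
    """Randomised encryption: a fresh 16-byte nonce per message unless one is
    supplied. Returns (nonce, ciphertext); the nonce travels with the message."""
    if nonce is None:
        nonce = os.urandom(16)
    return nonce, xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def reproduction_is_deterministic(key: bytes, plaintext: bytes) -> bool:
    """Encrypt the same plaintext twice under the same key. With a fresh nonce
    each time the ciphertexts differ, so the 'same encrypted text' cannot be
    reproduced later from the archived plaintext alone."""
    _, c1 = encrypt(key, plaintext)
    _, c2 = encrypt(key, plaintext)
    return c1 == c2


def reproduce_with_retained_material(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Reproduction only works if the key AND the nonce were retained alongside
    the plaintext, i.e. the user must archive secret key material for 90 days."""
    return encrypt(key, plaintext, nonce)[1]


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """A handed-over (plaintext, ciphertext) pair is key material: it yields
    the keystream for that nonce directly."""
    return xor_bytes(plaintext, ciphertext)


def decrypt_other_message_with_pair(key: bytes, nonce: bytes,
                                    known_pt: bytes, other_pt: bytes) -> bytes:
    """If the same nonce is ever reused (a common implementation bug), the
    keystream learned from one archived pair decrypts a different message
    without the key. Only the prefix covered by the known pair is recovered."""
    _, known_ct = encrypt(key, known_pt, nonce)
    _, other_ct = encrypt(key, other_pt, nonce)
    return xor_bytes(other_ct, recover_keystream(known_pt, known_ct))


if __name__ == "__main__":
    key = os.urandom(32)                      # constructed for the example
    msg = b"constructed sample transaction"
    print("same ciphertext twice?", reproduction_is_deterministic(key, msg))
    nonce, ct = encrypt(key, msg)
    print("reproducible with key+nonce?",
          reproduce_with_retained_material(key, nonce, msg) == ct)
```

The practical reading: to comply, a user would have to archive not only the plaintext but the session keys and nonces of every message (TLS and most messaging apps discard these deliberately, for forward secrecy), and every archived pair handed to a third party is as sensitive as the key for that message.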

Even though the government issued a clarification that the draft would not apply to:

1. Mass-use encryption products currently used in web applications, social media sites and social media applications such as WhatsApp, Facebook, Twitter etc.

2. SSL/TLS encryption products used in Internet banking and payment gateways, as directed by the Reserve Bank of India

3. SSL/TLS encryption products used for e-commerce and password-based transactions

It still raises quite a few eyebrows, especially about the intention behind the drafting of this National Encryption Policy. Not just privacy, but also feasibility and security are at risk.

The argument so far has been about data that resides on disk; applying the same standards to encrypted communication channels and services, one word summarises it: impossible. Encryption over the network, such as VPN or SSH, and cloud-based services of any type, which have lately made inroads into our lives, would be rendered useless and their very existence in India put at risk, not just because all of them would have to enter into an agreement with the Government of India, but because the consumers of these services would also have to maintain a separate copy of the content.

Applications and service providers offering secure messaging, i.e. encrypted voice channels or self-destructing messages, in order to provide better privacy and discourage eavesdropping, would in all probability be banned or have to remove these features to cater to the Indian audience. Over and above that, how do the policy-makers expect consumers to comply?

What happens when a person from a different country uses these services in India? Would this person not be violating Indian law and in all probability be considered a criminal?

The draft also requires all stakeholders to use symmetric encryption products with the AES, Triple DES and RC4 algorithms and key sizes of up to 256 bits.

Of these, only AES is defensible, and even it should not be frozen by policy: the 2011 biclique attack by researchers at Microsoft Research and academic partners shaved only a couple of bits off AES’s security level and is nowhere near practical, but a policy that names specific algorithms cannot keep pace with cryptanalysis. Triple DES is considered weak (its 64-bit block size alone limits how much data can safely be encrypted under one key), and RC4, whose keystream has well-known statistical biases, is simply not acceptable as an encryption algorithm to any organisation. Naming ageing algorithms and capping key sizes at 256 bits is not how organisations draw up their own encryption policies.

In this age of competition, organisations have trade secrets to guard, not just from competitors but also from rogue governments. A weakened encryption scheme together with mandatory storage of encrypted data in plaintext form is nothing less than hara-kiri for these organisations. Moreover, the draft expects software and hardware vendors to agree to these encryption restrictions, thereby weakening the overall security of India’s IT infrastructure.

A National Encryption Policy should be about setting minimum encryption standards for data protection, and penalising organisations and institutions that fail to implement strong encryption and to protect data from pilferage and leakage.

Encryption policy has always had a direct impact on the privacy of the individual, and when encryption is used by corporations and organisations it affects their business and trade secrets; hence the Government should also consider ways of implementing and strengthening the currently non-existent privacy laws.

As we have been promised that the policy would be re-drafted, let us keep our fingers crossed and hope that better sense prevails.

Jeb Bush: encryption makes it too hard to catch “evildoers”


Bush, the former governor of Florida, said Tuesday that encryption “makes it harder for the American government to do its job.”

That job would be, according to Bush, “making sure that evildoers aren’t in our midst,” echoing a phrase frequently used by his brother President George W. Bush to describe the threat of radical Islamic terrorism.

If you create encryption, it makes it harder for the American government to do its job – while protecting civil liberties – to make sure that evildoers aren’t in our midst.

Governor Bush’s comments were delivered at a forum hosted by Americans for Peace, Prosperity and Security (APPS), a lobbyist group with close ties to military contractors that is pushing presidential candidates to adopt “hawkish positions,” according to The Intercept.

(APPS’s advisory board includes members of what you might call the National Security establishment – including a former national security advisor to George W. Bush and a former CEO of BAE Systems. Its honorary chair is Mike Rogers, formerly the chairman of the US Congress’s Permanent Select Committee on Intelligence.)

Bush also advocated for wide latitude for the NSA to continue collecting phone metadata, although the NSA’s surveillance powers over Americans have been curtailed by Congress.

There’s “no evidence” that the NSA abused its powers or infringed on civil liberties of Americans, Bush said.

In fact, Bush said, in the clash of surveillance and civil liberties, “the balance has actually gone the wrong way” – meaning that civil liberties have too much weight.

There’s a place to find common ground between personal civil liberties and NSA doing its job. I think the balance has actually gone the wrong way.

While some US officials have advocated for technology companies to give law enforcement backdoors to read encrypted data, many security experts and tech companies say such a move would jeopardize security for everyone.

Others have pushed for some sort of middle ground, such as splitting an encryption key into parts held by several agencies or companies, so that no single holder can decrypt on its own.

Bush falls into this middle ground category, saying at the APPS forum that Silicon Valley companies (like Google and Apple) should cooperate with the government.

We need to find a new arrangement with Silicon Valley in this regard because I think this is a very dangerous kind of situation.
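As an added example (not from the article or any of the parties it quotes), here is the mechanism the “multi-part key” proposal relies on, Shamir secret sharing, in Python: a key is split into n shares so that any k of them reconstruct it and fewer reveal nothing about it. The 32-byte key, the share counts and the field prime are constructed for the example. The caveat a practitioner would raise is visible in `recover_secret`: whoever assembles k shares holds the complete key from then on, so the quorum is enforced by procedure rather than by mathematics, and each share-holder becomes a target for compromise or compulsion.

```python
"""Added example: Shamir (k-of-n) secret sharing of an encryption key.

A random polynomial of degree k-1 over GF(P) has the secret as its constant
term; shares are points (x, f(x)). Any k points interpolate f(0); k-1 points
are consistent with every possible secret. P = 2**521 - 1 (a Mersenne prime)
so that a 32-byte key fits comfortably as a field element.
"""
import secrets

P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, n: int, k: int):
    """Return n shares (x, y) of `secret`; any k of them reconstruct it."""
    if not (0 <= secret < P and 1 <= k <= n):
        raise ValueError("secret out of range or bad (n, k)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0.

    With fewer than k shares this returns a value unrelated to the secret.
    NOTE: the party running this ends up holding the whole key; nothing in
    the mathematics stops it from keeping or reusing it afterwards.
    """
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * xm % P
                den = den * (xm - xj) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return total


def key_to_shares(key: bytes, n: int, k: int):
    """Split a raw key (up to 65 bytes) into n shares with threshold k."""
    return split_secret(int.from_bytes(key, "big"), n, k)


def shares_to_key(shares, key_len: int) -> bytes:
    """Reassemble a key of `key_len` bytes from at least k shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed for the example
    secret = int.from_bytes(key, "big")
    shares = key_to_shares(key, n=5, k=3)    # e.g. vendor, two agencies, two courts
    print(shares_to_key(shares[:3], 32) == key)                      # True
    print(shares_to_key([shares[0], shares[4], shares[2]], 32) == key)  # True
    print(recover_secret(shares[:2]) == secret)                       # False
```

Note that the scheme protects the key only while it is split: the reconstructed key is a single secret again, and the data encrypted under it is readable by whoever assembled the quorum, which is the point security experts make when they say such a middle ground still creates a concentrated target.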

In response to Bush’s comments, some in tech and media suggested that Bush doesn’t really understand encryption.

Andrew Wooster, co-founder of a Seattle mobile software company, tweeted his response.


The presidential politics of cybersecurity

As the 2016 US presidential election contest has heated up this summer, we’re reminded that cybersecurity isn’t just about technology, it’s also about policy – and that makes it highly political.

It’s still quite early in the election cycle, but cyber issues have taken up a good bit of the debate so far.

At a 6 August Republican debate, two contenders – Governor Chris Christie and Senator Rand Paul – clashed on NSA powers, with Christie claiming that the government needs “more tools” for fighting terrorism, and Paul arguing that the US Constitution requires a warrant for collecting data from Americans.

On the Democratic side, former Secretary of State Hillary Clinton has largely avoided the issue of NSA surveillance, while her chief rival, Senator Bernie Sanders, has called the NSA activities exposed by leaker Edward Snowden “Orwellian” and “clearly unconstitutional.”

Beyond encryption and surveillance, the cyberthreat from China has also taken up a lot of air time, with Republican candidates Mike Huckabee and Marco Rubio calling for retaliation against China over its presumed involvement in cyberattacks on the US government.

Clinton didn’t go as far as Huckabee or Rubio, but talked up the threat of Chinese economic espionage in a speech last month in which she also claimed that China wants to hack “everything that doesn’t move in America.”

A lot of important policies affecting privacy and security of Americans – and others around the world – will be decided by the next US president.

If you care about any of these issues – encryption, surveillance and the powers of law enforcement; privacy rights; government oversight of the internet and telecommunications; and laws that affect everything from data breach liability, to the rights of security researchers to hack things – it’s time to tune in and make your voice heard.