Twitter Security Pro: Encryption Isn’t Enough

Featured

Encryption can appear to be priceless when it’s absent, as it was in the recent Office of Personnel Management breach. It can appear to be costly when it’s present, as FBI director James Comey has argued. But not everything is as it appears.

Michael Coates, trust and information security officer at Twitter and global board member of the Open Web Application Security Project (OWASP), suggests encryption gets more credit than it deserves.

“Encryption is thrown around as the solution to prevent people from seeing your data,” said Coates in an interview at InformationWeek’s San Francisco office. “But if you dive into the dynamics of how data is stolen, you’ll find that encryption actually is not effective in those scenarios.”

Coates described a scenario involving a database with encrypted information. In order for a Web application to work with that database, it must decrypt the data.

“The way that data is most often compromised is through a vulnerability in the Web application … So when the attacker steals the data, that data will be unencrypted.”

Along these lines, a DHS official has asserted that encryption would not have helped in the OPM breach because the attacker had valid credentials. It may also turn out that encryption’s ability to conceal crime from the authorities is overstated.

Twitter Security Pro: Encryption Isn't Enough

Coates stopped by in his OWASP capacity in order to promote the OWASP Application Security Conference, which takes place Sept. 22 through 25 in San Francisco. The aim of the conference is to raise the bar for application security by helping individuals and organizations understand how to build better defended software.

“There’s a definite security talent shortage, so by educating more people we’re hopefully bringing more people into the fold,” said Coates.

Coates hopes the conference will provide companies with specific actions they can take to make their software more secure and with a roadmap to integrate best practices into their software development life cycle.

There are companies doing a good job with security, said Coates, citing Google, Facebook, Mozilla (where he used to work), Netflix, and Twitter (where he currently works). “The challenge is what do you say to the industry at large, to the companies in the Midwest that have one security person. … They can’t hire all these people and build custom solutions.”

Coates agrees with Google and other computer security professionals about the need for access to intrusion software, something could become more difficult if proposed export controls are adopted. “I think security engineers need both [offensive and defensive] skillsets,” he said. “Training someone how to attack software that they need to defend is vital. Anything less than that is just putting blinders on their eyes.”

At the same time, Coates is focused on providing developers with the tools and knowledge to write secure code. “We can’t just run around hacking ourselves secure,” he said. “Instead, we have to say, ‘I understand the symptom, how do I build a solution that is comprehensive and stops this problem from happening again in hundreds of applications?'”

Pointing to the way Java limits buffer overflow errors through array bounds checking and the way Python’s Django framework uses templates to prevent cross-site scripting, Coates expects some help will come through advances in programming languages that limit unsafe coding practices.

But because each application is unique and there are still so many ways to introduce vulnerabilities, Coates is pushing for security training, and for security as part of the software life cycle. “You can’t have security be this other team where you just throw things over the wall and fix stuff,” he said. “That’s a bottleneck and the business grinds to a halt. So you have to have this integrate into the life cycle and have tools that scale, because the cost of human capital for security is really high. And that’s what I see in enterprises that are doing well. They’ve found a way to minimize the human involvement and instead use highly accurate automation.”

Coates recommends that companies implement content security policies for their Web applications to defend against cross-site scripting. He also suggests using SSL everywhere and HSTS (HTTP Strict Transport Security) as defenses against man-in-the-middle attacks. He also advises use of the X-Frame-Options header, to prevent clickjacking (UI redress attacks).

“Fundamental security at the application layer and strong access controls at the enterprise layer governing who can interact with the data, those turn into the bread and butter of security,” said Coates. “And that’s where people need to spend the time.”

In The Debate Over Strong Encryption, Security And Liberty Must Win

Featured

When Sen. Chuck Grassley (R-Iowa) gaveled a Senate Judiciary Committee hearing into session on Wednesday, he called it the “start” of a conversation about privacy, security and encryption. Frankly, it was just the latest forum for a much older discussion.

While it may have been the beginning of a long day on Capitol Hill for FBI Director James Comey, the national conversation about law enforcement and strong encryption has been ongoing since the 1990s and the so-called “Crypto Wars.” While the debate now has a charged geopolitical context, includes the biggest tech companies on the planet and involves smartphone encryption, it’s not a new one.

No crytographers testified at Wednesday’s hearing. If one had been present, he or she might have told the representatives of the Federal Bureau of Investigation and the Justice Department that what they were asking Silicon Valley to develop — retaining the capacity to respond to lawful orders by providing data from computer systems with end-to-end encryption — wasn’t technically feasible in a way that didn’t fundamentally compromise the security of those systems.

If any of the 15 experts in cryptography that authored a new white paper on encryption had been called to testify, they likely would have made that case:

In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

The FBI and Justice Department may want the tech industry to “try harder” and give a “full, honest effort” to provide a technological way to provide access to encrypted information, but the tech industry isn’t biting.

“Proposals to mandate weakened encryption would undermine security and end user confidence in the Internet without any clear national security benefits,” said Abigail Slater, the vice president of legal and regulatory policy at the Internet Association.

“Strong encryption protects billions of global end users from countless privacy threats ranging from financial fraud to repressive governments stifling speech and democracy. Instead of forcing

companies to lower their security standards, policymakers should promote and protect the wide adoption of strong encryption technology.”

In his spoken testimony, Comey said, “There is no such thing as secure: There’s only more secure and less secure.”

Of that, there is no doubt. “Split key encryption,” where digital master keys to unlock encrypted data or systems are held in escrow, is less secure, just as it was when government officials proposed it nearly two decades ago.

The Justice Department and FBI may want to have a debate on encryption, but they’ve been dealt a losing hand at this table.

As law professor Peter Swire testified later in the Senate hearing, the review group on intelligence and communications technologies that President Barack Obama convened in August 2013 unequivocally recommended supporting strong encryption in its report on liberty and security later that year:

The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.

That conclusion is anything but isolated, as Kevin Bankston, the director of the Open Technology Institute at the New America Foundation, pointed out in an essay Tuesday:

…the broad consensus outside of the FBI is that the societal costs of such surveillance backdoors — or “front doors,” as Comey prefers to call them — far outweigh the benefits to law enforcement, and that strong encryption will ultimately prevent more crimes than it obscures.

Tech companies, privacy advocates, security experts, policy experts, all five members of President Obama’s handpicked Review Group on Intelligence and Communications Technologies, UN human rights experts, and a majority of the House of Representatives all agree: Government-mandated backdoors are a bad idea. There are countless reasonswhy this is true, including: They would unavoidably weaken the security of our digital data, devices, and communications even as we are in the midst of a cybersecurity crisis; they would cost the US tech industry billions as foreign customers — including many of the criminals Comey hopes to catch — turn to more secure alternatives; and they would encourage oppressive regimes that abuse human rights to demand backdoors of their own.

Bankston is no zealot, nor has he impugned the honor, intentions or distinguished public service record of Comey, who has notably stood on the side of civil liberties in his career.
What Bankston and many others are saying, and have been saying for years, however, is that protecting the privacy of citizens from those who would do them harm or steal from them is now intrinsically bound to encrypting devices, communications and data.

That’s true whether for cellphones, email, health records, tax transcripts or the of  tens of millions of public servants.

This isn’t a competition between privacy and security or a choice between opposing value systems: it’s security and security, and on the line is the capacity of democratic societies to do investigative journalism, engage in digital commerce or securely make transactions with government.

It’s fair to acknowledge that the FBI may have a diminished capacity to conduct some investigations as a result, but in striking an appropriate balance between safety and liberty, that is sometimes the outcome.

Microsoft Windows also vulnerable to ‘FREAK’ encryption flaw

Featured

Microsoft Windows also vulnerable to 'FREAK' encryption flaw

Computers running all supported releases of Microsoft Windows are vulnerable to “FREAK,” a decade-old encryption flaw that leaves device users vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw was previously thought to be limited to Apple’s Safari and Google’s Android browsers. But Microsoft warned that the encryption protocols used in Windows — Secure Sockets Layer and its successor Transport Layer Security — were also vulnerable to the flaw.

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft said in its advisory. “The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industrywide issue that is not specific to Windows operating systems.”

Microsoft said it will likely address the flaw in its regularly scheduled Patch Tuesday update or with an out-of-cycle patch. In the meantime, Microsoft suggested disabling the RSA export ciphers.

The FREAK (Factoring RSA Export Keys) flaw surfaced a few weeks ago when a group of researchers discovered they could force websites to use intentionally weakened encryption, which they were able to break within a few hours. Once a site’s encryption was cracked, hackers could then steal data such as passwords, and hijack elements on the page.

Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including Windows and the web browsers.

“The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor,” Matthew Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, wrote in a blog post explaining the flaw’s origins and effects. “This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today.”

Which File Encryption Software is Better?

To encrypt a file, people wrack their brains from hiding files to encrypting system files and DOS commands encryption, even professional encryption software. Which file encryption software is better? Best Encryption Expert is a proper choice.

1. Security
In terms of file encryption software, there is no doubt that security is the most important element. If a file encryption software’s security doesn’t have a high security level, it may be lead to the data leak unconsciously. For any user, it may bring about serious consequences.
Best Encryption Expert adopts advanced algorithms and reaches highest possible security level make your data impregnable. The encryption speed is so rapid that it can reach 25-50M/s.
2. Usability
As for file encryption software, whether the encryption and decryption process can automatically carry on is an important indicator judging the usability of encryption software. The early encryption software carries on encryption and decryption in the dedicated software windows. The later encryption software starts to integrate file encryption and decryption into Explorer’s right-click menu, which promotes the usability of software.
To using Best Encryption Expert to encrypt files, all you need to do is selecting the encrypting file and clicking right button, which make encryption and decryption operation easy.

Best Encryption Expert developed by Luoyang Xiabing Software Technologies Ltd, adopting advanced algorithms keeps you independent of information leak. However, the high security level doesn’t mean that its operation is complicate. Best Encryption Expert helps you get rid of the weak usability of encryption software. Best Encryption Expert will be your preferred choice to protecting individual privacy.

Which File Encryption Software is Better?

Abstract of Best Encryption Expert:
Best Encryption Expert is an excellent file/folder encryption software. It can encrypt file/folder and hard disk. Except highest possible security level and rapidity, Best Encryption Expert boasts of folder disguise, folder hide, shred data etc. functions, which make your data impregnable.