Wednesday, July 10, 2013

Encryption Merits Can Be Exaggerated


Encryption Merits Can Be Exaggerated
Encrypted data at some point has to be decrypted for use, and that's where the security of the system can break down. That's not the only risk, however. "If a service provider holds the keys and someone comes knocking on the door with a lawful request ... the enterprise would not know that its information has been handed over," said PrivateCore's Vice President for Marketing Todd Thiemann.

  
Encryption combined with cloud storage has been hailed as a highly secure way for organizations to protect their data from Net marauders, but their value may be overstated, contend two security pros.
While encrypting data is better than not encrypting it, where it's decrypted can be an important security consideration, said Steve Weis, CTO and cofounder of PrivateCore.
Data at rest that's been encrypted has strong protection. It's when the data has to be decrypted for use with applications that it can become vulnerable.
"If a company processes that data in the cloud or with an off-premises service provider, then the keys to that encrypted data can be exposed," Weiss told TechNewsWorld. "If those keys are compromised, their stored data can be compromised."
That's not a problem for organizations encrypting their data locally because the keys remain in their possession. However, "what we're seeing more and more are enterprises doing decrypting closer to where the data is," Weiss observed. "That means storing it and processing it in the cloud."
"To do that, they need to give the decryption keys to a server that's in the cloud," he continued. "The keys aren't being stored anywhere. They're being used in memory, but the memory is vulnerable to someone who has access to the machine."
  

Government Intrusions

Hackers and malicious insiders aren't the only ones who may be able to compromise a company's encrypted data. If an organization doesn't have control of the encryption keys for its data -- a common scenario when using large service providers like Amazon, Microsoft and Google -- law enforcement or spy agencies may be able to legally access it.
"If a service provider holds the keys and someone comes knocking on the door with a lawful request, the service provider is going to have to respond to that, and the enterprise would not know that its information has been handed over," PrivateCore's Vice President for Marketing Todd Thiemann told TechNewsWorld.
A savvy government agency could break into an organization's encrypted data, even when the organization has control of its encryption keys.
If the encrypted data is stored with a service provider and the company wants to work with data online, it would have to unlock the data in the memory of one of the provider's servers. A snapshot can be taken of the data in that unlocked state.
"A lawful request could be made to snapshot the data," Thiemann explained, "and from that snapshot, you can get at the underlying encrypted data."

Threat Trends

With half the year gone, cyberthreat trends are beginning to shape up for security pros. McAfee, for example, is seeing many hackers return to old ways.
"Many of the significant trends of the previous year went into remission, and older types of attacks, or retro-malware, grew significantly," McAfee Messaging Data Architect Adam Wosotowsky told TechNewsWorld.
Global spam, including the resurrection of pump-and-dump stock schemes, increased for the first time in three years, he added.
Another trend identified is the growth of storage stack attacks, also known as "master boot record" attacks.
"These attacks infect a machine's storage system and take control of the entire device," Wosotowsky said. "These MBR attacks have increased more than 30 percent so far this year."

Democratization of Malware

Social networks continued to become a fertile area for Net bandits.
"Hackers will take over a social networking account and use the contacts for that account to distribute malware as a trusted person," George Tubin, a senior security strategist with Trusteer, told TechNewsWorld.
"You're more likely to click on a link if a friend embeds a link in a tweet," he added.
Cybercriminals have been expanding their target pool beyond banks and into the enterprise and e-commerce, noted Tubin.
"That has to do with banks -- especially larger banks -- getting better at blocking some of these attacks," he said.
Also during this year, the democratization of the malware industry has become increasingly apparent, added JD Sherry, vice president of technology and solutions at Trend Micro.
"The shadow economy has created quite the black market for malware," he told TechNewsWorld. "It's allowed cybercriminals and miscreants to be able to acquire those assets easily, hence democratizing their production and distribution."

Breach Diary


  • June 29. Spam attack on Instagram uses compromised accounts to post fruit photos with links to a dieting Web page on a BBC website. Links were clicked on by more than 30,000 users before the image sharing service addressed the problem.

  • June 30. Ubisoft, a game maker whose stable includes Assassin's Creed, alerts users of a data breach and recommends they change their passwords. Information illegally accessed includes an estimated 58 million user names, email addresses and encrypted passwords. No payment information was stolen because the company doesn't retain that data.

  • June 30. Office of the president of South Korea reveals that personal information of 100,000 people registered with the office's website was breached. Information compromised includes names, birthdates, identification numbers, offline addresses and IP addresses. It's believed that passwords and their registration numbers -- the equivalent of U.S. Social Security numbers -- were not compromised because they were encrypted.

  • July 1. California Attorney General releases first annual data breach report showing 131 breaches in 2012 affecting 2.5 million consumers in the state.

  • July 1. Andrew Auernheimer, sentenced to 41 months in federal prison for breaching AT&T computers and exposing users of the iPad at the time Apple first introduced the tablet, appeals conviction.

  • July 1. Indiana Family and Social Services Administration notifies 187,533 clients that their personal information may have been compromised due to a programming error by a contractor. Information that may have been disclosed includes name, address, case number, date of birth, gender, race, telephone number and email address; types of benefits received, monthly benefit amount and employer information; some financial information such as monthly income and expenses, bank balances and other assets; and certain medical information such as provider name, whether the client receives disability benefits, and medical status or condition; and certain information about the client's household members like name, gender and date of birth. In addition, 3,926 clients may have had their Social Security Numbers disclosed.

  • July 2. AppRiver releases Global Threatscape report for first six months of 2013. In compiling the report, the company screened more than 15 billion messages, of which 13 billion were spam and 171 million carried viruses.

Upcoming Security Events


  • July 10. Getting Your Session Proposal Accepted for RSA 2014. 1 p.m. ET. Webcast. Free.

  • July 11. Inside the Mind of a Hacker. 1 p.m. ET. Webinar sponsored by WatchGuard. Free.

  • July 17. Accelerate Your Cloud Strategies: Strategies for Securing, Optimizing and Controlling the Cloud. 1 p.m. ET. Webinar sponsored by Akamai Technologies. Free.

  • July 24. Cyber Security Brainstorm. Newseum , Washington, D.C. Registration: non-government employees US$495; July 24, $595.

  • July 27-Aug. 1. Black Hat USA 2013. Caesars Palace, Las Vegas. Registration: June 1-July 24, $2,195; July 25-Aug. 1, $2,595.

  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.

  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian/The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.

  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros+VAT delegate/495 euros+VAT one day pass; Discount from July 27 -Sept. 27, 995 euros+VAT delgate/595 euros+VAT one day pass; Standard from Sept. 27-Oct.27, 1,095 euros+VAT delegate/695 euros+VAT one day pass; On site from Oct. 28-31, 1,295 euros+VAT.

  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.


John Mello is a freelance technology writer and former special correspondent for Government Security News.

No comments:

Post a Comment