Historically, Apple’s WWDC keynotes have had a predictable cadence — spotlight a handful of new OS features, flash a word cloud with 40 more highlights on screen for a minute, and move on. But this year, Apple’s keynote presenters rushed through almost all their feature reveals and notably left a fairly big one out: CryptoKit, a new Swift developer framework that can compute, evaluate, and compare keys, store keys in a device’s Secure Enclave, and generate keys for encryption and authentication.
While Apple’s long-term goals for CryptoKit are somewhat ambiguous, blockchain applications are clearly on its radar. During a mid-week WWDC presentation, Apple’s Yannick Sierra jokingly opened his “Cryptography and Your Apps” talk by referring to it as the “Bitcoin session,” though the talk focused almost exclusively on less exciting uses, such as encrypting hiking app data.
At least for now, Apple appears to be mostly focused on helping developers more easily navigate the increasingly complicated minefield of cryptography challenges and enabling them to make use of user-authenticated Secure Enclaves. CryptoKit supports 256-, 384-, and 512-bit SHA-2 secure hashes, as well as NIST P-256, -384, and -521 signatures and X25519 keys.
But opportunities for developers to experiment with more secure and less resource-demanding blockchain wallets appear to be in the cards. In online documentation, the company tells developers to “prefer CryptoKit over lower-level interfaces,” noting that the new framework will free apps from managing raw pointers and automate security tasks, such as overwriting sensitive data during routine device memory management operations. In a possibly related move, the company also added Bitcoin symbol support to its San Francisco system font for the first time.
Though presenters at the “Bitcoin session” openly suggested that CryptoKit is an early step toward some ambiguous larger purpose, it is far short of a deep dive into the cryptocurrency world for Apple. Even during the tech world’s most feverish period of obsession with cryptocurrencies, Apple publicly said almost nothing on the topic, leaving traders to speculate — often wildly and incorrectly — about its plans. Its silence was such that one brief mention of its involvement in drafting blockchain guidelines for responsible mining led to speculation that the company might begin actively embracing cryptocurrencies. At this point, that unlikely prospect appears to be on the horizon, though it’s unclear how long iOS and macOS will take to get there.
Ethereum founder: 'Blockchain will end data exploitation by Facebook and Google'
A personal digital vault that gives every individual complete ownership of her or his data. That is one of the visions of the future of Joseph Lubin, co-founder of the Ethereum network and founder of ConsenSys, by its own account a software company, under which dozens of blockchain projects such as uPort and Metamask sit.
Lubin ranks among the top 10 most influential people in the blockchain industry. His total net worth is roughly estimated at between 1 and 5 billion dollars. It is unknown whether he has already cashed out part of his, apparently, large holdings of "ether". More fundamental is Lubin's vision, and in this interview he highlights a number of important components of it: self-determination over your data and not being at the mercy of powerful data farmers such as Facebook and Google. Lubin: "With internet 3.0, the endless exploitation of our personal data comes to an end."
Largest platform
Lubin also touches briefly on the much-discussed future of Ethereum, saying: "Ethereum has in a short time grown into the largest platform in the blockchain world. Bitcoin has more market value, but that is largely driven by speculation. We are on the eve of phase 2 of the Ethereum project. Far-reaching decentralized protocol layers are currently being built, which will, for example, make many more sidechains possible for hundreds of thousands of transactions per second. Say you want to trade an in-game sword in a game; that is possible via a sidechain, for example."
According to Lubin, building new blockchain layers never stops, because ultimately we do it for "the people". He says: "Apple did well at the time with the introduction of the iPhone and iPad. They were revolutionary inventions, but they let people get used to them gradually. The same goes for blockchain, web 3.0 and 4.0. It means a profound change in our society; we are now building a new infrastructure, but we will have to work hard to make sure people come to trust and use it."
Data centre and interconnection giant Equinix has introduced a hardware security module (HSM) as-a-service offering, called the SmartKey.
HSMs are used by a growing number of businesses for security purposes, in place of traditional on-premise encryption techniques, which are complex and typically don’t work well when trying to operate across multiple clouds.
Historically, cryptographic processing (encryption) and management of the encryption keys has been a major part of the protection of sensitive data within an on-premise data centre.
However, due to the cost and complexity of the management and deployment of this process, as well as the difficulties faced when moving to the cloud with classical encryption, more businesses have turned to HSMs.
A physical device that typically works as a plug-in card or attaches directly to a server, HSMs are seen as a simple and effective security solution, and, according to the results of the Global Encryption Trends Survey from Ponemon Institute, are used by 48% of enterprise respondents on-prem in support of cloud applications, while 36% of survey respondents ‘lease’ HSMs from a public cloud provider.
However, in a blog post, Equinix’s global head of security products, Imam Sheikh, wrote: ‘While cloud-based HSMs provide simplicity, these solutions place both the data and encryption keys together in the same place, increasing the risk of them both being breached by hackers or malicious insiders.
‘With the increasing number of complex security threats and the amount of information moving in and out of the cloud, a new security control point must be implemented at the intersection of people, locations, clouds and data.’
This is where Equinix wants its SmartKey to be used. Now in its public beta stage, the technology is based on Intel’s Software Guard Extensions (SGX) and is powered by Fortanix. SGX is designed for application developers looking to protect application code and data. Fortanix worked on the first HSM management cloud service based on this technology, which Equinix is now offering as a service.
The firm will also offer private connectivity options to SmartKey for public and hybrid cloud, including for AWS. Access to the service will be made via private interconnection within an Equinix international business exchange (IBX) data centre, or via the internet.
Allegations that Russian intelligence agents somehow co-opted Kaspersky Lab's anti-virus software, enabling them to search PCs for intelligence, raise questions not just about the security of the Moscow-based security firm's products, but all anti-virus products.
To recap: Israeli intelligence allegedly hacked into Kaspersky Lab's network and found Russian intelligence was already monitoring the company's communications with endpoints, as well as running searches for interesting-looking files on customers' PCs. Cue questions about whether Moscow-based Kaspersky Lab knew or abetted those intelligence efforts.
The allegations are a reminder that all anti-virus software is designed to run at a deep level on a PC, which is required to ensure it can excise malicious code. But such capabilities could be misused. Anti-virus software typically also sends copies of suspicious-looking files back to the vendor, so its malware researchers, often working with their peers in other security firms, can study the malware and create signatures. These signatures then get pushed out to all endpoints to better protect them.
All Software Has Flaws
Despite the allegations leveled against Kaspersky Lab, many security experts say that anti-virus software likely has enough exploitable vulnerabilities in it that a security firm would not need to be co-opted (see Yes Virginia, Even Security Software Has Flaws).
And as Dubai-based incident response expert Matt Suiche has noted, any security vendor might be targeted by intelligence agencies seeking easy access to targets' PCs.
When it comes to Kaspersky Lab, we'll probably never know what happened. "I don't think you can ever prove beyond a reasonable doubt that Kaspersky colluded as an organization with any government. It would have been much easier to simply breach Kaspersky, look for reports from the product that might contain material of interest to the intelligence community and then zero in on those machines," says Alan Woodward, a computer science professor at the University of Surrey.
If one takes Kaspersky Lab at its word - that it is innocent - that raises the question of how the company's ability to monitor and communicate with endpoints might be abused. It also raises the question of whether other security firms are similarly at risk - and what they're doing to protect their operations and customers.
What Defenses In Place?
To understand the defenses that anti-virus firms have in place to prevent these types of hack attacks or other misuse, Information Security Media Group reached out to 17 firms that develop anti-virus software for endpoints and posed detailed questions.
So far, seven firms have responded. Avira (Germany), Emsisoft (New Zealand), F-Secure (Finland), Kaspersky Lab (Russia) and Panda (Spain) offered detailed responses to my questions.
Meanwhile, Trend Micro (Japan) declined to field the questions. So did Webroot (United States), with the company saying that doing so would involve "giving away sensitive and competitive information or commenting on competitors in the space." But Chad Bacher, Webroot's senior vice president of product and technology alliances, lauded market competition. "All endpoint security companies utilize different approaches to keep their customers safe, which benefits consumers by bringing a healthy competition to the market."
The Sound of Silence
Since first querying the 17 firms - multiple times if necessary, beginning on Oct. 6, except for Malwarebytes and Sophos, first queried on Oct. 11 - the following firms have not responded to the posed questions:
Avast (Czech Republic)
Bitdefender (Romania)
Bullguard (United Kingdom)
ESET (Slovakia)
Malwarebytes (United States)
McAfee (United States)
Microsoft (United States)
Sophos (United Kingdom)
Symantec (United States)
VIPRE (United States)
6 Anti-Virus Questions
Here are the questions ISMG posed to all 17 anti-virus firms:
What steps do you take to secure suspicious file samples when they are transmitted from a user's PC to your researchers? For example, are all such communications encrypted?
Could outside attackers eavesdrop on those communications, and if so, how? What defenses are in place to prevent this?
Do you ever share copies of these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign?
For a user, is sharing suspicious files with your researchers optional? If so, do users "opt in" - or must they "opt out"?
Do you anonymize the source of suspicious files, and if so, how (and at which point[s] in the submission chain)?
Has your firm engaged in any marketing that suggests that Kaspersky Lab products are not reliable, and does it have any hard evidence - aside from U.S. media reports that cite anonymous sources - to back up these assertions?
"In view of the weaknesses we have seen in the supply chain in recent months, one might want to pay particular attention to what anti-virus software vendors say about how their back-end systems are protected," Woodward says.
Some firms, including Avira and F-Secure, note that they publish policies that spell out how they handle threat data and some of the above questions.
But here are the detailed responses received so far.
Avira's Response
Avira says it encrypts all communications between endpoints and its back-end systems, including encrypted file transfer to submit suspicious files for real-time analysis. Company spokeswoman Olivia Ciubotariu says all this analysis is done using "dedicated and secured networks for the analysis" because every file sample is presumed to be malicious, and that users can opt out of this analysis. Avira says it has never shared these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign, and that all user data is anonymized.
"We anonymize all personal information before sending them to our database," Ciubotariu says. "The only purpose of Avira Protection Cloud is to protect our customers against widespread threats, and without violating data privacy."
Emsisoft's Response
Emsisoft says that by default, it does not transfer any suspicious files from a user's system to its cloud-based servers for analysis, but instead only transfers hashes of the file. This process is anonymous and active by default. "Any submissions of hashes are not linked with personal user information at any time, as the systems are separated," says Emsisoft's Holger Keller. "Users can opt out from participating in the Emsisoft Anti-Malware Network, which is our malware information cloud."
Users can, however, manually submit a suspicious file to Emsisoft, which triggers an SSL-only file transfer and creates a service ticket so that the company can respond to the user with its verdict on the file.
"[If] the user's computer is not compromised in the first place - i.e. with manipulated SSL certificate roots - we would consider transfers relatively safe," Keller tells Information Security Media Group. "Emsisoft intentionally does not make use of local SSL traffic interception, which seems to be a major security problem for a number of anti-virus vendors these days," he says (see Lenovo Slammed Over Superfish Adware).
File transfers are not anonymous, because Emsisoft needs to respond to the customer, although Keller says a user could provide fake contact details. "We have never shared any suspected malware files with any law enforcement or intelligence agencies," he adds.
F-Secure's Response
F-Secure says it makes heavy use of encryption and anonymization. "All queries regarding file (hashes) or URL reputation made to our 'security cloud' are encrypted," Sean Sullivan, security adviser at F-Secure, tells ISMG. "Files/samples uploaded/submitted to us by our customers are also encrypted. All customer submissions are flagged as confidential in our sample management system. They are only re-categorized if we can see through our partnerships and threat intelligence that the files are in the wild."
Sullivan says F-Secure does not submit files to VirusTotal, although it does share samples with "trusted partners," but only for samples "which are classified as nonconfidential." Information on a suspect file on a PC, meanwhile, pings the company's cloud security gateway, which will respond if the required information is in its cache. If not, a database handling ID gets dispatched and a back-end query made, thus obscuring the origin of the request.
Sullivan says that in general, one must "opt out" of sharing data with F-Secure, but says this is possible with all products, including its free online scanner. He also says the company does not save IP addresses, but discards this information immediately, localizing to the country level, to help analysts trace malware outbreaks and infection counts at a regional level. Before files get submitted, path names get normalized, usernames changed to "username" or the equivalent and file path metadata cleaned.
Some intelligence and analysis does get shared with CERT-FI - the computer emergency response team for Finland - that may disseminate the information to law enforcement agencies, Sullivan says. "To my best knowledge, law enforcement agencies share with us, seeking our analysis, not the other way around," Sullivan says. He adds that any information shared with CERT-FI is anonymized and tends to focus on malware command-and-control information and "analysis of malware targeting specific targets within a country," rather than sample sharing.
Panda's Response
Panda says it makes extensive use of encryption, which should block any attempt to eavesdrop on communications with endpoints. "The information sent is encrypted, and all communications are encrypted (HTTPS)," says Luis Corrons, technical director of PandaLabs, the firm's anti-malware laboratory.
Customers can opt out of sharing malware samples. "It is important to mention that we only send files that are capable of being executed - i.e. we won't send Word, Excel or PDF files," Corrons tells ISMG. "Most of them are PE [portable executable] files and then scripts," including Visual Basic, JavaScript and batch files.
"We only share malware files with other security companies, but that does not include files that have been found at a customer," Corrons says. "We do not have any share agreements with law enforcement or any intelligence agencies."
Kaspersky Lab's Response
A Kaspersky Lab spokeswoman tells ISMG that its Kaspersky Security Network is "an advanced cloud-based system that automatically processes cyber threat-related data received from millions of devices owned by Kaspersky Lab users across the world, who have voluntarily opted to use this system." It says this cloud-based approach is the one typically taken by larger IT security vendors.
"All communications between clients and Kaspersky Lab infrastructure are reliably encrypted," the spokeswoman says. "The company uses strong encryption, including algorithm RSA 2048 handshake and AES 256 data encryption."
The company says it makes extensive use of encryption, digital certificates, segregated storage and strict data access policies. Anonymization is widespread. "Actions to achieve this include deleting account details from transmitted URLs, obtaining hash sums of threats instead of the exact files, obscuring user IP addresses, etc." The company says it regularly reviews these practices to ensure they comply with legal rules and privacy regulations, such as the EU's General Data Protection Regulation.
Users can opt out of at least some types of information sharing. "Depending on the product, users have the option to switch it off (for corporate solutions) or to limit the amount of data sent through the security cloud (for home solutions)," Kaspersky Lab says.
From a privacy standpoint, the security firm says that for any collected information:
"The information is used in the form of aggregated statistics;
"Logins and passwords are filtered out from transmitted URLs, even if they are stored in the initial browser request from the user;
"When we process possible threat data, by default we do not use the suspicious file. Instead we use hash-sum, which is a one-way math function that provides a unique file identifier;
"Where possible, we obscure IP addresses and device information from the data received;
"The data is stored on separated servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted."
Kaspersky Lab says it "routinely assists law enforcement agencies and governments by providing technical expertise on malware and cyberattacks," and it may share malware samples gathered by KSN with law enforcement agencies, at their request. "The sharing of samples with law enforcement agencies is dictated by the local laws by which Kaspersky Lab strictly abides," it says. "We don't share user data with any third party; the industrywide exchange is limited to malicious samples and aggregated statistics."
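The anonymization steps that F-Secure and Kaspersky Lab describe (a hash instead of the file, credentials filtered from URLs, usernames normalized in paths, IP addresses obscured) can be sketched as a client-side report builder. This is an added example, not any vendor's code: the function names, the list of sensitive query parameters and the /24 and /48 network truncation (standing in for country-level localization, since no geolocation database is embedded) are assumptions.

```python
import hashlib
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as credentials (assumed list for this example).
SENSITIVE_PARAMS = {"user", "username", "login", "password", "pass", "pwd", "token"}

# Per-user directory component of common Windows and Unix profile paths.
_USER_DIR = re.compile(
    r"(?i)^((?:[a-z]:)?[\\/](?:users|home|documents and settings)[\\/])[^\\/]+"
)


def scrub_url(url):
    """Remove userinfo and credential-like query values from a URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    query = [
        (key, "REDACTED" if key.lower() in SENSITIVE_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, host, parts.path, urlencode(query), parts.fragment))


def normalize_path(path):
    """Replace the account name in a profile path with the literal 'username'."""
    return _USER_DIR.sub(lambda m: m.group(1) + "username", path)


def coarsen_ip(ip):
    """Keep only the enclosing network (/24 for IPv4, /48 for IPv6; assumed widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_report(file_bytes, path, source_url, client_ip):
    """Build the record sent to the back end: a hash, never the file itself."""
    return {
        "sha256": hashlib.sha256(file_bytes).hexdigest(),
        "path": normalize_path(path),
        "source_url": scrub_url(source_url),
        "network": coarsen_ip(client_ip),
    }


if __name__ == "__main__":
    # Constructed sample input, not real telemetry.
    report = build_report(
        b"constructed sample bytes",
        r"C:\Users\jsmith\Downloads\setup.exe",
        "https://alice:s3cret@example.test:8443/dl/setup.exe?id=7&password=hunter2",
        "203.0.113.77",
    )
    for field, value in report.items():
        print(f"{field}: {value}")
```

Scrubbing on the endpoint, before transmission, means the back end never receives the raw values, so the result does not depend on server-side access policies.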
VirusTotal Sharing
All but one of the security firms that offered answers to ISMG's questions say they do not share virus samples with Google's VirusTotal malware-scanning service.
Emsisoft says that "we exchange files and file information with VirusTotal if the source of a file doesn't generally object to that."
Comments: Allegations Against Kaspersky Lab
Avira, Emsisoft and F-Secure declined to comment on the allegations against Kaspersky Lab.
Panda, however, noted that "there is no real proof that Kaspersky Lab has been involved in any malicious activity" and said while Russia might attempt to security firm's product or cloud network, "it is a really unlikely scenario, although if there is some open conflict among both countries it could happen."
Emsisoft's Keller commented in more general terms, noting that "the conceptual problem of submitting files for deeper automated analysis doesn't only affect Kaspersky, but basically all anti-virus vendors." As malware grows more complicated, advanced analysis must typically be carried out on the server side. This can necessitate moving a copy of the file from a client onto a cloud-based server for analysis. "As those clouds are generally closed systems, nobody can tell for sure whether any files are redirected to intelligence services or just kept for statistical analysis as promised," he says.
To help mitigate any threats, Keller says, "sensitive data should be encrypted at all times" when interacting with cloud environments of any kind.
Who to Trust?
To be clear, posing questions to anti-virus firms doesn't mean that their software or back-end servers might not be co-opted now or in the future.
But the willingness of some firms to answer these types of questions may well become a factor for consumers and businesses around the world as they research which anti-virus firms they will trust to secure their systems (see Anti-Virus: Don't Stop Believing).
This report will be updated as more security firms respond.
Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.