Archive for the ‘Cryptography’ Category

Using science to generate truly random numbers

December 1, 2011

Tom Spears / Ottawa Citizens

To people who want to encrypt data, this is a potential source of randomly-chosen numbers that are used as a “key” to lock and unlock sensitive data — military transmissions, banking transactions, or your email.

The idea is that if no one knows how the key was created in the first place, hackers and code-breakers won’t be able to figure out the secret and decode the messages.

Tim Berners-Lee on vision for the future of IT security

November 5, 2011

Ron Condon / SearchSecurity

Berners-Lee also outlined the notion of a security friendly Web interface in which users would be able to divide their lives into their different activities – for instance, family, work, public – each of which could be colour coded and assigned a different level of privacy, set by the user. This way, even when filling out a form, the different fields could be given different colours according to their privacy rating. This kind of approach, he said, could create “an explosion of interesting new applications.”

Insecure encryption standard?

October 24, 2011

Computer World / Lucian Constantin

Researchers Juraj Somorovsky and Tibor Jager from the Ruhr University of Bochum (RUB) in Germany, devised an attack that decrypts data secured with the DES (Data Encryption Standard) or the AES (Advanced Encryption Standard) in CBC (cipher block chaining) mode. They plan to present their findings in more detail at the ACM Conference on Computer and Communications Security later this year.

According to Jörg Schwenk, who teaches Electrical Engineering and Information Technology at RUB, all data encryption algorithms recommended in the XML Encryption standard are affected by this attack, which relies on sending modified ciphertexts to the server and analyzing the errors for clues.
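The attack works because the server decrypts first and only then discovers that the padding is wrong, so a modified ciphertext produces one of two observable outcomes. The Go program below is an added example, not code from the article or from the RUB researchers: it places that vulnerable decrypt-then-check pattern next to an encrypt-then-MAC construction that rejects every modified ciphertext identically before decryption. Keys, IV and the sample message are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

var (
	encKey              = []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 demo key, not a secret
	macKey              = []byte("fedcba9876543210fedcba9876543210") // constructed HMAC-SHA256 demo key
	iv                  = []byte("constructed-iv16")                 // one AES block; fixed only for the demo
	blk, _              = aes.NewCipher(encKey)
	ErrPadding, ErrAuth = errors.New("bad padding"), errors.New("authentication failed")
)

// Vulnerable pattern: CBC-decrypt whatever arrives, then check the PKCS#7 padding;
// a modified ciphertext gives ErrPadding or garbage, and that difference is the clue.
func DecryptUnauthenticated(ct []byte) ([]byte, error) {
	p := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(p, ct) // empty or odd-length input panics
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return p[:len(p)-n], nil
}
func tag(ct []byte) []byte { // HMAC-SHA256 over IV || ciphertext
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}

// Hardened pattern (encrypt-then-MAC): append a tag over the ciphertext and verify
// it in constant time before any decryption, so every tampered message fails alike.
func EncryptThenMAC(plain []byte) []byte {
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return append(ct, tag(ct)...)
}
func DecryptAuthenticated(msg []byte) ([]byte, error) {
	if n := len(msg) - sha256.Size; n < 0 || !hmac.Equal(msg[n:], tag(msg[:n])) {
		return nil, ErrAuth
	}
	return DecryptUnauthenticated(msg[:len(msg)-sha256.Size])
}
```

Flipping one bit in the first ciphertext block turns the last padding byte of the decrypted second block into an invalid value, so the unauthenticated path returns ErrPadding, while the authenticated path returns ErrAuth for that and for any other change.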

Catching up on credit card security

September 13, 2011

Peter Svensson / USA Today

The problem with that black magnetic stripe on the back of your credit card is that it’s about as secure as writing your account information on a postcard: everything is in the clear and can be copied. Card fraud, and the measures taken to prevent it, costs U.S. merchants, banks and consumers billions each year.

The smart cards can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can’t be replicated.

Email That Led To The RSA Hack

August 29, 2011

Mikko / F-Secure

The current theory is that a nation-state wanted to break into Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and successfully break in there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

Memory encryption breakthrough

June 19, 2011

Ellen Messmer / InfoWorld

Researchers at North Carolina State University claim they’ve achieved a breakthrough in how encryption can be used in technology called non-volatile main memory, which is seen as an eventual replacement for conventional dynamic random-access memory.

…

In work conducted with graduate students, Solihin says N.C. State researchers completed building a hardware-based method to self-encrypt NVMM data. The idea is it might eventually become integrated into chipsets.

Google Hastens Secure Connections

June 19, 2011

Thomas Claburn / Information Week

Google is fanatically devoted to speed, because Web apps depend on speed to compete with desktop apps and slow response times lead to a poor user experience. So last year, Google’s computer scientists proposed a way to shorten the technical handshake ritual.

Now their proposal, Transport Layer Security (TLS) False Start, has been tested and the results are in: SSL False Start significantly reduces the amount of time required to establish a secure connection.

(Un)Trusting the Cloud

May 31, 2011

@The Invisible Things Lab’s blog by Joanna Rutkowska

One doesn’t need to be especially smart or security conscious to realize how much this might be a threat to security and privacy. How much easier would it be to attack somebody’s laptop if I knew precisely in which hotel and when he or she is planning to stay? How much more expensive would my health and life insurance be, if they could get a look at my health and fitness progress? Etc.

But we’re willing to sacrifice our privacy and security in exchange for the ease of syncing and sharing our data. We decide to trust The Cloud. What specifically does that mean?

Criminalizing Encryption

January 13, 2011

Earlier this week, Steptoe & Johnson, an international law firm, reported that New York was considering criminalizing encryption.

Nevada and Massachusetts require the use of encryption in certain circumstances. But New York is thinking about taking the opposite approach – making it a crime to use encryption in some situations. A bill (S. 714) introduced in the New York Senate on January 5 would prohibit the “criminal use of encryption.” While the intent appears to be to make it a crime for criminals to use encryption to conceal evidence, the bill’s awkward wording could be read to prohibit the use of encryption – such as by a communications company – that has the effect of concealing the identity of a criminal or evidence of a crime.

The Bill S714 (aka National Criminal Justice Commission Act) was introduced in the Senate in March 2009 by Senator Jim Webb (D-VA) and reported by the committee in Jan 2010, but it never became law. I quickly scanned through the bill (pdf) but couldn’t find any references to “encryption” (or “unencryption”). There is no other information available about this bill being re-introduced.

Though, there is enough evidence to support that this has been discussed multiple times since 2001 -

The technology of scrambling data and messages has become a crucial element of computer security for businesses and consumers alike. Officials of law enforcement and intelligence agencies have long warned lawmakers that they were unable to break the strongest encryption products, and that crimes eventually would be committed that might otherwise have been prevented.

and as Mark Rasch (attorney and technology expert) said in his 2003 post -

The new legislative proposal would be counterproductive. It could stigmatize encryption as a criminal tool. People will grow wary of using crypto, consequently vendors will become wary of building it in to products, and ultimately the nation will become less secure.

…we shouldn’t stop manufacturing locks just because criminals may use them to lock doors.

Point-to-Point Encryption Technology

December 27, 2010

Since Heartland’s breach back in January 2009, Heartland’s CEO has been a strong advocate for industry adoption of end-to-end encryption. End-to-end encryption still remains a future dream, but to assist merchants, the PCI Council has issued “guidance” for encrypting cardholder data and sensitive authentication data during transmission.

According to PCI, “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance” is written from the merchant’s perspective but is applicable to any payment industry stakeholder, including merchants, payment processors, acquirers, service providers, assessors, and solution vendors.

The purpose of this document is to help payment industry stakeholders in critically evaluating whether point-to-point encryption solutions may simplify PCI DSS compliance for their environment. The scope of this document relates only to transmitted cardholder or sensitive authentication data, and the impact on PCI DSS scope for a P2PE solution that encrypts this transmitted data.

New Technologies to Support Declassification

September 18, 2010

DARPA/FBO’s New RFP on Declassification

“Promotion of new technologies to support declassification. Striking the critical balance between openness and secrecy is difficult but a necessary part of our democratic form of government. Striking this balance becomes more difficult as the volume and complexity of the information increases. Improving the capability of departments and agencies to identify still-sensitive information and to make declassified information available to the public are integral parts of the classification system.”

Quantum Cryptography System Hacked

May 18, 2010

Should we be worried?

When it comes to secure messaging, nothing beats quantum cryptography, a method that offers perfect security. Messages sent in this way can never be cracked by an eavesdropper, no matter how powerful.

At least, that’s the theory. Today, Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially-available system.

