Cloud Hosting

The UKs Online Safety Bill

A heated debate surrounds a crucial aspect of the UKs Online Safety Bill (The Bill): whether the pursuit of greater protections against child sexual abuse material (CSAM) justifies compromising individual privacy in relation to private messages. While the aim to combat CSAM is undoubtedly important, critics argue that the bills provision to scan end-to-end encrypted messages undermines the privacy rights of users.

What is End-to-End Encryption?

End-to-end encryption is a security method that offers users a greater level of privacy and security while exchanging private messages. This encryption technique ensures that only authorized recipients can access and decode the messages shared, protecting the content of the messages from any unauthorized access by third parties, including service providers (Like Google and WhatsApp) and governmental entities. By encrypting data on the senders device and decrypting it on the receivers device, end-to-end encryption prevents messages from being intercepted as well as eliminating the vulnerabilities associated with storing confidential information on servers. This technology allows users to communicate confidently, knowing that their conversations, personal details, and digital interactions remain shielded from prying eyes. With the implementation of end-to-end encryption, messaging applications such as Signal and WhatsApp have upheld the fundamental right to privacy of users within the digital landscape.

Why is The Online Safety Bill So Contentious?

Proponents of stricter measures argue that the prevalence of CSAM necessitates proactive action by tech companies and regulatory authorities. They contend that scanning encrypted messages can help identify and remove illegal content, potentially saving victims from further harm. However, opponents in tech raise concerns about the potential erosion of privacy and the broader implications The Bill will have for digital rights. In an open letter, opponents of The Bill argued that Proponents say they appreciate the importance of encryption and privacy while also claiming that its possible to surveil everyones messages without undermining end-to-end encryption. The truth is that this is not possible the letter reads.

Apple, Signal and WhatsApps Argument

In a recent statement to the media Apple has joined the chorus of voices against The Bill saying that End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats,. Other prominent end-to-end encrypted messaging apps, including Signal and WhatsApp, have also taken a firm stance against the Online Safety Bill. WhatsApps head, Will Cathcart, stated that the platform would refuse to comply with any legal requirement to undermine its encryption. Similarly, Signal President, Meredith Whittaker warned that the secure messaging platform would rather quit the UK than compromise the security and privacy of its users.

The Online Safety Bill also carries legal implications for non-compliant companies. Failure to adhere to the bills requirements could result in substantial fines, and senior executives may face imprisonment under the expanded criminal liability provisions. The inclusion of clauses that allow Ofcom to compel communications providers to take action to prevent harm to users has also received criticism from tech companies.

Conclusion

The encryption-busting Online Safety Bill has provoked a fierce backlash within the tech industry, as concerns grow over the potential loss of secure messaging apps from the UK. Tech giants like Apple have expressed their reservations, emphasizing the critical role of end-to-end encryption in protecting user privacy. With the bills passage into law anticipated this summer, the debate surrounding privacy, security, and the balance between law enforcement and individual rights continues to intensify.

Taylor Hampton Solicitors is an award-winning London based law firmrecognised as a leader in defamation, privacy, phone hacking and internet litigation.Whilst distinguished for our work in media and internet law, our practice also focuses on UK immigration and visa services and Australian migration.

Please visit our website athttps://taylorhampton.co.ukand contact us at[emailprotected]or 00444275970 for further information on our professional services.We offer a preliminary consultation without obligation.

Visit link:
Privacy and Legal Concerns Surrounding the UK's Online Safety Bill - Lexology

In an Orwellian era marked by ever-increasing digital surveillance, many law-abiding citizens are increasingly concerned about their privacy. The revelations by whistleblowers Edward Snowden and William Binney shed light on pervasive government surveillance and corporate surveillance by the tech giants may be even more widespread.

As a response to these abuses, the development and adoption of encrypted apps has gained momentum, providing individuals with a layer of privacy and security. In this article, well cover just a few of your best options to protect your online privacy.

Signal, endorsed by privacy advocates and experts worldwide, has emerged as the gold standard for secure messaging. This open-source app encrypts your conversations end-to-end, ensuring that only the intended recipient can decipher the messages. Signal also boasts features like self-destructing messages, verification codes, and secure voice and video calls. Its simplicity, robust encryption protocols, and wide adoption make it an ideal choice for safeguarding your private conversations.

When it comes to securing your email communications, ProtonMail stands out as a reliable option. Offering end-to-end encryption, ProtonMail ensures that your messages remain inaccessible to unauthorized entities. The app enables you to send encrypted messages to non-ProtonMail users, further expanding its reach. ProtonMails emphasis on privacy, coupled with user-friendly features, makes it a popular choice for those seeking to shield their email communications from prying eyes.

For users concerned about their online activities being tracked and monitored, the Tor browser provides a valuable solution. By routing your internet traffic through a network of encrypted relays, Tor conceals your identity and location, effectively shielding you from prying eyes. Whether youre accessing sensitive information, evading censorship, or simply desiring online anonymity, the Tor browser offers a powerful tool to protect your privacy during web browsing.

A Virtual Private Network (VPN) is a crucial tool for protecting your online activities from surveillance. NordVPN, a widely recognized and trusted VPN service, encrypts your internet traffic and routes it through remote servers, shielding your data from prying eyes. With an extensive network of servers worldwide, NordVPN offers robust security and privacy features, allowing you to browse the web, access geo-restricted content, and engage online without compromising your privacy.

ProtonVPN, developed by the same team behind ProtonMail, combines security, privacy, and user-friendliness. With a focus on strong encryption, a strict no-logs policy, and support for advanced security protocols, ProtonVPN ensures that your internet traffic remains shielded from surveillance. Its intuitive interface and various subscription plans cater to both casual users and privacy enthusiasts, making it a top choice for those seeking a VPN service with ease of use.

In an age where violations of privacy by governments and corporations have become pervasive, encrypted apps provide a formidable line of defense.. By harnessing the power of these tools, you can regain control over your digital persona. If you are among those who still value their privacy, even in the digital age, you must stay vigilant by adopting privacy-focused technologies, and reclaim your rights.

Read more from the original source:
Safeguarding Your Privacy With Encrypted Apps to Thwart ... - Innovation & Tech Today

On July 5, Cisco released a security advisory warning users of a vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode.

The networking and cybersecurity solutions company has no plans to release software updates to address the vulnerability, and there are no workarounds. IT teams are now faced with responding to a patchless vulnerability.

The vulnerability (CVE-2023-20185) impacts Cisco Nexus 9000 Series Fabric Switches in Application Center Infrastructure (ACI) mode that run releases 14.0 and later, specifically if the data switching gear is a part of Multi-Site topology and uses the CloudSec encryption feature, according to the security advisory.

The high-severity vulnerability could allow sensitive user and company data to be read, modified, or exploited by bad actors that are intercepting encrypted traffic and/or using cryptanalytic techniques to break the encryption, George Gerchow, CSO and SVP of IT at SaaS analytics platform Sumo Logic, tells InformationWeek. He is also on the faculty with the cybersecurity research firm Institute for Applied Network Security (IANS).

Successful exploitation of this vulnerability could have wide-ranging consequences. In addition to manipulation of traffic between ACI sites, bad actors could leverage the vulnerability to lead to broader security breaches. If attackers gain unauthorized access to the network through this vulnerability, it could potentially open pathways for further exploitation or lateral movement within the network, explains Callie Guenther, senior managerof cyber threat research at managed detection and cybersecurity companyCritical Start.

Thus far, Ciscos Product Security Incident Response Team (PSIRT) has not found any indication that the vulnerability has been exploited, according to the security advisory and an emailed statement.

The company recommends that customers using its ACI Multi-Site CloudSec encryption feature on certain Nexus Series Switches and Line Cards immediately disable the feature. The security advisory includes directions on how to determine the status of the CloudSec feature. The company recommends users reach out to their Cisco support organization to talk about alternatives.

The lack of patch and workaround for the vulnerability is not typical, and it likely indicates a complex issue, according to Guenther. It signifies that the vulnerability may be deeply rooted in the design or implementation of the affected feature, she says.

With no workarounds or forthcoming patch, what can IT teams do in response to this vulnerability?

Before taking a specific action, IT teams need to consider whether this vulnerability impacts their organization. I have seen companies go into a panic, only to find out that a particular issue didnt really affect them, says Alan Brill, senior managing director in theKrollCyber Risk Practice and fellow of the Kroll Institute, a risk and financial advisory solutions company.

When determining potential impact, it is important for IT teams to take a broad view. The vulnerability may not directly impact an organization, but what about its supply chain? Third-party risk is an important consideration.

If an IT team determines that the vulnerability does impact their organization, what is the risk level? How likely is threat actor exploitation?

In some cases, the risk may be small enough that it does not require a response. Document your decision and thinking to demonstrate that an analysis was done and to show that a decision not to respond to the particular problem was a reasonable one, Brill recommends.

In other cases, Cisco customers will need to act. This may mean disabling the function and considering alternatives, but these responses are not without complications.

The feature in question could be critical to an organizations network infrastructure function. Disabling it could mean operational disruptions and limited network functionality.

Once the feature is disabled, IT teams may need to find alternate configurations to address the loss of functionality. This might involve reconfiguring network paths, adjusting security policies, or implementing alternate encryption mechanisms, says Guenther. Such reconfigurations can be complex and time-consuming, especially in large-scale environments with intricate network architectures.

Disabling the feature and introducing an alternative configuration will require impact assessment and testing. How will disabling the feature impact network performance and security? Will an alternative introduce new potential risks?

Disabling the CloudSec encryption provides potential access in clear text to organizational data, a risk that malicious actors are now aware of and may seek to exploit, says Gerchow.

While a patchless vulnerability may stand out, it is likely that it will happen again. Given the complexity of the software -- and the embedded code can be the source of problems for a lot of packages -- I think its really a matter of when it happens again, not if it will ever happen again, says Brill.

Gerchow argues that IT leaders should push for a move to SaaS and public cloud solutions. The lack of a patch or workaround from Cisco leaves customers in a vulnerable position, whereas SaaS and public cloud providers bear the responsibility for maintaining the security of the infrastructure, he says.

IT teams will inevitably need to address other software vulnerabilities, whether they can be patched or not, in the future. Strengthening an organizations security posture, understanding risk, communicating with vendors, and having a strong incident response plan in place can help them prepare for the next one.

Having a plan, having managements backing, and understanding and carrying through on the plan is the best solution when faced with this kind of problem, says Brill.

Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4

Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors

Cisco CIO Fletcher Previn on the Hybrid Workplace & Exploring AI

The rest is here:
What Does the Patchless Cisco Vulnerability Mean for IT Teams ... - InformationWeek

Over-the-top (OTT) communication services like Whatsapp, Signal or Telegram could be "over regulated" with the threat of encryption being compromised, said technology policy experts after the Telecom Regulatory Authority of India (Trai) proposed to regulate such services in its consultation paper released last week.OTT services are currently regulated under the IT Act, which will soon be replaced by the proposed Digital India Bill.Experts said currently the government is required to give a notice under Section 69(a) of the IT Act to track calls and if OTT services are regulated by Trai, it will make it much easier for the government to intercept calls.The firms may also have to do away with end-to-end encryption, which will be a risk to user privacy and threaten operations of firms like Whatsapp in India, experts said.OTTs are currently regulated under the IT Act and adding another regulator in the mix is likely to complicate issues. India will probably have to consider a collaborative digital regulation framework like the one that the UK has set up, said Rohit Kumar, founding partner of public policy research firm The Quantum Hub.

Last Friday, Trai had issued a consultation paper on the regulatory mechanism for OTT communication services as well as their selective banning on national security grounds.

Nikhil Narendran, partner at the TMT practice of law firm Trilegal, said, "Once a licensing regime is brought in, for OTT services, the whole architecture of these services may require change".

Telecom carriers have called the regulators discussion paper on regulating OTT players such as WhatsApp, Telegram and Signal, and on selective banning of apps during instances of civil unrest a progressive step and a backing of their concerns, ET reported last week.

Amrita Choudhury, president, Cyber Caf Association of India, said, licensing OTTs will not address telco issues and that there are other viable options to support the challenges faced by the telecom industry such as rationalising spectrum charges, etc.

Further, Section 69 of the IT Act already prescribes powers for monitoring and decryption of information, he said. Procedural and Safeguards for Interception and Decryption Rules, 2009 formulated under this provision, at least have some procedural safeguards for such orders, he explained.

Indicating a compromise of end-to-end encryption like national security, public order etc. may not satisfy the proportionality and necessity test stated by the Supreme Court in the first Puttaswamy judgement, he said. Given these reasons, it is important that OTT communication services are kept outside the jurisdiction of DoT and Trai, Rizvi said.

Waghre explained that the current approach seeks to resurrect a 'licence raj' and compromise citizen's ability to communicate privately instead of being progressive and protecting the rights of individuals in India.

Such an approach also fundamentally misunderstands one of the core tenets of communications securitythat you cannot have selective compromises. Once a system that intentionally introduces a vulnerability in end-to-end encryption/private communications is created, it can be exploited by anyone, he pointed out.

Read the original here:
Trais proposal to regulate OTT concerning, may threaten privacy, end encryption: Experts - The Economic Times

Hacking group CL0Ps attacks on MOVEit point to ways that cyber extortion may be evolving, illuminating possible trends in who perpetrators target, when they time their attacks and how they put pressure on victims.

Malicious actors that successfully target software supply chains can maximize their reach, impacting the initial victims as well as their clients and clients clients. And Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future, noted that cyber extortion groups like CL0P have the money to buy zero-day vulnerabilities to compromise commonly used platforms.

Plus, perpetrators increasingly use threats to publish stolen data more so than file encryption to put pressure on victims and are exploring new ways of denying victims access to their data.

And other extortionists are likely watching the MOVEit incident play out and drawing their own takeaways.

With a lot of these, the first big attack, it gets the headlines, but these ransomware groups are learning at the same time, Hofmann said. They're seeing what worked well, what didn't, what tactics worked, and they're learning from each other. So, the next go-around is going to be different.

Groups like CL0P also appear to be putting attention on targeting widely used platforms and exploiting zero-day vulnerabilities.

The MOVEit compromise was CL0Ps third known attack on a file transfer service, each one netting more victims. Its 2020 Accellion exploit stole data from roughly 100 companies, while the hackers said their early 2023 attack on GoAnywhere impacted about 130 organizations, per Bleeping Computer. By early July, more than 200 organizations were believed to be affected by the MOVEit hacks, with data breaches affecting more than 17.5 million people, Emsisoft threat analyst Brett Callow told TechCrunch. Of course, hitting victims and getting money out of them are two separate matters.

Cyber criminals can buy zero-day vulnerabilities, said Liska. Paying six figures for zero days in top-name software like Microsoft Exchange may be too spendy for most, but many ransomware groups do have the money to shell out up to five figures to buy zero days in lower-profile, widely used platforms like MOVEit, he said.

You're not spending more than $100,000 and that. And as far as we can tell, CL0Ps made 100 times that at least from this particular attack, Liska said. So, in theory, if they reinvested all of that money, they could buy 100 more of these zero days to these types of platforms or more and still have money leftover to vacation in Sochi.

Still, organizations shouldnt forget about more traditional attack methods, Hofmann said. Roughly 90 percent of cyber extortionists still wage their attacks by taking advantage of unpatched Internet-facing systems, remote desktop protocol (RDP) connections where multifactor authentication (MFA) has yet to be implemented, or phishing and stolen credentials.

MOVEIt software creator Progress announced that the initially exploited vulnerability as well as one discovered a few weeks later took advantage of SQL injection vulnerabilities in the tool.

These are among the oldest forms of vulnerability and are the result of poor coding practices that are preventable, reported Ars Technica.

Federal efforts are underway to push software developers to design offerings with security baked in, thus improving overall safety of the software landscape.

Thats a good way to go, because a lot of these platforms that are heavily relied on are rickety, because they're not looked at they've been traditionally ignored by bad guys, and that picture is changing, Liska said.

Realizing that a secure-by-design vision could take decades, in the meantime, organizations should use a defense-in-depth approach to better protect themselves, Liska said.

In ransomwares early days, perpetrators encrypted files and demanded payment. But other methods may be gaining more popularity. A recent report found attackers increasingly pressuring victims by stealing their data and threatening to publish it, sometimes but not always pairing this with file encryption.

Organizations with sophisticated backup strategies may not need their files back, making traditional encryption-only extortion ineffective, said Lisa Forte, partner at cybersecurity training and consulting provider Red Goat Cyber Security. Plus encrypting and decrypting are tricky: Often the malware would be so aggressive that it would corrupt files, so even if the victim paid and they got the decryption key, the file would be corrupted. So, it was quite difficult to make a business case for companies to pay the ransom, Forte said. But threats to publish sensitive stolen data add new pressure.

And even when victims lack good backups making encryption attacks particularly painful some extortionists may still prefer the speed and efficiency of data theft-only attacks, Hofmann said.

Forte noted that while CL0P totally avoided encryption in its attack on MOVEit, many other threat actors have kept it in play. Even extortionists that, too, primarily use data theft as leverage against their victims often still lock up some parts of a victims network, as an opening salvo. The drama of a sudden file encryption and a ransomware splash screen appearing can grab victims attention.

One minute you think youre fine, and then next minute everything is locked, and youve got splash screens on every device, Forte said. That really brings the attention of the board. But definitely the main negotiating chip is the data thats stolen.

Liska has also seen some attackers adopt a new method of denying victims access to their files, creating a dramatic disruption while avoiding the technical complications and hassles of encryption. In these attacks, perpetrators exfiltrate their targets data then secure delete those files. Such a move rewrites the erased files with meaningless data, to prevent victims from being able to recover them. Extortionists can then demand ransom in exchange for sending victims back a copy of that exfiltrated data.

When we talk about taking the data and then secure deleting it, in effect you are actually stealing it at that point, because the data is no longer sitting on their [hard drives] unless it can be restored from backups. That's where I think this is going to go I think we'll see more of that, Liska said.

Of course, as Liska noted, victims might restore data from backups. But extortionists could still threaten to publish it.

In the MOVEit compromise, not even CL0P seemed prepared for how much data it managed to steal.

The hackers appeared to hurry to exploit as many systems as possible with the zero day before a patch could be issued. That meant they were scooping up data without necessarily knowing who it came from. Since then, the hackers have been working to sort through their stores of data, Liska said.

Notably and unusually rather than contact its victims with extortion demands, CL0P instead posted a message on its dark website telling victims to contact it.

They basically said, Hey, if you were one of the victims, email us, Liska said. They didn't even have a good accounting of who all they hit.

Organizations should take the threat seriously but shouldnt rush to comply, Hofmann said. Past incidents have seen some threat actors only discover who theyd hit when the victims got in touch, and victims that begin negotiations without a clear plan in place risk making the situation worse for themselves. They draw threat actors attention and might make mistakes, such as inadvertently revealing how badly attacks have affected them, thus handing leverage to the extortionists. In general, victims should never reveal anything that isnt already public knowledge, he said.

And victims should be wary of believing threat actors claims: Sometimes extortionists mistakenly think theyve impacted an organization, when theyve really hit another with a similar-looking website or one of the organizations subsidiaries, Hofmann said. CL0P may have made such mistakes, with ZDNET reporting in 2022 that CL0P tried to extort Thames Water, when it appeared to have actually hit South Staffordshire Water.

All this underscores the need for organizations including C-suite executives to participate in practicing and planning incident response and negotiations, to be ready should an extortion attack hit. For example, entities need to pin down details like, how much to tell the public; at what point they might engage with the extortionists and who will do that; as well as who will decide whether to pay and how that transaction will be made.

Despite the messiness of the attack, Liska believes CL0P has been improving its extortion tactics. Tracking of publicly known wallets suggests that the GoAnywhere hack didnt produce a lot of profit, but this time around, CL0P seems to have better determined how to monetize, he said.

CL0P has been gradually revealing its victims. This may in part indicate that its still working to sort through the stolen data, but also can be strategic, Liska said. Each new victim announcement returns public attention to the incident, keeping it in the news for months rather than weeks which may put more pressure on victims. Still, Hofmann said that, unlike for some past incidents, media reporting on MOVEit hasnt been critical of the impacted organizations: The optics of it, from a public perspective, are a little bit different, because many entities were affected via a trusted third-party vendor who was brought in specifically for protecting sensitive data.

Forte said CL0P appeared to struggle at first to determine which entities to extort in the affected software supply chain. Theyd compromised a file transfer tool created by Progress, and doing so let them obtain data handled by U.K. payroll solutions provider Zellis, for example. That data included payroll information on Zellis own clients, such as the BBC and British Airways.

There was a lot of confusion in the early days as to whether they were asking the actual end victims i.e., the BBC, British Airways, etc. or whether they were asking Zellis, or whether they were asking the company behind the MOVEit software, Forte said. The problem they had was that they didn't realize the complexity of the supply chain that they were hitting.

When choosing which impacted entities to threaten, cyber extortionists are often playing for media attention, Liska said. They typically threaten publish data from whichever impacted entities within the supply chain have the biggest name recognition. Threatening widely recognized end users will get more publicity, even if it technically was another entity's software that was compromised.

It doesnt matter whether or not they actually hit Ernst & Young or PwC. What matters is there's EY and PwC data that they got there, Liska said. You have to write about that as a journalist, because they are such big companies and they [cyber extortionists] know that.

CL0P said it would delete any data it had stolen from government, per TechCrunch. Opinions vary over whether organizations can believe these kinds of claims.

On the one hand, cyber criminals have a brand to protect, and some ransomware groups have followed through on promises to help restore data stolen from hospitals, for example, Forte said.

Victims have little motive to pay criminals who are known to go back on their word: The ransomware groups in general tend to be quite honorable to their word. They need to do that because they have to maintain a good brand image to get insurers, etc., to pay them when they hit other companies.

Plus, ransomware actors may hope that deleting data from entities like governments and hospitals could make them less of a priority for federal law enforcement. They also may hope it helps their image so they dont look quite so evil, she said.

Liska, meanwhile, said cyber criminals often give lip service to deleting the data in hopes of easing authorities attention on them, but he expects CL0P to still share or sell the government data.

You should never assume a ransomware actor is actually going to delete stolen data they will claim it up and down [but] once that data is stolen, that is out there and you have to assume that its going to be out there forever, Liska said.

One possible buyer? The Russian government. There appears to be some evidence suggesting a level of coordination between some cyber crime groups and the Russian government, which could enable gangs like CL0P to make such a sale, Liska said. But he cautioned against overstating this relationship, emphasizing the unavailability of evidence to indicate the Russian government is controlling the cyber criminals.

View original post here:
Cyber Extortion Trends: Lessons from CL0P and MOVEit - Government Technology