Cloud Hosting

SSL/TLS Encryption: How Its Changing the Landscape of Online Security

In todays digital age, the importance of online security cannot be overstated. As more and more sensitive information is stored and transmitted online, the need for robust security measures to protect this data has become paramount. One of the most effective ways to secure online communications is through the use of SSL/TLS encryption. This technology has been instrumental in changing the landscape of online security, providing a reliable and secure means of ensuring the privacy and integrity of data transmitted over the internet.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide secure communication over a computer network. They work by encrypting the data that is transmitted between a client (such as a web browser) and a server (such as a website), ensuring that any information exchanged between the two parties remains private and secure. This is particularly important when dealing with sensitive information such as financial transactions, personal data, and login credentials.

One of the most significant ways in which SSL/TLS encryption has changed the landscape of online security is by providing a universally recognized standard for secure communication. Websites that utilize SSL/TLS encryption are easily identifiable by the presence of a padlock icon in the address bar of the browser, as well as the use of https:// in the URL. This visual cue provides users with a clear indication that their connection to the website is secure, and that any data they transmit will be protected.

Furthermore, SSL/TLS encryption has become a requirement for many online services and platforms. For example, major search engines such as Google now prioritize websites that utilize SSL/TLS encryption in their search results, effectively incentivizing website owners to adopt this technology. Additionally, popular web browsers such as Chrome and Firefox have begun to flag websites that do not utilize SSL/TLS encryption as not secure, further emphasizing the importance of adopting this technology to maintain user trust and confidence.

Another significant impact of SSL/TLS encryption on the landscape of online security is the increased adoption of HTTPS (Hypertext Transfer Protocol Secure) as the default protocol for web communication. HTTPS is essentially an extension of the standard HTTP protocol, with the added layer of SSL/TLS encryption to ensure secure communication. This shift towards HTTPS as the default protocol has led to a more secure web browsing experience for users, as well as a reduction in the risk of cyberattacks such as man-in-the-middle attacks and eavesdropping.

Moreover, SSL/TLS encryption has also played a crucial role in the growth of e-commerce and online banking. The ability to securely transmit sensitive information such as credit card numbers and bank account details has been a key factor in the widespread adoption of online shopping and banking services. Consumers can now confidently conduct financial transactions online, knowing that their data is protected by robust encryption technology.

In conclusion, SSL/TLS encryption has had a profound impact on the landscape of online security. By providing a universally recognized standard for secure communication, incentivizing website owners to adopt this technology, and facilitating the growth of e-commerce and online banking, SSL/TLS encryption has become an indispensable tool in the ongoing battle to protect sensitive information and maintain user trust in the digital age. As cyber threats continue to evolve and become more sophisticated, the importance of robust encryption technologies such as SSL/TLS will only continue to grow, ensuring that the internet remains a safe and secure environment for users around the world.

Read the original:
SSL/TLS Encryption: How It's Changing the Landscape of Online ... - CityLife

The actual number of chat messages sent each day is hard to come by, but with WhatsApp alone accounting for billions of users, you can imagine the sheer volume of ongoing conversations.

Not all of those messages involve anything particularly sensitive or private, but a lot of them doand you dont want those chats to be seen by anyone other than the intended recipients.

Good messaging hygiene might involve changing apps or tweaking a setting, but its important that you dont neglect it. These five recommendations can get you started.

Switch to End-to-End Encryption

When instant messenger chats are end-to-end encrypted, theyre essentially turned into impenetrable blocks of data. Only the devices of the person (or people) youre chatting with have the codes to unlock that data, which ensures no one else can read your messages while theyre in transit.

Not even the developers behind the software youre using can unlock that data, so if an unscrupulous employee wanted to take a peek at your chats, they wouldnt be able to. If law enforcement requested copies of the conversations, there wouldnt be anything useful to hand over to them.

Some instant messengers use end-to-end encryption, but not all of them do. End-to-end encryption is deployed by default for Signal, WhatsApp (for personal chats,) iMessage, and Google Messages (with RCS enabled.) Its also available as an option on Facebook Messenger and Telegram. If youre using anything else, check the providers policies and consider switching to something more secure.

Facebook Messenger lets you set messages to disappear.

Turn On Disappearing Messages

We mentioned that Facebook Messenger has the option of end-to-end encryption: To enable it, you need to make a conversation secret by tapping the info (i) button at the top of a chat in the mobile app, then choosing Go to secret conversation.

Once youre in that secret conversation, another feature becomes available: Disappearing messages. Tap the info button again and pick Disappearing messages, then choose how long messages should stick around after being read. This way of tidying up after yourself protects you against someone reading through your chats if they gain access to them or physical access to your device.

Facebook Messenger isnt the only app that offers this functionality: You can also find disappearing messages in WhatsApp, Signal, and Telegram, among others. On iPhones, you can delete older conversations in the Messages app after choosing Messages and Keep Messages from Settings.

Lock Individual Conversations

To avoid an unwelcome visitor gaining access to your phone and all of your chats, one of the best things you can do is lock some or all of those chats behind a passcode or other locklike the protection on your phones lock screen.

WhatsApp makes this simple. You can lock the entire app via the Privacy menu in the app settings, or you can lock individual chats: Open the chat, tap the conversation name at the top of the screen, and then pick Chat lock. The options here will depend on the options on your phone (such as fingerprint lock and face recognition).

See more here:
5 Ways to Make Your Instant Messaging More Secure - WIRED

A ransomware gang known as Cl0p has found and exploited vulnerabilities in several file-transfer tools, including Fortras GoAnywhere, Accellions file transfer appliance (FTA), and Progress Softwares MOVEit. Though known as a ransomware group, they seem to be skipping the part where they encrypt the victims data and are simply extorting based on releasing the sensitive data to the public. Cl0p has claimed to compromise over 130 organizations, including governments, universities, healthcare, airlines, media, and financial institutions1. This list could be even worse, given many of the breached organizations are vendors. For example, one primary victim using MOVEit was Zellis, a human resources software maker, whose breach included payroll data for British Airways2. Another example is Guidehouse, which uses Accellions FTA and is a vendor for Morgan Stanley, the investment banking firm. Morgan Stanley has confirmed that documents with customers personally identifiable information (PII) were stolen3 due to a breach related to Guidehouse.

Security Measures Bypassed

One thing that stands out in these attacks is how several traditional security measures had to fail for the data to be stolen.

1) Unnecessary exposure to the Internet

Though the vulnerabilities of the three file-transfer vendors vary in the details, they are all remote execution bugs that should have been mitigated by avoiding exposure to the internet. However, researchers were able to use Shodan (a free internet search tool that can find publicly exposed databases and servers) to find thousands of MOVEit2 and GoAnywhere4 servers that were exposed to the internet. There is a constant stream of news about compromised servers, databases, and object stores (like AWS S3 buckets) that victims had assumed did not have internet access. While numerous security posture management tools are coming to the market to identify vulnerabilities such as this, they dont fix or address the vulnerability (its the companys responsibility to do that).

2) Keep all software fully patched

Another common security measure is to keep all software fully patched. This is absolutely required, however, when vulnerabilities are newly discovered (known as zero-day vulnerabilities) there is often no patch available. In the cases of MOVEit (CVE-2023-34362) and GoAnywhere (CVE-2023-0669) the first number of the CVE is 2023, meaning they were just reported in 2023. The Cl0p gang discovered the vulnerability and exploited it before the vendors could create a patch. The same cant be said for the Accellion vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) that have been known since at least 2021 and CISA even listed them in the Top Routinely Exploited Vulnerabilities of 20215.

3) Stop using unsupported software

Accellion FTA brings up another missed security measure and that is to not use unsupported software. Accellion FTA is a 20-year old product that went end-of-life April 30, 2021 and replaced by modern and more secure platform, Kiteworks6.

4) Key management, where and how the data is encrypted

In the Morgan Stanley case mentioned above, the stolen data was encrypted, but the decryption keys were stolen as well. It is important to ensure the encrypted data is kept separate from the keys.

5) Protect data when its accessed (data in use), as well as data at rest and data in motion

Finally, all of these file-transfer tools encrypt the data in-motion (as it is being transferred) using TLS/SSL or SFTP protocols. However, the data is not being stolen while it is moving over the internet, rather the tools themselves are used to pull data from the source, where it is usually not encrypted. Even if the data is encrypted in a database or object store using transparent data encryption (TDE) or full disk encryption (FDE), this only protects against the hard drives being physically stolen and doesnt help with remote attacks.

Baffles Solution

Baffle Data Protection Services for Object Stores provides the ability to encrypt files from any S3, Azure blob storage, SFTP or HTTPS source to any other destination using the same protocols. Entire files, elements of files (CSV, JSON, XML), or regex matches of text files can be encrypted using traditional AES encryption or format preserving encryption. Every tenant (user or service account) may be assigned their own keys for further data isolation.

Figure 1. Baffle for Encryption of data-at-rest/ingestion

Another instance of Baffle is deployed at the receiving end of the file transfers to protect the data to the point of use (figure 2). To keep the encryption keys separated from the data, Baffle implements envelope encryption and therefore never has access to the key encryption keys (KEK). The KEKs in-turn are kept by a customer-managed key management service (KMS) and ultimately on a hardware security module (HSM) to protect from physical and remote attacks. Role-based access controls for each Baffle instance ensure decryption according to each users need to know. By encrypting the data from end-to-end, (data-at-rest, through the pipeline, and to the final user), the sensitive information is protected even if the database or file transfer tool is compromised.

Figure 2. Baffle for Encryption until the data is used

Conclusion

Defense-in-depth is a concept that has been around for a long time, but this incident is a reminder that it is still relevant today. While all the other security measures are important, if end-to-end encryption is implemented and the hackers still manage to get the files, they are worthless. From PCI-DSS to GDPR, strong encryption and key management is recognized by all the major security and privacy standards for protecting data even when the ciphertext is accessed. This is the value of data-centric protection and it virtually eliminates the impact of data breaches.

Learn More

To see a demo of data masking and discuss your data protection concerns, please schedule meeting with Baffle.

References:

1New victims come forward after mass-ransomware attack | TechCrunch2Microsoft says Cl0p ransomware gang is behind MOVEit mass-hacks, as first victims come forward | TechCrunch3The Accellion data breach continues to get messier | TechCrunch4The GoAnywhere data breach explained | ITPro5Top Routinely Exploited Vulnerabilities | CISA

The post A look into the file-transfer attack (and how to protect your data) appeared first on Baffle.

*** This is a Security Bloggers Network syndicated blog from Baffle authored by Billy VanCannon, Director of Product Management. Read the original post at: https://baffle.io/blog/a-look-into-the-file-transfer-attack-and-how-to-protect-your-data/

Go here to see the original:
A look into the file-transfer attack (and how to protect your data) - Security Boulevard

From Silverman v. Ariz. Health Care Cost Containment Sys., decided Thursday by the Arizona Court of Appeals (in an opinion by Chief Judge Kent E. Cattani, joined by Judge Cynthia J. Bailey and Vice Chief Judge David B. Gass):

This public records case presents a narrow issue of potentially broad import. Arizona law does not require a public entity to create any new record in response to a public records request. But does using encryption to redact non-disclosable information stored in an electronic database necessarily constitute creation of a new record? We hold that it does not.

This concept is particularly important in a case like this one, in which the public entity uses non-disclosable data as a critical part of its database structure (as the relational keys linking different tables). Thus, requiring the agency to use a one-way cryptographic hash function to redact the non-disclosable datasubstituting a unique hashed value that masks protected information without destroying its function in the databaseis necessary to ensure a requestor receives, to the extent possible, a copy of the real record.

And because such encryption only hides a limited aspect of the recordwithout adding to, aggregating, analyzing, or changing any of the underlying informationit does not create anything new and does not result in the creation of a new record. Accordingly, and for reasons that follow, we reverse the superior court's dismissal of the journalists' public records lawsuit at issue here and remand for further proceedings consistent with this opinion.

The Arizona Health Care Cost Containment System("AHCCCS") oversees the Arizona Long-Term Care System("ALTCS"). Appellants Amy Silverman, Alex Devoid, and TNI Partners (d/b/a Arizona Daily Star) are journalists researching issues related to services for Arizonans with developmental disabilities, including those services provided by ALTCS. Appellants are seeking public records from AHCCCS to learn what factors affect eligibility decisions during the ALTCS application and screening process.

In February 2020, Appellants submitted a public records request for data in AHCCCS's databases for multiple categories of information provided in or related to ALTCS applications. Appellants acknowledged that healthcare-related information would have to be de-identified to comply with privacy rules under the Health Insurance Portability and Accountability Act ("HIPAA"). Noting that the requested data might be contained in multiple tables, Appellants requested that, for de-identified data, AHCCCS "include a unique identifier, such as a hash key, to replace" information necessary to distinguish different individuals' records. Appellants' request expressly did not ask AHCCCS to "join tables together or to conduct any type of analysis on the data," provided any existing relational keys remained intact.

Appellants eventually sued under the Arizona public records act, and here's how the court of appeals analyzed this:

Under Arizona law, "[p]ublic records and other matters in the custody of any officer shall be open to inspection by any person at all times during office hours." This statutory mandate reflects Arizona's strong presumption in favor of open government and disclosure of public documents. Public policy favors subjecting agency action "to the light of public scrutiny" and ensuring that citizens are "informed about what their government is up to."

A requestor is generally entitled to review a copy of the "real record," even one maintained in an electronic format, subject to redactions necessary to protect against risks to privacy, confidentiality, or the best interests of the state. Thus, upon request, a public entity must search its electronic databases to identify and produce responsive records. But the entity need not tally, compile, analyze, or otherwise provide information about the information contained in existing public records, which would in effect create a new record in response to the request. Nor is the entity required to compile the data in a form more useful to a requestor.

Using a one-way cryptographic hash function to substitute a unique hashed value for protected information does not add to or change any of the underlying information (much less aggregate or analyze the data); it just hides a limited aspect of it. Redaction-by-encryption does not create anything new, but rather represents a better-tailored redaction process that eliminates only information that is in fact protected.

We acknowledge that redaction-by-encryption is different than traditional redaction-by-deletion (or redaction-by-obscuring-text-behind-a-black-box), and it may only be feasible in the context of electronically stored records. But when public records are stored in that format, differences occasioned by newer forms of data storage may call for differences in how the data is disclosed. For example, embedded metadata is an inherent part of a public record maintained in an electronic format, even though such metadata was nonexistent and effectively meaningless for the same record stored on paper. Accordingly, applying redaction-by-encryption as a more tailored form of redaction (even if made possible only by electronic storage) serves to ensure that the requestor receives access to the "real record" to the greatest extent possible.

The most analogous authority construing the federal Freedom of Information Act ("FOIA") bears this out. [Details omitted. -EV]

We note that redaction-by-encryption does not entitle Appellants to anything more than the public record as it actually exists.

Accordingly, to the extent the tables and fields in the existing databases (pre-redaction) are not in fact linkedand the record is not clear on that issueAHCCCS is not required to create new links to serve Appellants' purposes. But to the extent the links exist pre-redaction, all Appellants' complaint seeks, and what they are potentially entitled to, is preservation of those links that form part of the "real record."

To be sure, the journalists' request may ultimately prove unduly burdensome given the scale of data involved, and redaction (by encryption and otherwise) may ultimately prove insufficient to adequately anonymize the data given the type of data requested. But those questions require evidentiary development and must be considered on their facts, not as questions of law.

Plaintiffs are represented by Arizona State's First Amendment Clinic, and in particular by attorneys Jake Karr (who orally argued the case, and who's now at the NYU Technology Law & Policy Clinic), Gregg P. Leslie, and Zachary R. Cormier, and law students Jack Prew-Estes, Jake Nelson, Maria McCabe, and Vanessa Stockwill.

Read more from the original source:
Interesting Public Records Act Case - Reason