Tag: backdoors

29 Aug 2016

War on Encryption

Governments, and specifically their law enforcement, see encryption apps as potential barriers in investigations. We all remember the infamous Apple and FBI case, where the FBI wanted Apple to break their own security. Similarly, by weakening encryption in apps like Facebook’s WhatsApp and Apple’s iMessage, governments look to gain golden surveillance keys, with the privacy rights of the average person to be expectedly disregarded.

Jacob Ginsberg, senior director at Echoworx, argues that ” If you look inside all houses, you will catch more criminals, but is this going too far? We also have to consider how this places the majority of law-abiding citizens at risk.”

article_will

Read the full article here

The need to provide personal security to people is as crucial as providing physical security. The demands to weaken encryption merely add to the already uphill battle CISOs are facing! Recently, Avivah Litan, a Gartner analyst was quoted saying, “Companies are worse off by 100% [with cybersecurity] in comparison to ten years ago because the world is more complicated now.” That explains the fact that 16 billion USD were stolen from 12.7 million identity fraud victims last year.

The average cost of addressing a data breach tops 3.8 million USD. The cost of a data breach varies by industry. The average cost of a data breach per lost or stolen record globally is 154 USD. However, if a healthcare organization has a breach, the average cost could be as high as 363 USD. Further, a data breach due to human error or negligence costs 137 USD per record.

Echoworx believes in strong cyber security, preserving privacy rights, and the expectation of secure digital communication. Its email encryption software, OneWorld helps corporations from all industries to secure information and communication in and outside of their enterprise. To know more about strong email encryption, the risks associated with weakened encryption,  and why it is a must for your company:

  • Download our REPORT  | How Much Do You Trust Email?
  • Download our DATA SHEET  | OneWorld Enterprise Encryption

By Will Nathan, Enterprise Account Executive, Echoworx

27 May 2016

First the IP Bill, Then What?

In the face of democratic debate, against all the clamoring voices of human rights organizations, global tech firms such as Facebook and Google, lawyers, journalists, and a host of academics; it seems that with regrettable flippancy, the Investigatory Powers Bill will be passed later this year.

The UK government’s plan for mass surveillance opens the door to indiscriminate and intrusive ‘snooping’. Furthermore, the provisions set out by Teresa May could undermine almost all cybersecurity and encryption measures currently in place. These two powerful and cogent arguments have been meekly put forward in parliament, and have now seemingly been rejected by the UK government.

The human rights impact of the Bill on British people will be huge, but very little has been made of the global and economic ramifications. The Bill, while costing the country billions in lost business, could also legitimize similarly heavy-handed practices in other states.

The UK government has shown that even in one of the most technologically developed countries, that privacy can be eroded by circling democratic process. The message from the UK is clear – it’s acceptable to pass ambiguous ‘snooping’ laws with very little backing. This sets a dangerous precedent and creates a genuine risk that other countries will adopt a similar approach of using a general lack of understanding and capitalizing on fear to push through laws which destroy user privacy.

Other major states are already considering similar moves. France’s parliamentarians recently reformed a penal bill that would punish companies if they refused to provide decrypted versions of messages their products have encrypted. For now, the French government has rejected encryption backdoors as ‘the wrong solution’, but the debate is at tipping point.

After WhatsApp announced it would push encryption further into everyday life, it immediately fell into hot water in Brazil for not storing messages demanded by the country’s courts. After various delays, Google has also moved to default encryption in the most recent release of Android, while Amazon has backtracked, promising that encryption will make a return on its newest Fire operating system. Most infamously, the FBI vs. Apple debate has rolled and rolled, and finally seems to have come to an inconclusive stop.

What is clear is that across the globe there is fast becoming a divide – governments vs. technology companies. The UK has set the precedent: simply pass draconian surveillance laws, and the problem is solved.

The global implications are huge, but the Bill will also cost taxpayers in two tangible ways. The government estimates that implementing the Bill will cost £174m, while experts suggest the figure will be well over £1 billion. These figures are based on a similar scheme that was rejected on cost grounds in Denmark, and have been scaled up proportionally for the UK.

Far larger, however, is the economic cost when companies flee Britain’s shores when the Bill passes. Companies are concerned that the proposed Bill will introduce state security into the heart of day-to-day operations, and will therefore move headquarters further afield. The UK’s data storage/hosting market would be crippled and the country could lose over £10 billion worth of business almost overnight.

The Bill hardly instills any confidence, especially while the implementation and ramifications barely seem to have been considered. A war over encryption is likely to rage, and its impact on the digital economy and day-to-day lives cannot be overstated.

By Jacob Ginsberg, Senior Director, Echoworx

This article originally appeared in Info Security Magazine

07 Apr 2016

The Apple hack: A problem specifically engineered to protect us

The FBI got around ordering Apple to cooperate in breaking its own security, but when the next case arises, and it will, should the company refuse to help, the outcome will have far reaching implications.

Regardless of the fact that the FBI found a way around ordering Apple to assist the FBI in cracking the password on an iPhone used by a shooting suspect in the San Bernardino murders, the central issue was not resolved and there are some pretty compelling reasons why Apple, and others who find themselves in a similar situation, should just say no to such orders.

The heart of the problem is this: The issue is not about this phone in this situation. What could have happened if Apple had complied would potentially have affected every phone (and every device) in every situation.

Companies like Apple take security seriously. They’ve had to, for many reasons. The new reality is that mobile devices such as phones, laptops and tablets are not just personal anymore. They’re our address book, our calendar, our diary, our email tool, all rolled into one. At the same time, they have also become business devices.

With the rise in bring your own device (BYOD) policies and Mobile Device Management (MDM) solutions, companies are in essence saying: “It’s OK to use your own device to transmit, open and work on sometimes sensitive company documents—as long as they are secure,” as mandated by legislation such as HIIPA and Sarbanes-Oxley. Companies do this because they trust the inherent security features in your device and, thanks to changes Apple made to their software after the Snowden incident, the data on their devices was considered only accessible to someone who has the device passcode. Apple specifically designed its security so not even they could decrypt it.

The FBI wanted Apple to create a custom iOS that would in essence eliminate or override these safeguards.

On one level, it may seem reasonable, even justified, for the government to make this legal intercept request as it’s for public safety. The problem is the slippery slope it creates. This case may have been relatively clear cut, but what about the next time, and the next? What if custom code had been created and then gets in the wrong hands? The even greater issue here is the fact that, once created, this passcode workaround can be compelled time and time again. Few expect that this will be the last time that Celllebrite are called upon to access an iPhone’s data – and not just by the FBI.

The request created a powerful precedent on a government’s right to encroach on its citizens’ privacy and companies’ right to create secure software. It is not difficult to foresee a time in the near future where authorities could compel technology companies like Apple to deploy software over-the-air (OTA) that would share the location, audio and video of their customers’ devices. Legislation is already rearing its head in the United States and UK on data privacy, and it’s causing some businesses to consider things like jurisdictional advantage as part of their core business strategies. More legislation isn’t necessarily the answer as society as a whole wants information to be more secure.

The implications are far reaching. Having a backdoor built or leaving the ‘key under the mat’ undermines businesses and the security of transactions, whether they be business related or personal. It impacts just about every type of business in every Western economy. And it also means that governments are clearly failing to see the importance of personal security, and that has significant impact for both business and society.

So, what does this case mean for the future of data and data security? If Apple or any other organisation is forced to provide a backdoor then companies will be forced to re-engineer future versions of their product, making them less secure. Apple has already moved in the other direction with the introduction of Secure Enclave in A7 devices. Secure Enclave isolates security safeguards from the iOS thus making it even harder to access encrypted data or deploy brute force access attacks, yet still not impossible. Nothing being discussed in this case would have protected the journalist that talked about his own feelings of violation when his email was hacked while using free Wi-Fi on an airplane recently.

The industry was closely watching the Apple case because of the precedent it was expected to set on several fronts. The general feeling was, if this can happen to Apple, it can happen to any company. It’s a fine line between protecting people’s physical security while compromising their personal security. Apple was doing this for all of us – taking a stand that our private data should remain so.

As it turned out, this was not the precedent-making case we expected, but it will come, where a company says no to backdoors, and cannot be hacked, but is being legally compelled by the government to cooperate, and the ramifications of such a case will be felt for years to come, regardless of outcome.

By Chris Peel, Vice President Engineering, Echoworx

This article originally appeared in SC Magazine