Home Tags Confidentiality

Tag: Confidentiality

The P1735 IEEE standard describes methods for encrypting electronic-design intellectual property(IP),as well as the management of access rights for such IP.

The methods are flawed and,in the most egregious cases,enable attack vectors that allow recovery of the entire underlying plaintext IP.
Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key,among other impacts.
Wi-Fi Protected Access(WPA,more commonly WPA2)handshake traffic can be manipulated to induce nonce and session key reuse,resulting in key reinstallation by a wireless access point(AP)or client.

An attacker within range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocols being used.

Attacks may include arbitrary packet decryption and injection,TCP connection hijacking,HTTP content injection,or the replay of unicast and group-addressed frames.

These vulnerabilities are referred to as Key Reinstallation Attacks orKRACKattacks.
A vulnerability in the Cisco FindIT Network Discovery Utility could allow an authenticated, local attacker to perform a DLL preloading attack, potentially causing a partial impact to device availability, confidentiality, and integrity. The vulnera...
Tesla says the allegations are "without merit."
A vulnerability in the web-based management interface of the Cisconbsp;Smart Net Total Carenbsp;(SNTC) Contracts Details Page could allow an authenticated, remote attacker to perform a read-only, blind SQL injection attack, which...
Sodium bicarbonate is used in a variety of treatments but is inexplicably scarce.
Security threats are constantly evolving, but as Verizon's latest DBIR (Data Breach Investigations Report) shows, the more things change in information security, the more they stay the same.More than half (51 percent) of the data breaches analyzed i...
Confide: "The accusations set forth in the complaint are unfounded and without merit."
Wikileaks’ CIA dump is the biggest secret cache released so far.
It’s embarrassing to the CIA.
It undermines our intelligence efforts.

And it didn’t need to happen. The sad fact is that the world’s computers are not configured securely enough to match the confidentiality of the data they are protecting.

As a society we allow our computers to languish in a state that almost invites attackers to access them—even at the CIA, apparently.[ Watch out for 11 signs you’ve been hacked—and learn how to fight back, in InfoWorld’s PDF special report. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ] That may finally be changing, though remediation has been slow to roll out.
In my view, the tipping point was the Sony hack, which was so embarrassing and costly that it scared execs in a way that the Target, Home Depot, and Office of Management and Budget hacks did not.To read this article in full or to leave a comment, please click here
Independent assessment of SOC 2 Type 2 compliance demonstrates vendor’s continued commitment to protecting customers and their data securityLONDON, February 21, 2017 – NewVoiceMedia, a leading global provider of inside sales and contact centre technology that helps businesses sell more, serve better and grow faster, has successfully completed a Service Organisation Controls (SOC) 2 Type 2 examination based on the trust principles of security, availability and confidentiality.

Accountancy firm PricewaterhouseCoopers (PwC) performed a rigorous audit... Source: RealWire
There are generally accepted principles that developers of all secure operating systems strive to apply, but there can be completely different approaches to implementing these principles.
Another shot at spook-proofing e-mail It's taken longer than first expected, but the first fruits of Lavabit founder Ladar Levison's Dark Mail Technical Alliance have landed with the relaunch of the encrypted mail service he closed in 2013. After shuttering Lavabit, Levison joined hands with Silent Circle to form the DMTA and promised Lavabit would flow again in 2014. In 2015, Levison posted a GitHub repository putting forward a protocol to support fully “dark” e-mail: the Dark Internet Mail Environment, or DIME, which has “multiple layers of key management and multiple layers of message encryption”. The Libdime implementation offered both libraries and command line utilities, which is, after all, doing it the hard way: Lavabit Mark II puts that in the hands of users with the also-open-source Magma Webmail server implementation. The Lavabit mail server, Magma first appeared on GitHub in 2016. Levison writes “DIME provides multiple modes of security (Trustful, Cautious, & Paranoid) and is radically different from any other encrypted platform, solving security problems others neglect.

DIME is the only automated, federated, encryption standard designed to work with different service providers while minimising the leakage of metadata without a centralised authority.

DIME is end-to-end secure, yet flexible enough to allow users to continue using their email without a Ph.D. in cryptology.” So what's in the protocol? Let's look at the specification, published here (PDF). DIME's message flow.
Image: The Dark Mail Technical Alliance You don't get perfect security while you've still got wetware involved.

The DIME document notes that if a user has a weak password or bad endpoint security, all bets are off. Within that constraint, the DMTA says DIME's designed to provide “secure and reliable delivery of email, while providing for message confidentiality, tamper protection, and a dramatic reduction in the leakage of metadata to processing agents encountered along the delivery path”. At the top level, the four components of the system architecture are e-mail clients; privacy processing agents; key stores (with a resolver architecture to retrieve keys, in DIME called “signets”); and the encrypted message objects. To most users, The Register will assume the only new concept here is the privacy processing agent (PPA).

There are two kinds, the organisational PPA, and the user PPA. The Organisation Privacy Agent (OPA) talks to both user e-mail clients and the Internet at large, handling user key management to create “a secure transit channel that hides all information about the message using transport layer security”.
It also “provides access to the envelope information needed for immediate handling.” The User Privacy Agent (UPA) handles user-side crypto functions, and can reside in the user's e-mail client or, in Webmail implementations, on the server. DIME has three modes of operation: Trustful – the user trusts the server to handle privacy; Cautious – the server stores and synchs encrypted data, including encrypted copies of private keys and messages.

Encryption can be carried out inside a user's browser; Paranoid – the server never sees a user's keys.

There's no Webmail, and if you want to use multiple devices, it's up to you to synch them across different keyrings. In technical terms, that means the system has to automate all aspects of key management; encrypt and sign messages without a user having to learn how to run it; and resist manipulation (including, ideally, even if a client is compromised. The layering of encryption, the standard says, is designed to protect messages, even if (for example) a server along the way is compromised. DIME relies on a concept of “signets” for keys: organisational signets, which are keys associated with a domain; and user signets, the key associated with an individual e-mail address. “The basic validation model is to obtain a signet from a credible primary source and then confirm it with another pre-authenticated source.

The two pre-authenticated sources currently available are a management record signed using DNSSEC or a TLS certificate signed by a recognised Certificate Authority (CA).

Both can be cryptographically traced by a signet resolver back to a trusted key that is shipped with the resolver. As well as the Webmail version, Lavabit says it wants to develop clients for Windows, Mac OS and iOS, Linux and Android. ® Sponsored: Customer Identity and Access Management