Flaws in Popular Self-Encrypting SSDs Let Attackers Decrypt Data

By: Swati Khandelwal

We all have something to hide, something to protect. But if you are also relying on self-encrypting drives for that, then you should read this news carefully.

Security researchers have discovered multiple critical vulnerabilities in some popular self-encrypting solid state drives (SSDs) that could allow an attacker to bypass the disk encryption and recover protected data without knowing the password for the disk.

The researchers—Carlo Meijer and Bernard van Gastel—at Radboud University in the Netherlands reverse engineered the firmware of several SSDs that offer hardware full-disk encryption, identified several issues, and detailed their findings in a new paper (PDF) published Monday.

“The analysis uncovers a pattern of critical issues across vendors. For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys,” the researchers say.

The duo successfully tested their attack against three Crucial SSD models—Crucial MX100, MX200, and MX300—and four Samsung SSDs—840 EVO, 850 EVO, T3 Portable, and T5 Portable—and found at least one critical flaw that breaks the encryption scheme. But the researchers warned that many other SSDs may also be at risk.

The vulnerabilities stem from improper implementations of ATA Security and TCG Opal, two specifications for hardware-based encryption on SSDs.

More: https://thehackernews.com/2018/11/self-encrypting-ssd-hacking.html

For Financial Services, Encryption is Essential – But So Is Performance

By: Aamir Lakhani

The financial services industry is one of those hit hardest by the heightened expectations of consumers to access information, receive help, and conduct transactions anywhere and at any time via their mobile devices. By 2025, Millennials are expected to generate 46 percent of all U.S. income, and yet over a fifth of them have never written a physical check to pay a bill. Instead, 38 percent use apps and mobile tools to make bill payments, and 71 percent consider their banking relationship to be transactional rather than relationship-driven.

In addition, more than one-quarter (27 percent) of Millennials are completely reliant on a mobile banking app. In fact, they are 1.3 times more likely than Gen-Xers and 2 times more likely than Baby Boomers to rely on a mobile banking app for regular banking activities.

For financial firms, the ability to offer such services represents a competitive advantage, with 75 percent of banks making investments to create and improve a customer-centric digital business model. Aside from benefitting consumers, greater accessibility to data on various devices and applications can also improve employee efficiency, meeting the common request for more open networks.

Personal Data at Greater Risk

This shift to online consumer banking has led to increasing data traffic volumes as more users rely on applications and endpoints to interact with their personal data. Addressing this growing volume of traffic has led many financial institutions to adopt cloud, and increasingly multi-cloud, environments, which means that personally identifiable information (PII) now regularly travels across different network domains.

While this increases the accessibility of data for consumers, thereby making financial services firms more competitive, it also means that their data spans a larger potential attack surface, making it more susceptible to cyberattacks. As these attacks become more sophisticated, leveraging artificial intelligence and automation to more effectively detect and exploit vulnerabilities, financial services firms not only need to engage in digital transformation but to also do so securely – protecting the private data of consumers.

Greater Interest in Encryption

Regulators are taking a close look at financial services firms to ensure they are implementing the security controls necessary to keep user data private. One of the core security features being required by these bodies is encryption. Encryption refers to converting plaintext into ciphertext that can only be read by someone holding the decryption key. This ensures that data in motion across the network and the web, as well as data at rest in the cloud or data center, cannot be read by anyone without the key – even if the data is stolen – adding a strong layer of security.

Encryption for financial services firms is being recommended today by several regulatory guidelines, including the Federal Financial Institutions Examination Council (FFIEC) and the new General Data Protection Regulation (GDPR).

More: https://www.csoonline.com/article/3284351/security/for-financial-services-encryption-is-essential-but-so-is-performance.html

Email No Longer a Secure Method of Communication After Critical Flaw Discovered in PGP

By: Matt Novak

If you use PGP or S/MIME for email encryption you should immediately disable it in your email client. Researchers have discovered a critical vulnerability they’re calling EFAIL that exposes the encrypted emails in plaintext, even for messages sent in the past.

“Email is no longer a secure communication medium,” Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, told the German news outlet Süddeutsche Zeitung.

The vulnerability was first reported by the Electronic Frontier Foundation (EFF) in the early hours of Monday morning, and details were released prematurely just before 6am ET today after Süddeutsche Zeitung broke a news embargo. The group of European researchers is warning people to stop using PGP entirely and says that “there are currently no reliable fixes for the vulnerability.”

From the researchers:

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

More: https://gizmodo-com.cdn.ampproject.org/c/s/gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682/amp

The 9 most exciting phones and gadgets from MWC 2018

By: JEFFREY VAN CAMP

Every spring, the smartphone world revolves around Mobile World Congress. Exhibitors and attendees from more than 200 countries congregate in the halls of the Fira Gran Via in Barcelona, Spain, debuting the latest in mobile tech. MWC is the largest mobile trade show on Earth. We’ve surveyed the announcements from every major tech company at the show this week. Here are the highlights.
01 Samsung Galaxy S9 (price: $720)
With the Galaxy S9, Samsung is doubling down on its winning formula. The new GS9 and S9+ have all the features Galaxy phones are known for, plus a few additions. Samsung moved the fingerprint sensor away from the camera so you won’t smudge the lens anymore, and photo performance in low light is improved thanks to the camera’s variable-aperture system. You also get Apple-inspired animated emoji and a new DeX dock that turns the phone into a desktop PC. Ships March 16 for $720. Choose the unlocked option. And did we mention it comes in Lilac Purple?

02 Nokia 8110 4G
Remember that phone from The Matrix where the receiver panel slid out to reveal the number pad? Take the blue pill because it’s back, courtesy of HMD Global, which now makes Nokia phones. The new Nokia 8110 comes shaped and colored like a banana too. The battery lasts over three weeks, but if you’re hoping for Android apps, look elsewhere. This is a standard old-school feature phone with its own download store—and, in true retro fashion, it comes with a copy of Snake.

03 Huawei MateBook X Pro
Just when you think there are no new capabilities to squeeze out of laptops, Huawei pushes the envelope. The new MateBook X Pro has a remarkable 14-inch 3,000 x 2,000 pixel touchscreen with such small bezels that it fits into a standard 12-inch notebook chassis. Huawei claims this ultraportable has the highest screen-to-body ratio of any laptop in the world. It’s also loaded with the latest Intel 8th Generation Core chips, an Nvidia GeForce MX150 graphics card, four Dolby Atmos-approved speakers, a fingerprint sensor, and 12-plus hours of battery life. The coolest detail: a webcam pops out of one of the function keys on the keyboard like the headlights on an old Corvette.

08 SikurPhone
Usually, a new phone at MWC will boast a fancy new screen or camera, but the SikurPhone’s sales pitch is strong security and data encryption. Sikur claims that the SikurPhone is “hack-proof” and that its bespoke wallet app is the perfect way to keep your cryptocurrencies safe. It’s an Android phone with encryption plastered all over it, and a custom app store that only includes vetted apps. To back its claims, the company hired bug bounty hunters HackerOne to try to crack the phone. So far, the experts have failed. Sikur is asking $850 for the device, but that price includes peace of mind.

Comey says encryption stymies law enforcement, calls for ‘hard conversation’

By: sikur

FBI Director James Comey, who’s drawn criticism from both the left and the right for his handling of the Hillary Clinton email server investigation and a steady stream of national security leaks, bemoaned the obstacles to law enforcement thrown up by encryption and said that Americans can’t expect “absolute privacy.”

“It is making more and more of the room of what the FBI investigates dark,” Comey said at a cybersecurity conference at Boston College Wednesday, the Boston Globe reported, though he maintained that he supported “strong encryption.”

More: https://www.scmagazine.com/comey-says-encryption-stymies-law-enforcement-calls-for-hard-conversation/article/642915/
