IBM Security Expert Says Prepare For Quantum

As businesses come to realise that they may be required to store some data for decades, encrypted data should remain secure well beyond its useful life. With this in mind, IBM's security architect for Benelux, Christiane Peters, is suggesting that businesses should start preparing now to implement post-quantum data protection.

Post What?

The suggestion is that, in a relatively short time, quantum computers will be commercially available. One threat from this is that quantum computers in criminal hands could be used to try to crack encrypted business data. For example, in the US, the National Security Agency (NSA) warned back in 2015 that progress in quantum computing was at such a point that organisations should deploy encryption algorithms that can withstand attacks from quantum computers.

The encryption algorithms that can stand up to attacks from quantum computers are known by several names including post-quantum cryptography / quantum-proof cryptography, and quantum-safe / quantum-resistant cryptographic (usually public-key) algorithms.

What’s The Problem?

Ultimately, with technology advancing at such a rapid rate and with organisations needing to keep some data for long periods of time, there is the risk that, even though this sensitive data is stored in secure encrypted formats now, the encryption could be cracked in the not-too-distant future by cyber-criminals with access to commercial supercomputers. Being able to crack encryption would mean that encrypted data is no longer safe once it has been stolen. For example, encrypted data lost or stolen in a breach this year could be accessed in the future. Indeed, it is known that some data is being stolen today with exactly this in mind.

How To Prepare Now For Quantum Computer Risk

Christiane Peters is reported as suggesting that companies could prepare to counter the code-cracking risk posed by cyber-criminals with access to commercially available quantum computers by:

  • Developing / updating crypto policies.
  • Creating an inventory of all systems and applications using cryptography.
  • Classifying data and mapping data flows.
  • Creating an enterprise-specific outlook and timeline for quantum safe crypto.

Developing a Post-Quantum Implementation Strategy

Encryption is just one way to protect data, and combining other capabilities with encryption will improve overall cyber resilience over time. For example, companies could also focus on certificate management, mobile device management, application scanning, data loss prevention, security incident response, access control, data classification and digital forensics.

Personal Data Protection Could Pay Off In The Long Term

Christiane Peters, commenting on the findings of a Ponemon Institute study, has also pointed out that, as well as preparing for the security of cryptography in the post-quantum era, businesses that are able to focus on data protection could, by investing in security and encryption now, reap the benefits in the longer term. For example, the report shows that the average cost saving with extensive use of encryption is $13 per data record.

What Does This Mean For Your Business?

What the experts appear to be saying is that, even though the use of robust, high-assurance encryption technologies may make decrypting protected data impossible in the short term, this may not always be the case. The power of super-computers may mean that, quite soon, criminals will be able to crack encryption codes. In order to ensure that sensitive company data, particularly personal data, is safe in the longer term, companies may want to start looking into ways that they can prepare for quantum-safe data protection standards.

Fatal Security Flaws Discovered in Solid State Drives (SSDs)

Researchers from Radboud University in the Netherlands have released a paper highlighting several security flaws that they've discovered in SSDs, which mean that data on a flash disk can be recovered in more than one way, even if the drive is supposedly self-encrypting.

What Is An SSD?

An SSD is a solid-state storage device that uses integrated circuit assemblies (memory chips on a circuit board with an input/output interface to supply power and transfer data) as memory to store data persistently. Even though it doesn't actually contain a physical disk, it is sometimes called a solid-state disk.

Hardware Encryption Not Better Than Software Encryption

The popular belief is that AES encryption should stop anyone from accessing data on a disk that isn't plugged into its home system (the SSD encrypts itself, controlled through the ATA Security and TCG Opal mechanisms), and that hardware encryption is as good as or better than software encryption. The findings of the research appear to disprove this.

Not Just Cheap Drives Vulnerable

The research looked at top-of-the-range drives, including models by Crucial and Samsung, and found that only the Samsung T3 and T5 (external) drives remained secure; the others were found to have fatal vulnerabilities, some exploitable without any attack on the cryptography itself. Even BitLocker, the encryption Microsoft ships with each copy of Windows, was found to be vulnerable. According to the research, the vulnerabilities are such, across the range of vendors, that determined attackers could access data on many so-called encrypted drives without any keys or passwords.

Vulnerable to a Range of Attack Methods

By reverse-engineering the firmware of a sample of SSDs, the researchers discovered a number of vulnerabilities in self-encrypting SSDs that leave them open to a range of attacks. These include attackers seizing full control of the drive's CPU, corrupting its memory, and exploiting default passwords, thereby bypassing the custom password set by the user.

Example

The researchers provided a case study of how an attacker could try to breach a locked Crucial MX300 drive encrypted via TCG Opal. The case study outlines how an attacker could install modified firmware that adds read/write capabilities and then, where encryption is performed via TCG Opal, write executable code to bypass several layers of security and so reach the stored data.

What Does This Mean For Your Business?

The discovery by the researchers shows that hardware-based encryption is far less secure than businesses may have thought and that hardware-based full-disk encryption may not, in fact, be a more secure alternative to software-based methods. Also, it seems that the security flaws are in leading products across multiple vendors.

Businesses may, therefore, be best advised not to rely solely on the hardware encryption offered by SSDs for confidentiality. It may be better to also employ an open-source, audited, software full-disk encryption solution.
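One practical check that follows from the above, given as an added example rather than anything from the article or the Radboud paper: BitLocker can hand encryption over to a drive's own self-encrypting firmware instead of encrypting in software, and a volume in that state is exactly the case the researchers describe. The script below runs the built-in manage-bde tool on Windows, parses its per-volume status report and flags any volume whose reported encryption method is hardware encryption. It assumes an elevated PowerShell session on a machine with BitLocker; the report parsing relies on manage-bde's "Volume X:" block layout and its "Encryption Method:" line.

```powershell
# Added example, not from the article or the Radboud paper.
# Lists BitLocker-protected volumes and flags those whose "Encryption Method"
# is the drive's own hardware encryption rather than BitLocker's software AES.
# Assumes Windows with BitLocker and an elevated (administrator) PowerShell;
# manage-bde.exe is a built-in Windows tool.

function Get-BitLockerEncryptionMethods {
    $raw = (& manage-bde -status | Out-String)

    # manage-bde prints one block per volume, each starting "Volume X: [label]"
    # and containing a line such as "    Encryption Method: XTS-AES 128".
    $blocks = ($raw -split '(?m)^Volume ') | Where-Object { $_ -match 'Encryption Method:' }

    foreach ($block in $blocks) {
        $volume = ($block -split "`r?`n")[0].Trim()
        $method = [regex]::Match($block, 'Encryption Method:\s*(.+)').Groups[1].Value.Trim()
        [pscustomobject]@{
            Volume   = $volume
            Method   = $method
            # "Hardware Encryption" means the SSD's own firmware holds the keys
            # and does the encryption, which is the setup the research targets.
            Hardware = ($method -match 'Hardware')
        }
    }
}

Get-BitLockerEncryptionMethods | ForEach-Object {
    if ($_.Hardware) {
        Write-Output ("REVIEW  {0}: {1} (relies on the drive's self-encryption)" -f $_.Volume, $_.Method)
    } else {
        Write-Output ("OK      {0}: {1}" -f $_.Volume, $_.Method)
    }
}
```

If a volume is flagged, the Group Policy setting "Configure use of hardware-based encryption for fixed data drives" (under Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Fixed Data Drives; there are matching settings for operating system and removable drives) can be set to Disabled so that BitLocker encrypts in software. The policy only affects drives encrypted after it is applied, so an already hardware-encrypted volume has to be fully decrypted and then re-encrypted for the change to take effect.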

As well as alerting businesses to the risks of relying solely on the apparently flawed hardware encryption offered by SSDs, this story should surely make vendors take another close look at their SSD products and at how their security can be improved.

Tech Tip – Clearing & Organising Your Screen

If you sometimes have too many windows open and need to clear things up and/or get back to the desktop view in Windows 10 as quickly as possible, here are a couple of tips that can help.

Windows 10 has a ‘shake your screen’ feature that enables you to quickly clear all the open windows so you can focus on one. Here’s how it works:

Grab the window you want to focus on from the top title bar.

Hold it and shake it. All the other open windows will then automatically minimise.

Shake it again to bring everything back!

Also, if you need to minimise all your open windows to get back to the desktop quickly:

Click the thin strip at the far bottom-right corner of the taskbar, to the right of the vertical line. All open windows will minimise. Click it again and all the windows will reappear in their original positions.

Microsoft Education For Dyslexics

By partnering with the charity 'Made by Dyslexia' and signing the Made by Dyslexia pledge, Microsoft has become, it announced, the first company to sign a global pledge to help people with dyslexia.

Dyslexia

Dyslexia is a lifelong condition that is not related to intelligence. Those with the condition experience difficulty with reading, spelling, writing and sometimes speaking because their brains have trouble recognising or processing some types of information.

It is estimated that it affects 700 million people worldwide and at least 5% of schoolchildren have dyslexia. In many cases, these schoolchildren are often (mistakenly) labelled as having a learning disability, which is why it is believed that they could make up as much as 85% of special education classes.

The Pledge & Partnership

The 'Made By Dyslexia' pledge that Microsoft has signed up to states that the tech giant will endeavour to recognise dyslexia as a different and valuable way of thinking, understand the importance of identifying each dyslexic and their pattern of strengths and challenges, and give targeted support to dyslexics to enable them to harness their strengths and flourish.

The Pledge says that this can be achieved by “skilling up” staff in schools with regard to spotting, understanding, and how best to support those with dyslexia, using digital screeners to check whether people are dyslexic, and making sure that tests and assignments are adjusted so dyslexics can demonstrate their full knowledge and skills.

Through the pledge, Microsoft is essentially partnering with the global charity ‘Made By Dyslexia’, which describes itself as being led by successful (and famous) dyslexics.

What Will Microsoft Do For Dyslexics?

Microsoft has said that, by adhering to the pledge, it hopes to democratise dyslexia support, and it's been reported that Microsoft's contribution will include the creation of free training materials, including short films and reading tools, designed to help teachers and parents get better at spotting dyslexia. Microsoft is reported to be working with top researchers and partners in the dyslexic community in the hope of encouraging those involved in a child's life to intervene earlier and thereby improve the child's future.

Microsoft has announced that it will expand access to (and improve ease of) implementation of a number of tools, including:

  • The Dictation Tool in Learning Tools – to help students to write with their voice.
  • The Immersive Reader tool – to help students with maths problems, to invite all learners into the conversation, and to support students in their native language with real-time translation.
  • A partnership with the University of Washington – to help students sound out words.

What Does This Mean For Your Business?

As the 'Made By Dyslexia' charity demonstrates, dyslexia needn't be a barrier to success if the right support and tools are available to help those with the condition. Dyslexia is not linked to intelligence, but it presents many extra challenges to those who have it. By understanding this and providing help through adherence to the pledge, Microsoft is seen to be taking a high-profile lead and demonstrating that it understands that those with dyslexia are just as valuable in the workplace as those without, and that providing help at a young age can help dyslexic people to reach their potential.

Microsoft, like many other big tech companies, is showing how old problems can be tackled with new methods, hopefully with success.

New Political Ad Transparency Rules Tested With Pro-Brexit Website

No sooner had Facebook announced new rules to force political advertisers to prove their identities and their ad spend than an anonymous pro-Brexit campaign website with a massive £257,000 ad spend was discovered.

Mainstream Network

The anonymous website and campaign, identified only as 'Mainstream Network', was discovered by the campaign group 89up. Clicking on a Mainstream Network Facebook advert takes users to a page about their local constituency and MP, and clicking from there was found to generate an email to their MP requesting that the Prime Minister abandon her Chequers Brexit deal. It has also been discovered that a copy of each of these emails is sent back to Mainstream Network.

11 Million People Reached

Campaign group 89up estimates that the unknown backers of Mainstream Network must have spent in the region of £257,000 to date on the Facebook adverts, which 89up estimates could have reached 11 million people.

What’s The Problem?

The problem with these political adverts is that Facebook has recently announced new rules in the UK requiring anyone wishing to place an advert relating to a live political issue (promoting a UK political candidate, or referencing political figures, political parties, elections, legislation before Parliament or past referenda that are the subject of national debate) to prove their identity and prove that they are based in the UK. Policing this should involve obtaining proof of identity and location, e.g. by checking a passport, driving licence or residence permit. According to Facebook, any political advert must also carry a "Paid for by" disclaimer so that Facebook users can see who the advert is from, and the "Paid for by" link next to each advert should lead to a publicly searchable archive of political adverts showing the range of the ad's budget and the number of people reached, the other ads that Page is running, and previous ads from the same source.

GDPR Breach Too?

It is also believed that sending a copy of the email back to Mainstream Network, in this case, could also constitute a breach of GDPR.

First Job For Facebook’s Nick Clegg

What to do about Mainstream Network and their campaign could end up being the first big task of Facebook’s newly appointed global communications chief and former deputy PM Sir Nick Clegg. It’s been reported that Mark Zuckerberg himself and Facebook’s chief operating officer Sheryl Sandberg were personally involved in recruiting Mr Clegg given the importance and nature of the role.

What Does This Mean For Your Business?

After Facebook announced new rules to ensure political ad transparency, the discovery of Mainstream Network's anonymous adverts, and the scale of the ad spend and reach, must be at the very least embarrassing and awkward for Facebook, and is another piece of unwanted bad publicity for the social network giant. Whatever a campaign of this kind and scale is for, Facebook must be seen to act in order to retain the credibility of its claim that it wants political ad transparency, to avoid losing any more of the trust of its users and advertisers, and to avoid being linked with any more political influence scandals.

Facebook has recently faced many other high-profile problems, including questions over how much tax it pays, the scandal of sharing user details with Cambridge Analytica and AggregateIQ (over the UK referendum), a fine from the ICO for breaches of the UK's Data Protection Act, and a major hack, and it is perhaps with all this in mind that it has hired a former politician and UK Deputy Prime Minister. Some political commentators have also noted that it may be very useful for Facebook to have someone on board who knows the key players, has reach and is able to lobby on Facebook's behalf in one of its toughest regulatory areas, the European Union.

Facial Recognition For Buyers Of Alcohol & Cigarettes

A pilot scheme involving NCR, the US maker of self-checkout machines for Asda, Tesco and other UK supermarkets, and Yoti's digital identity app will use an integrated camera linked to facial recognition software to improve, simplify and speed up age approval at self-checkouts.

Speed & Frustration Reduction

The system is intended to tackle the frustration and delays caused when customers wait for approval while buying alcohol at self-checkouts, the challenge faced by supermarket employees who have to judge a shopper's age and either allow or refuse a sale of alcohol or cigarettes, and the need for the supermarket to stay on the right side of the law.

How Will The System Work?

An AI-equipped camera will be integrated in the vicinity of the checkout, and the facial recognition software will use AI to estimate the age of shoppers when they are buying age-restricted items. The Yoti app does, however, require a customer to register their ID and face with the company beforehand.

What About Privacy and Data Security?

Wherever facial recognition software is used, there are concerns about how the processing and storage of the images (which count as personal data under GDPR) is managed in terms of privacy and security. Yoti is reported to have said that its system will not retain any visual information about users after they have made a purchase.

Where and When?

There are no confirmed details as yet about exactly which supermarket(s) will be involved in the pilot, although some media reports appear to indicate that Tesco, Morrisons and Asda could be the most likely candidates for piloting the technology at some point later this year.

Face Scanning Used For Adverts

A face-scanning system, made by Lord Alan Sugar’s company Amscreen, is known to have been used already by Tesco at petrol station tills in order to target advertisements at customers depending on their estimated age.

What Does This Mean For Your Business?

Anything that reduces customer frustration, speeds up and simplifies the passage through tills, and frees staff from having to constantly go to different tills to approve purchases is likely to be good news for the supermarkets. If this system proves effective, accurate and successful, it could find many other uses in other age-restricted services, e.g. venue or event entry, the purchase of certain dangerous or restricted products, and the gambling industry.

While it may make perfect economic and practical sense for companies to use this kind of system, it could be a double-edged sword with some customers. For example, whereas some customers may see the practical and responsible side of the system, others may consider it an unnecessary intrusion with the potential to impact on their privacy and security.

Each week we bring you the latest tech news and tips that may relate to your business, re-written in a techy-free style.