STE WILLIAMS

Sophos Techknow – The End of XP [PODCAST]

Welcome to another episode of Techknow, the podcast in which Sophos experts debate, explore and explain the often baffling world of computer security.

In this episode, entitled The End of XP, Paul Ducklin and Chester Wisniewski investigate the what, the why and the how of dealing with the impending end of support for Windows XP in 2014.

Don’t worry: even if you have computers that you simply won’t be able to update in time, for example because they run bespoke industrial control software, or a legacy financial application, Duck and Chet have some healthy suggestions for you.

They also share some insights into why Microsoft hasn’t simply packed all the improved security components from Windows 7 and 8 into the aging XP, leading to the 08 April 2014 deadline.

If you’re still wrestling with making the switch away from XP, this podcast will give you some handy tips for the future; if you’ve already put in the time and effort to move, listen and be reassured that the experts think you’ve done the right thing!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bFh8IOjN6Cs/

Black Friday spams are too good to be true

The old adage “If it sounds too good to be true, it probably is” still holds true online, folks, even with the incredible sales coming up in the US and Canada for Black Friday/Cyber Monday.

Here is a spam using one of the most desirable brands of this upcoming holiday season in a manner that is certainly too good to be true:


“Apple Thanksgiving Prices Now Available
Starting November 13th:
Everything reduced by 90 percent through Thanksgiving weekend
…”

Now, I’m no Apple fan-boy, but at 90% off even I might be tempted to pick up a new MacBook Pro. As you likely already guessed, it’s a scam.

Like most spam campaigns it will likely result in different web pages being displayed for users from different geographic locations.

The sites I was able to reach were chock full of Google Adwords in an attempt at revenue generation, but I didn’t find anything malicious.


With the holiday season approaching we will likely continue to see spammers try to blur the lines between legitimate bargain prices and scams.

This is also a good time to remember that your local postal service (USPS, Royal Mail, Canada Post, etc.) and delivery companies like UPS, FedEx and DHL are not going to email you asking you to open attachments.

Most of these messages are delivering banking Trojans like Zeus (ZBot) which in turn are further infecting victims with Cryptolocker ransomware.

We all know not to do it and now is the perfect time to practice:

  • Don’t click links in emails.
  • Don’t open attachments you aren’t expecting.
  • Don’t believe online promotions that are too good to be true.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/IbyhkaaraZE/

Microsoft, Cisco: RC4 encryption considered harmful, avoid at all costs


Microsoft has urged the Windows world to dump the once trusty but now distrusted RC4 encryption algorithm – and pick something stronger. Cisco has also told its customers to “avoid” the cipher.

RC4, developed in 1987, is a popular stream cipher that’s often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses.

Academics found flaws in the algorithm years ago, and top-secret documents leaked by ex-NSA contractor Edward Snowden this year suggest US and UK spies have developed “groundbreaking cryptanalysis capabilities”, which ultimately allow intelligence agencies to break RC4 encryption. Distrust of the cipher is therefore widespread but far from universal.

While some experts are sceptical US and UK spies can crack the algo at will, Jacob Appelbaum, a computer security researcher and leading Tor developer, bluntly warned earlier this month: “RC4 is broken in real-time by the NSA – stop using it.” Ivan Ristic, director of engineering at computer security biz Qualys, added: “Even if there is no evidence, it’s prudent to assume RC4 is fully broken.”

Now this week, Microsoft has gone public to “strongly encourage customers to evaluate, test and implement the options for disabling RC4 to increase the security of clients, servers and applications”. Specifically, Redmond wants people to switch to crypto-protocol TLS 1.2 – as used in HTTPS, secure SMTP, VPNs and other tech – and use the strong cipher AES-GCM.

Networking giant Cisco has also, as of this month, downgraded RC4 from “legacy” to “avoid” in its recommendations for cryptographic algorithms.

While moving away from RC4 may seem like a no-brainer in the circumstances, the situation is a bit more complicated than that.

“The problem is stream ciphers like RC4 were one of the primary defences used by many websites against the infamous BEAST and Lucky Thirteen attacks,” explained Chester Wisniewski in a post on the Sophos Naked Security blog.

“Fortunately TLS 1.2 and AES-GCM are not vulnerable to these attacks and can now officially be considered mainstream,” Wisniewski said, adding that the latest versions of web browsers Google Chrome, Firefox, Safari and Opera support TLS 1.2 and AES-GCM.

Windows 8.1 and Internet Explorer 11, both made available mid-October, default to TLS 1.2 and shun RC4. Microsoft has now provided a mechanism to disable the use of RC4 in Windows 7, 8, RT, Server 2008 R2 and Server 2012.

“With Microsoft on board, hopefully we can bid goodbye to old versions of SSL and TLS for good,” Wisniewski concluded.

Redmond published advice, tools and more information in this extensive blog post. The software giant added:

In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations. Microsoft recommends TLS1.2 with AES-GCM as a more secure alternative which will provide similar performance.
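Microsoft’s recommendation above reduces to a concrete client-side policy: refuse anything below TLS 1.2 and offer only AEAD suites such as AES-GCM, with RC4 explicitly excluded. The following is an added example written for this page, not code from Microsoft, Cisco or the article, showing that policy expressed with Python’s standard-library ssl module against whatever OpenSSL the interpreter links. The cipher string STRICT_CIPHERS and the helper names (build_strict_context, weak_ciphers_enabled, rc4_available and so on) are assumptions of this example; the Windows-side mechanism the article refers to is not shown here.

```python
import ssl

# Assumed policy string (not Microsoft's or Cisco's published list): forward-secret
# key exchange with AES-GCM only. RC4, anonymous, null, export and MD5 suites are
# excluded by name so a future library default cannot quietly bring them back.
STRICT_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!RC4:!aNULL:!eNULL:!EXPORT:!MD5"


def build_strict_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 as the floor, AEAD suites only, CA verification kept on."""
    ctx = ssl.create_default_context()            # hostname check + CA verification enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(STRICT_CIPHERS)               # replaces the library's default list
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of every suite this context would offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> list:
    """Suites still offered that use RC4 or MD5; a hardened context returns []."""
    return [n for n in enabled_cipher_names(ctx) if "RC4" in n or "MD5" in n]


def non_aead_ciphers_enabled(ctx: ssl.SSLContext) -> list:
    """Suites that are neither AES-GCM nor ChaCha20-Poly1305 (TLS 1.3's other AEAD)."""
    return [n for n in enabled_cipher_names(ctx)
            if "GCM" not in n and "CHACHA20" not in n]


def minimum_protocol_name(ctx: ssl.SSLContext) -> str:
    """Protocol floor as a string, e.g. 'TLSv1_2', for audit output."""
    return ctx.minimum_version.name


def rc4_available() -> bool:
    """Whether the linked OpenSSL can still offer RC4 at all.

    Modern builds leave RC4 out entirely, so set_ciphers("RC4") raises and the
    audit records that the suite cannot be negotiated from this host.
    """
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        probe.set_ciphers("RC4")
    except ssl.SSLError:
        return False
    return any("RC4" in c["name"] for c in probe.get_ciphers())


if __name__ == "__main__":
    ctx = build_strict_context()
    print("minimum protocol:", minimum_protocol_name(ctx))
    print("RC4 available in this OpenSSL:", rc4_available())
    print("weak suites still enabled:", weak_ciphers_enabled(ctx))
    print("non-AEAD suites still enabled:", non_aead_ciphers_enabled(ctx))
    for name in enabled_cipher_names(ctx):
        print("  ", name)
```

get_ciphers() also lists the TLS 1.3 suites, which are AEAD by construction (AES-GCM or ChaCha20-Poly1305) and are not governed by the TLS 1.2 cipher string, which is why the non-AEAD check accepts CHACHA20 as well as GCM. Running the same checks against a server context is the quickest way to confirm that a deployment has actually dropped RC4 rather than merely de-prioritised it.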

The recommendation comes as a top Microsoft executive admitted that the Windows maker does not encrypt its data-centre links, a ripe target for the NSA and GCHQ.

Bake me a hash cake

In a related move, Microsoft also announced that beginning on January 1, 2016 Windows will no longer support the use of X.509 certificates issued using the aging SHA-1 hashing algorithm for SSL and software code signing:

Microsoft is recommending that customers and CAs stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognising the validity of SHA-1 based certificates after 2016.

The older MD5 hashing algorithm was considered weak for many years, but was still supported by Windows because many certificate authorities were lax in updating and issued valid MD5 certificates long after the technology was declared flaky.

SHA-1, published in 1995, is significantly stronger than MD5, but Microsoft is withdrawing support for the technology before it is broken, using its market position to push change towards wider use of the newer SHA-2 set of functions: SHA-224, SHA-256, SHA-384 and SHA-512. Encryption experts welcomed the move.

“SHA-1 isn’t broken yet in a practical sense, but the algorithm is barely hanging on and attacks will only get worse,” wrote encryption guru Bruce Schneier. “Migrating away from SHA-1 is the smart thing to do.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/ms_moves_off_rc4/

Microsoft Unveils State-Of-The-Art Cybercrime Center

REDMOND, Wash., Nov. 14, 2013 /PRNewswire/ — Microsoft Corp. on Thursday announced the opening of the Microsoft Cybercrime Center, a center of excellence for advancing the global fight against cybercrime. The Cybercrime Center combines Microsoft’s legal and technical expertise as well as cutting-edge tools and technology with cross-industry expertise, marking a new era in effectively fighting crime on the Internet.

Each year, cybercrime takes a personal and financial toll on millions of consumers around the globe. The Cybercrime Center will tackle online crimes, including those associated with malware, botnets, intellectual property theft and technology-facilitated child exploitation. The work done at the Cybercrime Center will help ensure that people worldwide can use their computing devices and services with confidence.

“The Microsoft Cybercrime Center is where our experts come together with customers and partners to focus on one thing: keeping people safe online,” said David Finn, associate general counsel of the Microsoft Digital Crimes Unit. “By combining sophisticated tools and technology with the right skills and new perspectives, we can make the Internet safer for everyone.”

The Cybercrime Center is located on Microsoft’s campus in Redmond, Wash. The secured facility houses groundbreaking Microsoft technologies that allow the team to visualize and identify global cyberthreats developing in real time, including SitePrint, which allows the mapping of online organized crime networks; PhotoDNA, a leading anti-child-pornography technology; cyberforensics, a new investigative capability that detects global cybercrime, including online fraud and identity theft; and cyberthreat intelligence from Microsoft’s botnet takedown operations.

The Cybercrime Center includes a separate and secure location for third-party partners, allowing cybersecurity experts from around the world to work in the facility with Microsoft’s experts for an indefinite period of time. The dedicated space enriches partnerships across industry, academia, law enforcement and customers — critical partners in the fight against cybercrime. With nearly 100 attorneys, investigators, technical experts and forensic analysts based around the world, the Microsoft Cybercrime Center is well positioned to make it safer for people online worldwide.

“In the fight against cybercrime the public sector significantly benefits from private sector expertise, such as provided by Microsoft,” said Noboru Nakatani, executive director of the INTERPOL Global Complex for Innovation. “The security community needs to build on its coordinated responses to keep pace with today’s cybercriminals. The Microsoft Cybercrime Center will be an important hub in accomplishing that task more effectively and proactively.”

More information about the Cybercrime Center can be found at http://www.microsoft.com/news/presskits/dcu. Customers are encouraged to visit http://www.microsoft.com/security to learn about malware and help ensure their computers are not infected; if malware is present, the site offers tools to help remove the infection. All computer users should exercise safe practices, such as running up-to-date and legitimate computer software, firewall, and antivirus or antimalware protection technologies. People should also exercise caution when surfing the Web and clicking on ads or email attachments that may prove to be malicious.

Article source: http://www.darkreading.com/attacks-breaches/microsoft-unveils-state-of-the-art-cyber/240163924

Safe-T Launches RSAccess Solution

New York, November 12th, 2013 – Safe-T, a provider of secure front-end and enterprise collaboration solutions, announced today the launch of its disruptive front-end perimeter security solution, RSAccess Secure Front End. Using Safe-T’s patented technology, RSAccess eliminates the need to store sensitive data in the DMZ (demilitarized zone) and to maintain incoming firewall ports, which can expose the internal network to cyber-attacks. RSAccess reduces the risk of cyber-attacks and simplifies network configurations resulting in reduced operating expenses and the costs associated with data loss.

In response to a rising number of cyber-attacks, many organizations have added a DMZ to prevent outside users from gaining direct access to company confidential data. However, this approach can put sensitive information that resides in the DMZ at risk. Moreover, organizations usually deploy a reverse-proxy solution that maintains incoming firewall ports from the DMZ to the internal network of the organization thereby exposing the internal network to cyber-attacks.

Utilizing two nodes, one on each side of the firewall, RSAccess receives requests and streams data, rather than the traditional method of storing sensitive data in the DMZ. RSAccess inspects and controls incoming traffic on the application layer to detect and mitigate attacks of viruses, Trojans and malware both on clear channels and encrypted channels such as HTTPS.

RSAccess paves the path to the elimination of the traditional role of the DMZ and improves security by closing incoming firewall ports, preventing hackers from accessing the internal network and eliminating sensitive data from the applications servers and database in the DMZ. This technology can also be used to secure connectivity between classified networks in the organization without exposing one sub-network to another.

Providing an immediate cost savings by eliminating duplicated application licenses and the hardware costs of front-end servers, RSAccess also introduces operational efficiency by eliminating the need for constant data synchronization between the internal application servers and the servers at the DMZ.

ECI Telecom currently uses Safe-T’s RSAccess to tighten its DMZ security and enable secure sharing of sensitive information with its 2,400 employees, suppliers, partners and customers across the globe. Yuval Illuz, Head of Global Infrastructure and IT Operations at ECI Telecom commented, “With RSAccess we were able to eliminate some of our web front-end servers in the DMZ, which resulted in a reduction of files storage in the DMZ, a cost reduction of applications servers and licenses and also worry-free secure collaboration with outside parties. Safe-T’s innovative solution has improved both our IT security and efficiency.”

“At Safe-T we are committed to revolutionizing the way organizations utilize the DMZ. With RSAccess organizations can take a fresh look at the way they deploy and secure applications, and eventually to eliminate the expensive applications’ front-end servers and databases from the DMZ, while keeping their sensitive data inside the organization,” said Ronen Kenig, VP of Marketing and Product Management at Safe-T. “Our strategy is to provide sophisticated systems that protect enterprise data, and are also easy to use and deploy to bring value to our customers.”

Safe-T’s RSAccess Secure Front End is part of the Safe-T Data Protection Suite that also includes secure email, secure business integrated managed file transfer, and data scanning tools. To learn more about RSAccess please visit http://www.safe-t.com/landingrsaccess/.

About Safe-T

Safe-T is a provider of secure front end and enterprise collaboration solutions for the entire scope of data security including secure e-mail, managed file transfer, and data scanning. Safe-T’s unique open, extensible and customizable architecture integrates with third-party security and enterprise applications and solutions for end-to-end security coverage across business processes. With offices in North America, Europe and Asia, Safe-T provides solutions to insurance companies, financial organizations, healthcare, universities, public safety organizations, manufacturers and technology transfer companies, enabling them to protect intellectual property, improve operational efficiency, ensure compliance and reduce IT costs. For more information, visit www.safe-t.com.

Article source: http://www.darkreading.com/perimeter/safe-t-launches-rsaccess-solution/240163942

OpenMarket Introduces Support for Two-Factor Authentication In Mobile Engagement Platform

SEATTLE, Nov. 14, 2013 /PRNewswire/ — OpenMarket (www.openmarket.com), a leading enterprise mobile engagement company, today announced support for Two-Factor Authentication (2FA) in its Mobile Engagement Platform. By utilizing the 2FA capabilities in OpenMarket’s Mobile Engagement Platform, CIOs and other IT decision-makers can leverage out-of-band authentication via mobile devices to provide secure access, consumer identity protection and fraud prevention.

Two-factor authentication has been proven to drastically reduce identity theft, phishing scams, and online fraud by requiring two forms of user authentication.
OpenMarket’s 2FA service creates a unique personal identification number (PIN), which is sent to the user via SMS. The user then enters the PIN on a website for validation before gaining access to that secured site. This service is also ideal for resetting lost passwords. These new capabilities help enterprise CIOs follow the lead of industry giants like Facebook, Google, LinkedIn and Twitter, which have already implemented SMS-based 2FA to protect user information.
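The flow just described (generate a PIN, deliver it out of band by SMS, accept it once on the website) is what an SMS second factor looks like from the server’s side. Below is an added illustration written for this page, not OpenMarket’s code or API, of the server-side bookkeeping such a service needs to do safely: random PIN generation, a short lifetime, single use, a cap on wrong guesses, binding to the user, and a constant-time comparison against a keyed hash rather than the stored plaintext. The class and method names (SmsPinService, issue, verify), the five-minute lifetime, the three-attempt limit and the sample phone number are all assumptions of this example; the injectable clock and sender exist so the logic can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300   # assumed policy: a PIN is good for five minutes
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses invalidate the PIN


class SmsPinService:
    """Server-side bookkeeping for SMS one-time PINs (assumed design, not OpenMarket's).

    The clock and the SMS sender are injectable so the logic can be tested offline.
    """

    def __init__(self, clock=time.time, sender=None):
        self._clock = clock
        self._send = sender or (lambda phone, text: None)   # real deployment: SMS gateway
        self._key = secrets.token_bytes(32)   # per-process MAC key: a leaked pending
                                              # table alone does not reveal live PINs
        self._pending = {}                    # user_id -> {"mac", "expires", "attempts"}

    def _mac(self, user_id: str, pin: str) -> bytes:
        # Binding the user id into the MAC means a PIN issued to one user
        # cannot be replayed against another user's pending record.
        msg = user_id.encode() + b":" + pin.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, phone: str) -> str:
        """Create a fresh PIN for user_id, replacing any older one, and send it out of band."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._pending[user_id] = {
            "mac": self._mac(user_id, pin),
            "expires": self._clock() + PIN_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(phone, f"Your verification code is {pin}. It expires in 5 minutes.")
        return pin   # returned only so a caller or test can drive the flow; never log it

    def verify(self, user_id: str, candidate: str) -> bool:
        """True exactly once for the current, unexpired PIN; every other call is False."""
        rec = self._pending.get(user_id)
        if rec is None:
            return False                      # nothing issued, or already consumed
        if self._clock() > rec["expires"]:
            del self._pending[user_id]        # expired PINs are discarded, never retried
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["mac"], self._mac(user_id, candidate))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user_id]        # single use, or burned by repeated guessing
        return ok


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the SMS gateway
    svc = SmsPinService(sender=lambda phone, text: outbox.append((phone, text)))
    pin = svc.issue("alice", "+1-555-0100")   # constructed sample user and number
    print("sent:", outbox[-1])
    print("first check:", svc.verify("alice", pin))   # True
    print("replay:", svc.verify("alice", pin))        # False
```

The attempt cap matters because a six-digit PIN has only a million values; without it, an online guessing loop within the five-minute window is the obvious attack on any SMS code scheme, and the server, not the client, has to enforce the limit. Per-user rate limiting on issue() (so one account cannot be flooded with messages) would sit in front of this class in a real deployment.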

As part of its mobile strategy, a leading global retailer has deployed OpenMarket’s Mobile Engagement Platform to manage a variety of customer experience use cases across different business units within their organization.
Most recently, the customer has deployed 2FA with OpenMarket to provide secure access and identity protection for its customers across ten countries, with plans for further global expansion.

“Enterprises require a level of security that will give their customers a sense of safety and trust,” said Jay Emmet, General Manager of OpenMarket. “Rather than evaluating and implementing a single point solution for each proposed mobile use case, forward-looking CIOs are turning to OpenMarket’s Mobile Engagement Platform for a holistic approach to supporting operational and engagement use cases across the entire organization.”

The OpenMarket Mobile Engagement Platform is a SaaS-based solution, allowing global enterprises to easily create and deploy mobile engagement services without provisioning expensive infrastructure. Enterprises can access the platform via a web-based GUI or directly via service APIs. The platform supports features such as personalization, scheduling, logic and decisioning, list management, user segmentation, and reporting. By using OpenMarket’s Mobile Engagement Platform, enterprises are able to mobilize operational processes, optimize internal and external communications, improve customer experiences, drive brand awareness and generate new revenue.

As an experienced mobile engagement solution provider, OpenMarket supports its Fortune 2000 enterprise customers with unique needs around data security standards, privacy policies, and industry regulations. Two-factor authentication marks the latest in OpenMarket’s existing line of security and IT-related features. OpenMarket’s security and privacy controls provide a comprehensive framework based on data protection laws, ISO 27001, GLBA and other standards.

For more information on the OpenMarket Mobile Engagement Platform, download the white paper, “Mobile Engagement for the Enterprise”:
http://www.openmarket.com/mobile-engagement-white-paper/

About OpenMarket
OpenMarket, a subsidiary of Amdocs, powers mobile business. We provide a comprehensive set of mobile solutions for enterprises to engage and transact with their customers via their mobile devices. Clients depend on OpenMarket for our superior domain expertise, global scale, demonstrated performance, and industry leading reliability. OpenMarket’s intelligent, integrated platform provides deep mobile operator connections with global network reach. For more information, visit www.openmarket.com.

About Amdocs
For 30 years, Amdocs has ensured service providers’ success and embraced their biggest challenges. To win in the connected world, service providers rely on Amdocs to simplify the customer experience, harness the data explosion, stay ahead with new services and improve operational efficiency. The global company uniquely combines a market-leading BSS, OSS and network control product portfolio with value-driven professional services and managed services operations. With revenue of $3.2 billion in fiscal 2012, Amdocs and its 20,000 employees serve customers in more than 60 countries.
Amdocs: Embrace Challenge, Experience Success.
For more information, visit Amdocs at www.amdocs.com.

Article source: http://www.darkreading.com/mobile/openmarket-introduces-support-for-two-fa/240163943

Barracuda Web Application Firewall Now In AWS Marketplace

Campbell, Calif. (November 13, 2013) – Barracuda Networks, Inc. (NYSE: CUDA), a leading provider of cloud-connected security and storage solutions, today announced that the Barracuda Web Application Firewall is now available in the Amazon Web Services (AWS) Marketplace. The Barracuda Web Application Firewall brings leading web security capabilities to customers migrating applications to the AWS cloud. Barracuda will demonstrate the Barracuda Web Application Firewall on AWS in booth #1032 this week during AWS re:Invent in Las Vegas.

“As customers accelerate the migration of applications to cloud providers such as AWS, they often overlook application security requirements,” said Blair Hankins, VP Engineering, Barracuda. “The Barracuda Web Application Firewall provides robust security functionality to address threats that happen at the application layer so customers can securely move applications on to the AWS cloud.”

“Cloud computing can help organizations of all sizes around the world to gain flexibility, reliability and scalability for their applications,” said Terry Hanold, Vice President, Cloud Commerce, AWS. “We know that security is a top concern for our customers and we are pleased to work closely with Barracuda to bring their web application security to the AWS Marketplace to offer our customers more choices.”

Customers bringing their applications on to the AWS cloud need to ensure that they are secure from threats like SQL Injection, Application DDoS, and other attacks that target the application layer. Barracuda will now offer a security solution in the AWS Marketplace, offering strong application security for customers migrating applications on to the AWS cloud.

Pricing and Availability

The Barracuda Web Application Firewall in the AWS Marketplace is available today. User licenses can be purchased through traditional channels starting at list price $5,199 USD for a one-year subscription, and customers can then use that license to provision the application in AWS. For more information, please visit https://aws.amazon.com/marketplace/pp/B00G2RHT04.

Resources

To learn more about the Barracuda Web Application Firewall on AWS, please visit https://www.barracuda.com/programs/aws.

About Barracuda Networks, Inc. (NYSE: CUDA)

Barracuda provides cloud-connected security and storage solutions that simplify IT. These powerful, easy-to-use and affordable solutions are trusted by more than 150,000 organizations worldwide and are delivered in appliance, virtual appliance, cloud and hybrid deployments. Barracuda’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions that provide end-to-end network and data security. For additional information, please visit http://www.barracuda.com.

Article source: http://www.darkreading.com/perimeter/barracuda-web-application-firewall-now-i/240163944

Mobile Pwn2Own Hacking Contest Claims Nexus 4 Among Victims

When it was over, the Nexus 4, Samsung Galaxy S4, and the Apple iPhone could all count themselves as hacking victims.

Fortunately, this was all done in the name of research at the Mobile Pwn2Own contest at the PacSec 2013 Conference this week in Tokyo. During the past two days, the contest saw researchers use application vulnerabilities to compromise each of the devices and walk away with thousands of dollars in cash prizes.

The event was sponsored by Hewlett-Packard’s Zero Day Initiative (ZDI) as well as BlackBerry and the Google Android and Chrome security teams. Before the competition ended today, a researcher under the alias ‘Pinkie Pie’ compromised Google Chrome on both a Nexus 4 and Samsung Galaxy S4, and was awarded $50,000. The researcher’s exploit took advantage of two vulnerabilities — an integer overflow issue and a full sandbox escape.

“Similar to the exploits we saw on day one of our contest, in order for the user’s device to be successfully compromised, they would need to be enticed to visit a malicious site in order to be exposed to the malicious code,” blogs Heather Goudley, senior security content developer at HP. “Again the attack depends on first compromising the user to get them to take an action (e.g. clicking a link in an email, or an SMS or on another web page) and then compromising the device by exploiting these vulnerabilities. The final outcome would be the remote execution of code of an attacker’s choice.”

This vulnerability has been disclosed to Google, one of multiple vendors that will have to deal with patching vulnerabilities uncovered in the contest.

On Wednesday, the Keen Team of Keen Cloud Tech won $27,500 for demonstrating two exploits against Safari on an iPhone 5 that allowed them to steal a photo on iOS version 6.1.4 and capture Facebook credentials on iOS version 7.0.3. Neither of the devices were jailbroken, and both exploit demonstrations took no more than five minutes. For the exploit to work, the user would need to click on a link in an email, SMS, or Web page.

“Both of the Safari exploits leveraged memory corruption vulnerabilities which allowed them to gain access to Facebook cookies (on iOS 7.0.3) and photos stored on the device (on iOS 6.1.4),” Brian Gorenc, manager of HP’s ZDI, tells Dark Reading.

Also Wednesday, Japan’s Team MBSD of Mitsui Bussan Secure Directions won $40,000 after demonstrating exploits against several applications installed by default on the Samsung Galaxy S4. After exploiting the apps, the researchers were able to install malware on the device and steal confidential data. For the attack to work, the user must be tricked into visiting an attacker-controlled malicious website.

[The biggest security weaknesses in most Android smartphones today are the custom apps and features that come packaged with the devices, new research shows. See Custom Features Incur Security Flaws In Popular Android Smartphones.]

“The implications for this exploit are worrisome,” blogs Goudley. “While you may be reticent to click on links (heeding the commonly-given, if somewhat ridiculous advice to ‘click carefully’) it is unlikely that you assess risk and use caution the same way on your mobile devices as you do on your desktop. The message here, however, is clear – mobile platforms are vulnerable to the same or very similar methods of malware distribution that plague the desktop and you would be wise to take heed.”

“One of the reasons HP’s Zero Day Initiative was excited to bring the competition to Tokyo was to get a firsthand look at the security research happening on this side of the globe,” Gorenc says. “We were lucky enough to have teams from both China and Japan compete and win this year.”


Article source: http://www.darkreading.com/mobile/mobile-pwn2own-hacking-contest-claims-ne/240163945

Bob Flores, Former CTO Of The CIA, To Keynote CSA Congress 2013

ORLANDO, Fla., Nov. 13, 2013 /PRNewswire-USNewswire/ — The Cloud Security Alliance (CSA) today announced that Bob Flores, former CTO of the Central Intelligence Agency (CIA), has been added to the program as a keynote speaker for CSA Congress 2013. During the fireside chat keynote hosted by CSA Executive Director Jim Reavis, Mr. Flores will discuss the importance of highly resilient public clouds for the most demanding and security-sensitive organizations. He will discuss the challenges to protecting sensitive information while achieving organization agility with information technology strategies, and formally announce CSA’s latest research initiative, the Software Defined Perimeter (SDP).

“Bob has a unique perspective, coming from an ‘intelligence agency as enterprise customer’ point of view,” said Jim Reavis, Executive Director of the CSA. “We are thrilled to add him to the impressive agenda at Congress, and to be working with him on this crucial new initiative, SDP, which will provide a critical framework to secure multiple clouds, mobile computing and the Internet of Things.”

Bob Flores is the Founder and President of Applicology Incorporated, an independent consulting firm specializing in informatics and cyber security issues. Prior to starting Applicology, Bob spent 31 years at the Central Intelligence Agency where he held various positions in the Directorate of Intelligence, Directorate of Support, and the National Clandestine Service.

Toward the end of his career at the CIA, he spent three years as the CIA’s Chief Technology Officer where he was responsible for ensuring that the Agency’s technology investments matched the needs of its mission.

The CSA Congress is the industry’s premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. In addition to offering best practices and practical solutions for remaining secure in the cloud, CSA Congress will focus on emerging areas of growth and concern in cloud security, including standardization, transparency of controls, mobile computing, Big Data in the cloud and innovation.

Click to Tweet: Bob Flores, former CIA CTO to keynote on highly resilient public clouds for security-sensitive orgs @cloudsa @CSACongress Dec 4-5, Orlando.

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Article source: http://www.darkreading.com/management/bob-flores-former-cto-of-the-cia-to-keyn/240163946

NSA Leaks Bolster IETF Work On Internet Security

Ongoing efforts to beef up the security of the Internet’s underlying protocols may have gotten a major boost, thanks to the National Security Agency (NSA).

Officials from the Internet Engineering Task Force (IETF) today said last week’s plenary meeting of the body charged with developing protocols for the Net was dominated with talk of better securing the Internet to thwart wide-scale surveillance akin to those programs leaked by former NSA contractor Edward Snowden.

“There is noticeable momentum,” said Stephen Farrell, IETF Security Area Director, today in a press briefing on last week’s IETF 88 Plenary in Vancouver.

Among some of the IETF security efforts that could see the light of day relatively soon is work on guidance for easily “turning on” encryption between email servers. Farrell says email providers already are looking at this, and the hope is they will roll it out “in a matter of months.”

“Clearly, there’s a very long-term question: With a lot of technology things you can do, there remains an adversary willing to spend a lot of effort and money and [who] will still be able to extract metadata from various protocols,” Farrell said. “But we can make it significantly harder to launch the pervasive attacks we’ve been seeing.”

New IETF protocols don’t get written or adopted overnight, however. The voluntary, open committee process for proposing and ultimately releasing a protocol specification can take years, even for some of the most straightforward technologies. Security is even tougher. “None of the solutions in securing the Internet is necessarily easy,” noted IETF chair Jari Arkko. “You need backward compatibility, interoperability among different parties, and different components.”

The Snowden leaks helped spur an about-face by the IETF in its work on the next-generation Web protocol, HTTP 2.0. In March 2012, the HTTPbis Working Group charged with the HTTP 2.0 work decided against encryption by default using the Transport Layer Security protocol. The working group has since decided to rethink that in the wake of the NSA Internet surveillance revelations.

Also on the table is work on securing the transport protocols underlying the Net. One notable effort is a proposed protocol for adding encryption directly to the TCP protocol itself. There’s also a working group forming to cover security in application-layer protocols, including instant messaging, for example.


Article source: http://www.darkreading.com/authentication/nsa-leaks-bolster-ietf-work-on-internet/240163948