‘Crypto Anchors’ Might Stop the Next Equifax-Style Megabreach


Firewalls, intrusion detection systems, and even encryption haven’t kept hackers out of hoards of data like the ones stolen in the catastrophic breaches of Equifax or Yahoo. But now, some Silicon Valley firms are trying a deeper approach, building security into the basic design of how data moves between a company’s servers. The method aims not to seal intruders out of sensitive systems, but to tighten the rim of the cookie jar around their wrist, trapping their grabby hands inside.

In a blog post Tuesday, security engineer Diogo Mónica put a name to an IT architecture idea that’s been technically possible for years, but only more recently adopted in firms that actually need to safeguard troves of sensitive user data: “Crypto Anchors.” The system, which Mónica and his colleague Nathan McCauley put into place at the payment firm Square before moving to enterprise software firm Docker in 2015, encrypts the contents of databases with a key that’s stored on a separate, single-purpose, hardened computer known as a Hardware Security Module, or HSM. When another computer in the company’s network tries to access a database’s records—whether it’s an innocent query from an employee’s PC, or a hacked web server hijacked by intruders to suck out a cache of secrets en masse—that HSM acts as a strict gatekeeper, decrypting each of those records one by one.

While that setup adds only some hundredths of a second to each request, companies can also set the HSM to throttle its decryptions, so that the data can’t be unscrambled faster than a certain set rate. That means even if the hackers have taken over a computer on a corporate network that has access to that target database, they can’t simply siphon out its data and leave. They remain “anchored” inside the network, painstakingly waiting for the HSM to decrypt each bit of data. And that can transform a rip-and-run attack lasting only hours or days into one that can take months or years—time during which the hackers must remain active on a victim’s network, and vulnerable to being detected and stopped.

“The core concept is to ensure that your data is not only encrypted, but that the only way it can be decrypted or accessed or operated on is physically in your data center,” says Mónica. “If someone compromises my database, if it gets leaked, it’s not useful unless they’re in my network, connecting to my system to parse the data.”

Slow Your Roll

To see how that safeguard would function in practice, look no further than the case of Equifax, which admitted to the loss of 143 million—now more than 145 million—Americans’ data last month. That breach, like so many others, likely started with the hijacking of an online web portal. Mónica points out that a compromised front-end web server of that sort is often used to query an underlying database and pull out data that shouldn’t be accessible—data like, say, half of all Americans’ Social Security numbers.


Traditional encryption offers little defense against that sort of attack, Mónica argues. For the database to be usable in real time, the web server has to hold the secret key that decrypts the data, so hackers who compromise the web server would hold it, too. Cryptographic hashing, which irreversibly converts data to strings of scrambled characters, wouldn’t necessarily be much help, either: hashed secrets can often be stolen and then slowly cracked over time, particularly if companies use weak hashing methods. And since there are fewer than a billion possible Social Security numbers, hackers could simply steal all the hashes, later compute the hash of every possible number, and match the results against the stolen hashes to recover the original numbers.

But a system built around a crypto anchor could add another safeguard to those hashing or encryption schemes: it would encrypt each Social Security number with a secret key that’s stored only in the HSM. Even if the HSM were set to allow a million queries a day from Equifax customers, for example, any hackers who compromised that web server would be limited to that rate too, requiring them to linger inside the network well over six months to gather the whole collection of Equifax’s data. It would take far longer still if the HSM’s rate limit were set close to the web portal’s rate of legitimate use by customers.
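To make the throttled gatekeeper described in the two passages above concrete, here is an added Python sketch (not code from Mónica, Square or Docker) that simulates the architecture: a key generated inside a simulated HSM object and never exported, per-record decryption, a sliding-window decrypt limit that refuses and records over-rate callers so defenders can see the bulk pull, and a helper that turns a record count and decrypt rate into the attacker’s minimum dwell time. The cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for the AES-GCM a real HSM would use; the class, method names and limits are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import deque


class CryptoAnchorHSM:
    """Simulated HSM: the key is created inside and never exported; decrypt is throttled."""

    def __init__(self, max_per_window, window_seconds, clock=time.monotonic):
        self._key = os.urandom(32)        # lives only in the "HSM" (assumed layout)
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock                # injectable so tests can move time forward
        self._calls = deque()             # timestamps of recently accepted decrypts
        self.alerts = []                  # (time, caller) for every refused request

    def _keystream(self, nonce, n):
        # HMAC-SHA256 as a PRF; stands in for AES-GCM on a real HSM
        return hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt one short record (<= 32 bytes, e.g. an SSN) under the HSM key."""
        if len(plaintext) > 32:
            raise ValueError("record too long for single-block keystream")
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
        return nonce + ct + tag

    def decrypt(self, blob: bytes, caller: str) -> bytes:
        """Decrypt one record, but only within the configured rate; refusals are logged."""
        now = self.clock()
        while self._calls and now - self._calls[0] >= self.window:
            self._calls.popleft()         # forget calls outside the sliding window
        if len(self._calls) >= self.max_per_window:
            self.alerts.append((now, caller))  # a bulk dump shows up here for the SOC
            raise PermissionError(f"{caller}: decrypt rate limit exceeded")
        self._calls.append(now)
        nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
        expect = hmac.new(self._key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expect):
            raise ValueError("integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def days_to_exfiltrate(record_count, decrypts_per_day):
    """Minimum dwell time for an attacker limited to the HSM's decrypt rate."""
    return record_count / decrypts_per_day
```

The web tier only ever holds ciphertext blobs; every plaintext record costs one HSM call, so the alerts list and the dwell-time figure are what a detection team would watch.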

That sort of structural change in favor of defenders—not merely bolting on security hurdles, but developing it deep in systems’ architecture—makes ideas like crypto anchoring more appealing than adding yet another commercial security service, says Haroon Meer, the founder of security firm Thinkst. “I’m not saying this will make you infallible forever, but you make them play on your turf, so you see them coming,” he says. “That’s the sort of advantage defenders need.”

Practical Applications

While the crypto anchor setup is hardly widespread, it’s already being used in some form by at least a few top-tier security teams at tech firms. Aside from the implementation he helped create at Square, Mónica says he’s learned in private conversations with Facebook and Uber engineers that they’ve implemented something similar. “Every security-engineering team that’s really good is using some form of this,” he says.

HSM sellers like Gemalto and Thales have made the implementation technically possible for years, and cloud versions of HSMs exist now, too, like Amazon’s CloudHSM and Microsoft’s Azure Key Vault. Johns Hopkins University cryptographer Matthew Green says he’s consulted for multiple major tech firms working on a version of the setup. “It’s old hat in the sense that people who design security systems know you can do these things,” Green says. “It’s new in the sense that very few people actually do them… Seeing them percolate up to the top now is really neat.”

Of course, crypto anchors alone are no panacea. They don’t, after all, actually stop hackers from stealing data, only slow them down and give defenders a chance to detect them and limit the damage. That means all the other tools, from intrusion-detection systems to antivirus to incident response, aren’t going away. But a network architecture that inherently limits how fast data can be decrypted and removed from the network could allow those tools to do their job far more effectively, Mónica argues.

Would crypto anchors have stopped the Equifax attack? Mónica says he can’t be sure—exact details of how the attack occurred are still hazy—but he believes they would have certainly impeded it. “It would have definitely helped with detection and understanding exactly what was accessed and compromised,” he says. “It would have slowed down the attacker. Maybe it wouldn’t have been 145 million records. Maybe it would have been less. Or maybe it would have been nothing.”



‘I Feel Very Bad for Him – Everyone Needs to Stop’ – Variety


Lindsay Lohan took to Instagram on Tuesday evening to defend embattled producer Harvey Weinstein, who is accused of sexually assaulting and harassing several women over the past few decades.

“I feel very bad for Harvey Weinstein right now,” she said in the Instagram story, taken from her home in Dubai. “I don’t think it’s right what’s going on.”

Lohan also said that Weinstein’s wife, Georgina Chapman, who intends on filing for divorce, needs to “take a stand and be there for her husband.”

She later deleted the bizarre messages.

Weinstein, who was the subject of a second bombshell report on Tuesday, is reportedly on his way to Europe for treatment after being accused of harassing several actresses, including Angelina Jolie and Gwyneth Paltrow.

Lohan added of Weinstein: “He’s never harmed me or did anything to me – we’ve done several movies together. I think everyone needs to stop – I think it’s wrong. So stand up.”

Video of the statement was captured and posted by DailyMail.com.



How Do I Stop My Divorce? – Successful Marriage Tips and Advice on How to Heal Your Broken Marriage


In today's world of stress and hard relationships, getting advice and successful marriage tips can be your answer to the question of 'how do I stop my divorce?'

Many people stay so busy working and taking care of kids that they lose sight of many of the things their relationship needs to truly flourish and grow. Without taking time for each other and actively helping each other cope, tensions rise and the relationship suffers.

If you have ever asked 'how do I stop my divorce?', then you've probably already experienced this. What you need now are some good, successful marriage tips. Always taking the time to let your mate know how much you appreciate them goes a long way toward making the effort and pain of daily life worth it.

It's important to feel needed, but not to be so needy that you exhaust your partner. Make everything you tackle a team effort. Respect one another's feelings and opinions, even if you do not agree with them.

There are books, magazines, websites, and television stations that offer successful marriage tips on a daily basis. If you want to know 'how do I stop my divorce?', then you have to take the time to step back, look at the situation, and accept some advice from people who have been there and from people who have been trained in these areas. Swallow your pride, be willing to do whatever it takes to save your marriage, and it will grow stronger than before.


Source by Meredith Glee

Stop What You’re Doing And Look At Alicia Vikander’s Muscles In The Tomb Raider Trailer


How many hang cleans do I have to do on a daily basis to look like Alicia Vikander in Tomb Raider? Probably more than I am willing to do, but that is why I’m not starring as Lara Croft in Tomb Raider.

The first trailer for director Roar Uthaug’s Tomb Raider reboot, starring Vikander as a younger, more inexperienced Lara Croft, just dropped, and honestly, I can’t stop thinking about Vikander’s back muscles. I’m pretty sure that for the physical demands of Tomb Raider Vikander reached a level of physical fitness where she grew newer, stronger muscles on top of her old muscles. She has muscles on muscles — and they glisten like the sun!!!

Tomb Raider, based on the 2013 video game reboot, follows Lara Croft, now a 21-year-old bike courier who can barely afford to pay her rent, as she gets pulled into the years-long mystery surrounding her famous father’s disappearance. Personally, I’ve never met a bike courier who has upper body muscles like that (typically, they’re quad dominant), but I guess we’re supposed to assume that adventuring and fast metabolisms run in the Croft family.

Tomb Raider, also starring Dominic West, Walton Goggins, Daniel Wu, and Kristin Scott Thomas, leaps into theaters March 16, 2018.



Sierra Leone mudslides: UK team races to stop disease


[Image: The relief team visits the site of the fatal mudslide. Copyright: World Health Organization]

As families desperately clawed through red earth and debris that had buried their communities within just a few hours, another fear was already taking hold.

Gushing muddy waters had poured into poor communities, killing at least 500 people, leaving many more homeless and wrecking what were already very basic water and sanitation systems.

Although tragedy has already struck, things could get a lot worse.

“The floods and landslides have caused damage to water and sanitation systems in affected areas thus resulting in contamination of open water sources, and also created possible breeding sites for vectors like mosquitoes,” World Health Organization Sierra Leone officer in charge, Dr Alexander Chimbaru, said.

Large displaced populations, limited clean water supplies and no or unhygienic places to go to the toilet, all create the perfect conditions for deadly diseases to spread fast.

Within four days of the disaster, the Sierra Leonean government had called on the new UK Public Health Rapid Support Team (UK-PHRST) to deploy to Freetown and help them prevent a major outbreak of disease.

[Image: A soldier surveys the carnage]

The team is made up of top experts, who commit to jumping on a plane within hours of a disaster anywhere in the world.

It was created in response to the world’s tardy reaction to the Ebola outbreak in West Africa.

Little did the team know that one of its first deployments would be back to one of the worst Ebola-hit countries.

“We got the call on 18 August, and I was on a plane within three days,” said epidemiologist Maria Saavedra-Campos.

“It’s unfortunate we need to come back again in these circumstances. But it’s clear how resilient Sierra Leoneans are.”

Stalking deadly diseases

The UK team consists of:

  • two epidemiologists, who track diseases
  • two microbiologists, who can diagnose the cause of outbreaks
  • a logistician to coordinate the nuts and bolts of the project

Their job – in short – is to help local governments stop major outbreaks before they start.

“We are part of an additional level of surveillance of disease that the government put in place after this disaster struck. We do active case finding,” said Ms Saavedra-Campos.

“We are looking for what we call ‘epidemic prone’ diseases, such as cholera, measles, malaria and typhoid.”

[Image: Many have died in the tragedy]

Every day, the team goes into community health centres in and around the worst affected areas and helps local health workers to build the systems needed to gather detailed information about illnesses in local areas.

For example: how many people in the community reported diarrhoea or a fever that day, and what medication or other intervention they were given.

Gathering this information on a daily basis helps build a better picture of whether there may be small clusters of disease that could be the beginnings of a major outbreak.

The idea is any potential epidemic is picked up super-early, so it can be stamped out before it spirals into a national or even international emergency.

“Many of these health workers have themselves lost loved ones in the mudslides,” said Ms Saavedra-Campos.

“It is a difficult situation, and we are asking them to report every morning while some of them are still grieving.”

“We try to make it easy as possible by visiting them often and having a presence.

“Government teams and NGOs [non-governmental organisations] also do similar visits.”

Preventing an emergency

The World Health Organization says the loss of life in Sierra Leone has been devastating, both after Ebola and this recent disaster, and the recovery will again take time.

[Image: Maria Saavedra-Campos is assessing the best way forward]

“This was an unanticipated tragedy which resulted in sudden loss of life and property and is hugely traumatic,” said Dr Alexander Chimbaru.

“People here are incredibly brave and resilient, but we should not underestimate the effects an incident like this can have on people’s mental health and wellbeing.”

UK-PHRST is funded by the British government, which believes getting involved in such relief efforts abroad is money well spent.

“Diseases can spread rapidly around the world,” said Ms Saavedra-Campos.

“We can travel to the other side of the globe in less than a day; diseases don’t care about borders – we’ve seen that here in Sierra Leone with Ebola.

“If we can detect diseases early and tackle them at source, they won’t spread to neighbouring countries or internationally – including to the UK.”

UK Public Health Rapid Support Team:

  • public health experts, scientists, academics and clinicians on standby at all times
  • ready to deploy anywhere in the world within 48 hours
  • jointly run by Public Health England and London School of Hygiene & Tropical Medicine
  • can be deployed by the UK government after a request from low- and middle-income countries
  • £20m made available by UK government to fund this initiative over five years

