
DOJ's 'responsible encryption' is the new 'going dark'

News roundup: The DOJ calls for 'responsible encryption' to comply with court orders. Plus, there's more bad cybersecurity news for banks, and Accenture data in AWS gets exposed.

Calling on tech companies that offer encrypted services to deploy those services using "responsible encryption," Deputy Attorney General Rod Rosenstein picked up the anti-encryption baton from former FBI Director James Comey.

Rosenstein's comments at the United States Naval Academy Tuesday echoed Comey's position on the use of encryption by criminals and others to evade law enforcement or national security agencies. In an attempt to rebrand the debate around "going dark," Rosenstein urged tech companies to deploy what he called "responsible encryption," or encryption that can be bypassed by the tech company in order to provide law enforcement agencies access to encrypted data subject to a court order.

"Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization," Rosenstein said, adding that it was not necessary for the government to mandate any particular key management or escrow service, but rather for individual companies to deploy encryption or encrypted services in a way that supports a "lawful access" to encrypted data on demand by law enforcement or national security agencies.

"Look, it's real simple. Encryption is good for our national security; it's good for our economy. We should be strengthening encryption, not weakening it. And it's technically impossible to have strong encryption with any kind of backdoor," said Rep. Will Hurd (R-Texas), when asked about Rosenstein's proposal for responsible encryption at The Atlantic's Cyber Frontier event in Washington, D.C.

"This is a conversation we're going to be involved in forever," Hurd said. "You can protect our digital infrastructure, chase bad guys and protect our civil liberties all at the same time. It's hard, but we can do it. And our civil liberties are not burdens -- they're the things that make our country great. So, you can call it whatever you want, but make sure you have strong encryption."


Unlike previous calls from the Department of Justice to curb secure, end-to-end encryption and put government-accessible backdoors on all data, Rosenstein suggested tech companies that offer encrypted communications services incorporate the ability to access encrypted data in response to court orders.

Rosenstein concluded by saying, "There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully informed decision."

In other news

  • The latest company to accidentally expose data in an Amazon Web Services Simple Storage Service bucket is Accenture, a global management consulting and professional services giant -- and cloud service provider. Chris Vickery, cyber-risk analyst for UpGuard Inc., a cybersecurity company based in Mountain View, Calif., reported the exposure in a blog post. "Accenture, one of the world's largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients," Vickery wrote. "The servers' contents appear to be the software for the corporation's enterprise cloud offering, Accenture Cloud Platform, a 'multi-cloud management platform' used by Accenture’s customers, which 'include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500' -- raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients."
  • The Federal Deposit Insurance Corporation (FDIC) suffered as many as 54 data breaches of personal information from the start of 2015 to the end of 2016, according to an audit by the FDIC Office of Inspector General (OIG). The FDIC, a government agency formed in the wake of the Great Depression to protect bank customers, insures all deposits at participating banks up to at least $250,000. To accomplish its mission, the FDIC collects large amounts of data, including personally identifiable information about bank customers. Writing in the audit report, which included in-depth reviews of some of the reported FDIC data breaches, the FDIC OIG "initiated this audit in response to concerns raised by the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs regarding a series of data breaches reported by the FDIC in late 2015 and early 2016. Many of these data breaches involved PII."
  • Trustwave's SpiderLabs researchers reported a sophisticated hybrid cyberattack against banks netted thieves as much as $40 million. According to the report, the scam involved people opening bank accounts, while also breaking into the banks' computer systems to manipulate overdraft limits on those accounts, and then having other people withdraw large amounts from ATMs abroad. While the attacks described in the SpiderLabs report were mostly against banks in post-Soviet states, the researchers warned the techniques would spread. "Currently, the attacks are localized to the Eastern European and Russian regions. However, in cybercrime, this area is often the canary in the mineshaft for upcoming threats to other parts of the world." SpiderLabs warned: "All global financial institutions should consider this threat seriously and take steps to mitigate it."
  • Rapid7 reported a SQL injection vulnerability in the SmartVista end-to-end banking payment software offered by Switzerland-based BPC Banking Technologies. Rapid7 first notified BPC of the vulnerability in May and, after receiving no response from BPC, notified the U.S. CERT Coordination Center in July. Rapid7 recommended SmartVista users contact BPC support directly for assistance; in the meantime, users should restrict access to the SmartVista management interface as much as possible. The security vendor also recommended performing regular audits of successful and failed logins and using web application firewalls to block SQL injection attacks.

Next Steps

Learn why security and privacy experts were wary about changes to Rule 41.

Read how the conflict between Apple and the FBI could affect enterprise mobility management.

Understand the roots of the FBI's "going dark" controversy.


Should technology companies explore options for responsible encryption? Why or why not?

No, this idea has been tried before in another country and the idea failed. Plus, sometimes our own government is why we need encryption, as we all know that most parts of our government cannot be trusted. I mean, look who we have in office now; need I say more. Anyway, back to the example: as stated, this has already been tried and the backdoor was found and the method to get through the encryption was sold, leaving those systems exposed. It has been proven the only valuable encryption is the kind that is strong with absolutely no backdoors.

There is no such thing as unhackable encryption. Encryption of storage or data to be transmitted should be done by blocks of a certain size. Encryption keys for each block should come from a large codebook. Data is encrypted using a key from a book, e.g. chapter, page, line, algorithm. What is transmitted separately is 4 digits: one digit to identify the "algorithm of the day or transmission" and three digits to select the decryption key from a codebook.

The codebook entry can be randomly selected.

The algorithm can be one of AES, Threefish, quantum, etc. The algorithm itself could also be selected according to the quadruple number.

The same file, transmitted a second time, would have a different encryption key and a different encryption result.

Within a database, pages of data can be differently encrypted.
The codebook can be stored within a TPM chip (Trusted Platform Module). A password would be required to access the codebook, with three strikes (false access attempts) resulting in a locked-up TPM.

For example, an encryption key should come from a selection of several million keys. A 100 gig database could be encrypted with 100 different keys from some encryption algorithm associated with each gig of data.
Even with the above, and with newer technology, faster hardware and human error will eventually discover access to the TPM.

The above is close to the one-time pad encryption technique, yet far from perfect.

By the way, something similar is currently in use at a financial institution.

"There is no such thing as unhackable encryption." This is even more of a reason not to have any backdoors in encryption. The fact is governments, no matter what country, cannot be trusted. Encryption is what is used by reporters to send information on a story privately. These reporters are how we keep our government in check by releasing news of the corruption of these agencies. Without encryption for security, our government would be doing more dirty things than they do now. Encryption also protects people's identities, meaning private information such as SSNs, banking info, etc. I'm not interested in making a backdoor or interested in having gatekeepers, as it is proven the gatekeepers will eventually leak the key. I want stronger encryption against everyone, mainly the criminals in our government and the criminals that governments put away thinking they are better than the trash they put away.

