Strong encryption and natural language search can be like oil and water. That's because encrypted data can't be digested by a typical search engine. However, CipherCloud announced a solution to that knotty problem last week.
The latest version of the 3-year-old company's cloud-based service includes something it's calling "searchable strong encryption." It allows data encrypted with the strong AES 256-bit standard to be searched within popular cloud applications such as Salesforce.com, Box, Microsoft Office 365, Google Gmail and Amazon Web Services.
"Encryption can break an application," Pravin Kothari, founder, chairman and CEO of CipherCloud, told TechNewsWorld. "It can make an application useless."
Through the use of a gateway between an organization and its encrypted data in the cloud, CipherCloud allows applications to work with the encrypted data as if it were plain text.
"If you looked into the cloud application, what you would see is gibberish -- but using our gateway architecture, we can allow all popular operations, like search, and give a user the full usability of the application," Kothari explained.
"Customers had to previously choose between protection of their data and usability of an application," CipherCloud SVP and Chief Marketing Officer Paige Leidig told TechNewsWorld. "With our new product, they can get the best of both worlds -- highest security of their data and full searchability and sortability of the data."
Better Vectors
With SSE, CipherCloud has changed how it deploys AES-256. Prior versions of the service drew from a limited pool of initialization vectors. An IV is the value that randomizes a ciphertext so the same plaintext does not always encrypt to the same output: depending on the IV used as the starting point for encrypting a block of data, the name "John" might come out as 6324 in one record and 7745 in another. That makes it difficult for a codebreaker to correlate ciphertext with its plaintext.
The problem with a limited pool of IVs is that it makes a cracker's job easier. The same plaintext under the same key and IV always produces the same ciphertext, so repeated values stand out in the stored data, and there is only a finite set of starting points to work through. How much a repeated IV gives away depends on the mode of operation: in CBC mode it reveals that two plaintexts share a prefix, while in a counter or stream mode it exposes the XOR of the two plaintexts. CipherCloud has now made the cracker's job much harder by letting users encrypt their data with an effectively unlimited supply of unique IVs.
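To make the IV point concrete, the following is an added example; it is not CipherCloud's code and does not describe the internals of its product. It uses a stand-in cipher built from HMAC-SHA256 in counter mode in place of AES, because the leakage being demonstrated depends only on how the IV is chosen, not on the block cipher. The sample column of names, the keys, and the HMAC-based search token stored beside each ciphertext are all constructed for illustration; the token column is one common way to answer equality queries over randomized ciphertext and is an assumption here, not a claim about how SSE works.

```python
"""Why a small pool of IVs leaks, and how a keyed token restores equality search.

The cipher below is a STAND-IN (HMAC-SHA256 as a counter-mode keystream), not AES.
Everything shown about IV reuse applies unchanged to AES in counter mode; for
AES-CBC, IV reuse leaks equal plaintext prefixes instead of the plaintext XOR.
"""
import hashlib
import hmac
import itertools
import os
from collections import Counter

IV_LEN = 16  # one block, as for AES


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Concatenate HMAC(key, iv || counter) blocks until `length` bytes are produced."""
    out = b""
    for block in itertools.count():
        if len(out) >= length:
            break
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || (plaintext XOR keystream). Same key, IV and plaintext -> same output."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    ks = _keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


def encrypt_column(key: bytes, values, next_iv) -> list:
    """Encrypt each cell of a column, asking next_iv() for the IV to use."""
    return [encrypt(key, next_iv(), v) for v in values]


def largest_repeat(blobs) -> int:
    """How often the most frequent ciphertext repeats: what an observer of the
    stored data learns without the key."""
    return max(Counter(blobs).values())


def fixed_iv_source(iv: bytes):
    return lambda: iv


def small_pool_iv_source(pool):
    """Cycle through a finite pool of IVs (the 'limited IVs' case)."""
    it = itertools.cycle(pool)
    return lambda: next(it)


def random_iv_source():
    return lambda: os.urandom(IV_LEN)


def xor_of_ciphertexts(blob_a: bytes, blob_b: bytes) -> bytes:
    """With a shared IV in counter mode the keystreams cancel, leaving pt_a XOR pt_b."""
    return bytes(x ^ y for x, y in zip(blob_a[IV_LEN:], blob_b[IV_LEN:]))


def search_token(search_key: bytes, value: bytes) -> bytes:
    """Deterministic keyed token stored beside the randomized ciphertext so equality
    queries can be answered without decrypting (assumed design, not CipherCloud's)."""
    return hmac.new(search_key, value, hashlib.sha256).digest()


def find_matches(search_key: bytes, tokens, query: bytes) -> list:
    wanted = search_token(search_key, query)
    return [i for i, tok in enumerate(tokens) if hmac.compare_digest(tok, wanted)]


# Constructed sample column: a "first name" field with a repeated value.
NAMES = [b"John", b"Mary", b"John", b"John", b"Eve"]

if __name__ == "__main__":
    key, search_key = os.urandom(32), os.urandom(32)
    fixed = encrypt_column(key, NAMES, fixed_iv_source(b"\x00" * IV_LEN))
    pool = encrypt_column(key, NAMES, small_pool_iv_source([b"\x00" * IV_LEN, b"\x01" * IV_LEN]))
    rand = encrypt_column(key, NAMES, random_iv_source())
    print("fixed IV, largest repeat:   ", largest_repeat(fixed))  # the 3 Johns are visible
    print("two-IV pool, largest repeat:", largest_repeat(pool))
    print("random IV, largest repeat:  ", largest_repeat(rand))   # nothing repeats
    print("John XOR Mary recovered:    ", xor_of_ciphertexts(fixed[0], fixed[1]).hex())
    tokens = [search_token(search_key, n) for n in NAMES]
    print("rows matching 'John':       ", find_matches(search_key, tokens, b"John"))
```

With a single fixed IV the three "John" cells are byte-identical in storage, and XORing any two cells that share an IV cancels the keystream entirely; with a fresh random IV per cell nothing repeats. Note that the token column that makes equality search possible is itself deterministic, so any equality-searchable design still reveals which rows share a value, even when the ciphertext beside it does not.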
In light of recent revelations about the NSA tampering with encryption standards, it's questionable whether any standard is trustworthy.
"People are concerned about everything, but AES in any of its sizes is pretty low on the list," Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University, told TechNewsWorld.
"AES was developed in an international competition by Belgian cryptographers. It has been really well analyzed by the security community, and it has a good design," Green added.
Whistleblower Schizophrenia
The Freedom of the Press Foundation announced last week that it would be soldiering on with technology developed by the late Aaron Swartz to give whistleblowers safe online places to drop leaked documents to news outlets and maintain their anonymity.
The technology, called "SecureDrop," has become more important than ever because of the Obama administration's tough attitude toward people leaking state secrets.
"This is coming about because of the Obama White House's really unhealthy obsession with leaks," Dan Kennedy, an assistant professor of journalism at Northeastern University, told TechNewsWorld.
"If the Obama administration weren't going after leakers and the journalists who they leak to as vigorously and inappropriately as they are, then you wouldn't need something like this," he maintained.
There are some inconsistencies in the administration's attitude toward whistleblowers, though.
"It's worse than all other administrations in terms of national security whistleblowing," Louis Clark, president of the Government Accountability Project, told TechNewsWorld.
"I think it's the best administration in terms of corporate whistleblowers," he continued. "So it's a schizophrenic administration."
In the current agency climate, technologies like SecureDrop have become a necessity for whistleblowers, Clark noted.
"The treatment of whistleblowers has angered some people in the national security agencies," he said. "Whistleblowers feel like they have nowhere to go in their agencies, and when that happens, there's no place they can go except for the public if they want to raise their concerns."
Breach Diary
- Oct. 12. Craig Heffner, a researcher with Tactical Network Solutions, finds a vulnerability in the firmware code for several D-Link router models. The flaw can be exploited by an attacker to redirect traffic at the router for malicious purposes.
- Oct. 14. Digital rights group Bits of Freedom releases a Dutch government report, obtained under a freedom of information request, revealing that some Dutch telecommunications and Internet providers inappropriately used for marketing purposes information they were required to retain for crime-fighting purposes.
- Oct. 14. Germany's largest phone company, Deutsche Telekom, proposes to the German government that all email and data traffic be routed within the country to curtail spying on its citizens by foreign nations.
- Oct. 15. The Payment Association of South Africa reveals that malware infecting point-of-sale terminals at a number of fast food chains has resulted in the loss to the country's banks of tens of millions of rand. Ten rand equal about US$1.00. The association notes an "unauthorized international organization" was behind the attack.
- Oct. 15. Kathleen Haskins claims in a California court filing that Symantec misled consumers by claiming its antivirus software would protect them from malware infections. Haskins alleges Symantec knew its software was compromised but failed to tell consumers about it.
- Oct. 15. A California appellate court rules that healthcare providers are not liable to patients for medical records misappropriated or stolen unless the data is accessed by a third party. The decision came in a case where a laptop containing medical information on some 16,000 patients of UCLA Health was stolen from a physician, but no evidence could be found that the data was ever accessed by a third party.
- Oct. 16. PR Newswire confirms hackers broke into its networks earlier this year and stole an unspecified number of user names and encrypted passwords. The attack has been attributed to the same group of cybercriminals who breached LexisNexis, NW3C and Adobe.
- Oct. 16. The St. Louis Business Journal reports that a lawsuit by Liberty Mutual Insurance Co. against Schnuck Markets has been terminated. Liberty Mutual filed the lawsuit in August to avoid liability in a data breach at Schnuck that affected an estimated 2.4 million credit card accounts.
- Oct. 17. Oracle releases a monster security patch for several of its products. Of the 127 patches pushed to Oracle users, 51 were for Java SE.
Upcoming Security Events
- Oct. 23. Policy First! Critical Role Policy Plays in Making Organizations More Secure. 11-11:45 a.m. ET. Webinar sponsored by CyberArk. Free with registration.
- Oct. 28. SCADA and Me: Security Basics for Children and Managers. Noon ET. Live Web event. Free.
- Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros + VAT delegate/495 euros + VAT one-day pass; Discount from July 27-Sept. 27, 995 euros + VAT delegate/595 euros + VAT one-day pass; Standard from Sept. 27-Oct. 27, 1,095 euros + VAT delegate/695 euros + VAT one-day pass; On site from Oct. 28-31, 1,295 euros + VAT.
- Oct. 29. The Economics of Cyber Crime. 11 a.m. ET. Webinar sponsored by Dark Reading. Free with registration.
- Nov. 6. FedCyber.com Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, $100; industry, $599.
- Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
- Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
- Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. "The Art of Exploiting Injection Flaws," $1,800 by Oct. 24; $2,000 by Dec. 6; $2,300 thereafter. "The Black Art of Malware Analysis," $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter. "CNSS-4016-I Risk Analysis Course," $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter.
- Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
- Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.