Written by Dave Nyczepir
Jul 11, 2022 | FEDSCOOP

The Department of Homeland Security Science & Technology Directorate wants to encourage tech companies to develop automated software bill of materials tools offering more visibility into supply chains.

DHS S&T‘s Silicon Valley Innovation Program issued a five-year other transaction solicitation call for foundational open-source software libraries and other tools increasing the availability of trustworthy software bills of materials (SBOMs), machine-readable inventories of components and how they relate.

Many federal contractors hope SBOMs become the standard for proving government-mandated compliance with the Secure Software Development Framework. But multiple data formats exist, prompting the Cybersecurity and Infrastructure Security Agency to seek translation tools and automated SBOM generators that plug into build systems.

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms,” said Allan Friedman, senior advisor and strategist at CISA, in a statement. “By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster and more efficiently.”

SVIP issued the call on behalf of CISA for tools that will help secure essential communications, finance, transportation and energy services.

Other capabilities CISA is interested in are those that:

• visualize SBOM data on provenance and risk;
• plug into integrated development environment tools to highlight software dependencies, warn of vulnerabilities and provide mitigations; and
• use software identifiers to help system administrators using security incident and event management tools pinpoint and prioritize threats to the operational environment.

SVIP runs four phases with an optional fifth for further testing around new operational environments and use cases. Applicants will be submitting Phase 1 applications for $50,000 to $200,000 in funding to produce a minimum viable product (MVP) within three to nine months.

MVPs may be chosen to move to Phase 2: prototype development.

The deadline for Phase 1 applications is 3 p.m. ET, Oct. 3.

A virtual industry day will be held starting at 12:30 p.m. ET, July 14 for developers and vendors to ask questions about the solicitation and operational needs.

“DHS is committed to working with industry to develop tools and technologies that provide visibility into the software supply chain,” said Melissa Oh, managing director of SVIP, in a statement. “This topic call highlights core capabilities that will help bring transparency into the digital building blocks used by organizations in both their business operations and in their cyber defenses.”

DHS’ request for automated tools to help manage supply chain risk comes after the Department of Justice’s Office of Inspector General last week published details of a study in which it found that just two sub-agencies adhered to supply chain risk guidelines over the last six years.

Supply chain risk within federal agencies’ IT procurement processes has received enhanced scrutiny since the SolarWinds attack in 2020 during which software supply chains were used to breach cybersecurity defenses and steal information across government and the private sector.

Article link: https://www.fedscoop.com/dhs-seeks-sbom-tools/

-In this Story- 

Allan Friedman, Cybersecurity and Infrastructure Security Agency (CISA), DHS S&T, Melissa Oh, Science and Technology Directorate, Secure Software Development Framework (SSDF), Silicon Valley Innovation Program (SVIP), software bill of materials (SBOM), supply chain

More data and applications are moving to the cloud, which creates unique infosecurity challenges. Here are the “Pandemic 11,” the top security threats organizations face when using cloud services.

By John P. Mello Jr.

Contributor, CSO Online

JUL 4, 2022 2:00 AM PT

Identity and access issues topped the list of concerns of IT pros in the Cloud Security Alliance’s annual Top Threats to Cloud Computing: The Pandemic 11 report released earlier this month. “Data breaches and data loss were the top concerns last year,” says CSA Global Vice President of Research John Yeoh. “This year, they weren’t even in the top 11.”

“What that tells me is the cloud customer is getting a lot smarter,” Yeoh continues. “They’re getting away from worrying about end results—a data breach or loss is an end result—and looking at the causes of those results (data access, misconfigurations, insecure applications) and taking control of them.”

That trend is indicative of cloud service providers (CSPs) doing a better job of upholding their end of the shared responsibility model, where the CSP is responsible for protecting its infrastructure while the cloud user is on the hook for protecting the data, applications, and access in their cloud environments, says Corey O’Connor, director of products at DoControl, a provider of automated SaaS security. “This puts more pressure on the organization consuming the service, as attackers naturally place a much bigger focus on them,” he says. “This finding supports the narrative of organizations consuming cloud services needing to do everything they can to mitigate the risk of security events and data breaches. They need to do more to uphold their end of the model.”

CSA’s top cloud security threats

Here are the Pandemic 11 in order of importance.

1. Insufficient identity, credential, access and key management

Concerns about identity and access are foremost in the minds of cybersecurity pros, according to the CSA report. “Access is at the top of the list this year because protecting your data starts and ends with access,” says Yeoh.

Forrester Vice President and Principal Analyst Andras Cser agreed. “Identity and access in a CSP’s platforms are everything,” he says. “If you have the keys to the kingdom, you can’t just enter it but reconfigure it—a major threat to operational stability and security of any organization.”

“Attackers no longer try to brute-force their way into enterprise infrastructure,” adds Hank Schless, a senior manager for security solutions at Lookout, a provider of mobile phishing solutions. “With so many ways to compromise and steal corporate credentials, the preferred tactic is to pose as a legitimate user in order to avoid detection.”

As more organizations migrate their applications to the cloud, identity management continues to be a hot button issue, asserts Tushar Tambay, vice president of product development for data protection solutions at Entrust, a digital security and credential issuance company. “With many companies still working remotely as well, IT teams have to verify the identities of employees working from anywhere at any time on any device,” he says. “Additionally, businesses are engaging with customers and partners in the cloud.”

Tambay adds that key management needs to be prioritized, too. “Strong key management can keep data secure and help ensure that trusted parties only have access to data that is absolutely necessary,” he says. “Unfortunately, securing data through encryption can often cause a bit of a key management headache due to the growing number of keys.”

Identity management is almost entirely on the user to manage properly, says Daniel Kennedy, research director for information security and networking at 451 Research. “The cloud providers provide help, but the flexibility of cloud platforms come with a requirement to effectively manage user and system access and privileges,” he says. “It’s one of the primary responsibilities of the enterprise leveraging cloud in a shared responsibility model, and thus figures prominently in their assessment of risk.”

Key takeaways about access and identity management identified in the report include:

• Hardened defenses at the core of enterprise architectures have shifted hacking to endpoint user identity as low-hanging fruit.
• Discrete user and application-based isolation is required to achieve a robust zero trust-layer beyond simple authentication.
• Advanced tools are only part of the story, such as cloud infrastructure entitlement management (CIEM). Operational policies and structured risk models are also vital.
• Trust is more than giving keys and codes. It’s earned. User objects must be given risk scores that dynamically adjust as the business requires.

2. Insecure interfaces and APIs

APIs and similar interfaces potentially include vulnerabilities due to misconfiguration, coding vulnerabilities, or a lack of authentication and authorization among other things, the report stated. These oversights can potentially leave them vulnerable to malicious activity.

It added that organizations face a challenging task in managing and securing APIs. For example, the velocity of cloud development is greatly accelerated. Processes that took days or weeks using traditional methods can be completed in seconds or minutes in the cloud. Using multiple cloud providers also adds complexity, it continues, as each provider has unique capabilities that are enhanced and expanded almost daily. This dynamic environment requires an agile and proactive approach to change control and remediation that many companies have not mastered.

Key takeaways about APIs include:

• The attack surface provided by APIs should be tracked, configured, and secured.
• Traditional controls and change management policies and approaches need to be updated to keep pace with cloud-based API growth and change.
• Companies should embrace automation and employ technologies that monitor continuously for anomalous API traffic and remediate problems in near real time.

3. Misconfiguration and inadequate change control

Misconfigurations are the incorrect or sub-optimal setup of computing assets that may leave them vulnerable to unintended damage or external and internal malicious activity, the report explained. Lack of system knowledge or understanding of security settings and nefarious intentions can result in misconfigurations.

A serious problem with misconfiguration errors is they can be magnified by the cloud. “One of the biggest advantages of the cloud is its scalability and the way it enables us to create interconnected services for smoother workflows,” Schless says. “However, this also means that one misconfiguration can have magnified ramifications across multiple systems.”

Due to an automated continuous integration/continuous deliver (CI/CD) pipeline, misconfigurations and vulnerabilities not identified during build time are automatically deployed to production, says Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes and the cloud. “Misconfigurations and vulnerabilities in images are passed on to all containers created from those images.”

Key takeaways about misconfiguration and inadequate change control include:

1. Companies need to embrace available technologies that scan continuously for misconfigured resources to allow remediation of vulnerabilities in real-time.
2. Change management approaches must reflect the unceasing and dynamic nature of continuous business transformations and security challenges to ensure approved changes are made properly using real-time automated verification.

4. Lack of cloud security architecture and strategy

The fast pace of change and the prevalent, decentralized, self-service approach to cloud infrastructure administration hinder the ability to account for technical and business considerations and conscious design the report notes. However, it added, security considerations and risks must not be ignored if cloud endeavors are to be successful and safe.

Those problems can be compounded when multiple cloud providers are involved. “Leveraging cloud providers is certainly no longer novel, but the security product space continues to emerge and evolve around the cloud,” Kennedy says. “As examples, early on we saw cloud workload security emerge as an approach to provide common third-party security functions.”

“Most security folks looking after cloud security must consider what mix of default controls from the cloud provider, premium controls from the same, and what third-party security product offerings address their specific risk profile, and sometimes that profile is different at the application level. It introduces a lot of complexity in the face of emerging threats,” Kennedy adds.

Key takeaways about the lack of cloud security architecture and strategy include:

• Companies should consider business objectives, risk, security threats, and legal compliance in cloud services and infrastructure design and decisions.
• Given the rapid pace of change and limited centralized control in cloud deployments, it’s more important, not less, to develop and adhere to an infrastructure strategy and design principles.
• Adopters are advised to consider due diligence and vendor security assessment foundational practices. They should be complemented with secure design and integration to avoid the kinds of systemic failures that occurred in the, SolarWinds, Kaseya and Bonobos breaches.

5. Insecure software development

While the cloud can be a powerful environment for developers, organizations need to make sure developers understand how the shared responsibility model affects the security of their software. For example, a vulnerability in Kubernetes could be the responsibility of a CSP, while an error in a web application using cloud-native technologies could be the responsibility of the developer to fix.

Key takeaways to keep in mind about insecure software development include:

• Using cloud technologies prevents reinventing existing solutions, allowing developers to focus on issues unique to the business.
• By leveraging shared responsibility, items like patching can be owned by a CSP rather than the business.
• CSPs place an importance on security and will provide guidance on how to implement services in a secure fashion.

6. Unsecure third-party resources

According to the CSA report, third-party risks exist in every product and service we consume. It noted that because a product or service is a sum of all the other products and services it’s using, an exploit can start at any point in the supply chain for the product and proliferate from there. Threat actors know they only need to compromise the weakest link in a supply chain to spread their malicious software, oftentimes using the same vehicles developers use to scale their software.

Key takeaways about unsecure third-party resources include:

• You can’t prevent vulnerabilities in code or products you didn’t create, but you can make a good decision about which product to use. Look for the products that are officially supported. Also, consider those with compliance certifications, that openly speak about their security efforts, that have a bug bounty program, and that treat their users responsibly by reporting security issues and delivering fixes quickly.
• Identify and track the third parties you are using. You don’t want to find out you’ve been using a vulnerable product only when the list of victims is published. This includes open source, SaaS products, cloud providers, and managed services, and other integrations you may have added to your application.
• Perform a periodic review of the third-party resources. If you find products you don’t need, remove them and revoke any access or permissions you may have granted them into your code repository, infrastructure or application.
• Don’t be the weakest link. Penetration-test your application, teach your developers about secure coding, and use static application security testing (SAST) and dynamic application security testing (DAST) solutions.

7. System vulnerabilities

These are flaws in a CSP that can be used to compromise confidentiality, integrity and availability of data, and disrupt service operations. Typical vulnerabilities include zero days, missing patches, vulnerable misconfiguration or default settings, and weak or default credentials that attackers can easily obtain or crack.

Key takeaways about system vulnerabilities include:

• System vulnerabilities are flaws within system components often introduced through human error, making it easier for hackers to attack your company’s cloud services.
• Post-incident response is a costly proposition. Losing company data can negatively impact your business’s bottom line in revenue and reputation.
• Security risks due to system vulnerabilities can be greatly minimized through routine vulnerability detection and patch deployment combined with rigorous IAM practices.

8. Accidental cloud data disclosure

Data exposure remains a widespread problem among cloud users, the report noted, with 55% of companies having at least one database that’s exposed to the public internet. Many of those databases have weak passwords or don’t require any authentication at all, making them easy targets for threat actors.

Key takeaways about accidental cloud data disclosure include:

• Which databases are in the clouds? Review your platform-as-a-service (PaaS) databases, storage and compute workloads hosting databases, including virtual machines (VMs), containers, and the database software installed on them.
• What is effectively exposed from the cloud environment? Choose exposure engines that have full visibility of your cloud environment to identify any routing or network services that allow traffic to be exposed externally. This includes load balancers, application load balancers, content delivery networks (CDNs), network peering, and cloud firewalls.
• Assess external exposure from a Kubernetes cluster. The exposure engine must factor in many Kubernetes networking components, including cluster IPs, Kubernetes services, and ingress rules.
• Reduce access exposure by ensuring that the database is configured to the least-privileged IAM policy, and that assignments of this policy are controlled and monitored.

9. Misconfiguration and exploitation of serverless and container workloads

Managing and scaling the infrastructure to run applications can still be challenging to developers, the report pointed out. They must take on more responsibility network and security controls for their applications.

While some of that responsibility can be offloaded to a CSP through the use of serverless and containerized workloads, for most organizations, lack of control of cloud infrastructure limits mitigation options for application security issues and the visibility of traditional security tooling. That’s why the report recommended building strong organizational practices around cloud hygiene, application security, observability, access control, and secrets management to reduce the blast radius of an attack.
Key takeaways about misconfiguration and exploitation of serverless and container workloads include:

• Companies should implement cloud security posture management (CSPM), CIEM, and cloud workload protection platforms to increase security visibility, enforce compliance, and achieve the least privilege in serverless and containerized workloads.
• Investments should be made into cloud security training, governance processes, and reusable secure cloud architecture patterns to reduce the risk and frequency of insecure cloud configurations.
• Development teams should put extra rigor around strong application security and engineering best practices before migrating to serverless technologies that remove traditional security controls.

10. Organized crime, hackers and APT groups

Advanced persistent threat (APT) groups typically focus their thieving ways at data acquisition. Those groups are closely studied by threat intelligence outfits, who publish detailed reports on the groups’ methods and tactics. The CSA report recommended organizations use those reports to stage “red team” exercises to better protect themselves from APT attacks, as well as perform threat-hunting exercises to identify the presence of any APTs on their networks.

Key takeaways from the report in the APT area include:

• Conduct a business impact analysis on your organization to understand your information assets.
• Participate in cybersecurity information sharing groups.
• Understand any relevant APT groups and their tactics, techniques and procedures (TTPs).
• Conduct offensive security exercises to simulate the TTPs of these APT groups.
• Ensure security monitoring tools are tuned to detect TTPs of any relevant APT groups.

11. Cloud Storage Data Exfiltration

Cloud storage data exfiltration occurs when sensitive, protected or confidential information is released, viewed, stolen or used by an individual outside of the organization’s operating environment. The report noted that many times data exfiltration may occur without the knowledge of the data’s owner. In some cases, the owner may not be unaware of the data’s theft until notified by the thief or until it appears for sale on the internet.

While the cloud can be a convenient place to store data, the report continued, it also offers multiple ways to exfiltrate it. To protect against exfiltration, organizations have begun turning to a zero-trust model where identity-based security controls are used to provide least privileged access to data.

Key takeaways about cloud storage exfiltration in the report include:

• Cloud storage requires a well-configured environment (SaaS security posture management [SSPM], CSPM), remediation of vulnerabilities in infrastructure as a service (IaaS), which is still a major threat vector, and strong identity and access control of both people and non-human personas.
• To detect and prevent attacks and data exfiltration, apply the CSP’s best practices guides, monitoring and detection capabilities.
• Employee awareness training on cloud storage usage is required, as data is scattered in various locations and controlled by various personas.
• Evaluate a cloud providers’ security resilience and, at minimum, security standards adherence, legal agreement, and service level agreement (SLA).
• If not limited by business, client-side encryption can provide protection from external attackers or CSP malicious insiders. Overall, encryption is not always feasible, due to implementation considerations.
• Classifying data can help in setting different controls, and if exfiltration happens, assessing the impact and recovery actions required.

Shifting focus of cloud security

The CSA report noted that its 2022 edition continued a nascent trend found in its previous version: a shift away from the traditional focus on information security, such as vulnerabilities and malware. Regardless, these security issues are a call to action for developing and enhancing cloud security awareness and configuration, and identity management. The cloud itself is less of a concern, so now the focus is more on the implementation of the cloud technology.

Article link: https://www-csoonline-com.cdn.ampproject.org/c/s/www.csoonline.com/article/3043030/top-cloud-security-threats.amp.html

Editor’s note: This article, originally published on March 11, 2016, has been updated to reflect the latest research.

The Army Medical Modernization Strategy (AMMS), which seeks to improve the integration and modernization of mission-critical medical capabilities, will ensure the Army Health System is well-equipped to provide highly adaptive and effective care to the Future Force.

AMMS initiatives will extend across the US Army to strengthen how we support, what we support with and who we are, ultimately delivering a Multi-Domain Medical Force that is an integral part of an adaptive, responsive and resilient Joint Medical Force.

Learn more here: https://lnkd.in/gr7y3GJn

Article link: https://www.linkedin.com/posts/armyfutures_teamafc-forgethefuture-army-activity-6950804021024624640-t4iF?

Once you’ve met your most basic needs, an obsession with your bank account might be hiding deeper anxieties.By Arthur C. Brooks

“How to Build a Life” is a weekly column by Arthur Brooks, tackling questions of meaning and happiness. Click here to listen to his new podcast series on all things happiness, How to Build a Happy Life.

---

Money is one of the things Americans worry about most in the world. Even in 2018, when the economy was expanding, a survey by the life-insurance company Northwestern Mutual found that more than half of Americans felt anxious or insecure about money sometimes, often, or all the time. And during the pandemic, another survey found that workers were almost five times more likely to worry about money than their health.

That’s not to say that so many of us need to worry about money: A far smaller portion of Americans—11.4 percent, according to 2020 data from the U.S. Census Bureau—live in poverty. And yet, according to a 2015 survey fielded by the financial-management firm UBS, more than half of Millennials with a net worth greater than $1 million feared losing their wealth “a great deal” or “somewhat,” as did more than a third of similarly wealthy Baby Boomers.

For millions of people, then, worrying about money is not a reflection of whether their basic needs are being met. In fact, this anxiety reflects deeper concerns that money can’t solve.

orry has a nearly infinite ability to make our lives worse. In his 1948 book, How to Stop Worrying and Start Living, Dale Carnegie wrote, “Those who do not know how to fight worry die young.” The data support his claim: Researchers have found that psychological distress from sources including worry is associated with early mortality. Daily worrying can also lead to clinical anxiety, depression, and physical ailments such as lower-back pain, breathing difficulties, and stomach pains.

By contrast, money has only a limited power to make our lives better. Consider the hierarchy of needs proposed in 1943 by the psychologist Abraham Maslow. Maslow believed that people tend to focus on meeting their needs in a particular order of urgency. We start with survival needs such as food, shelter, and safety. Once these have been met, we turn our attention to social and emotional needs, such as love and belonging. Finally, we focus on higher-order needs such as self-actualization and transcendence—in other words, looking for life’s meaning.

Of these three levels, money is only truly helpful for the first. This is why economists often find that well-being doesn’t improve much once a person reaches the relatively modest financial means that meet those needs. The “middle needs” of love and belonging—family, friends, romance—can’t be met with money, and pursuing money with too much gusto can even cause people to neglect their relationships. Focusing too much on money is also actively opposed to Maslow’s highest-level needs, because doing so can lead people into a trap that researchers call“financial contingency of self-worth,” which happens when a person’s self-esteem is conditional on her financial success.

Not surprisingly, basing your self-image on your bank account can lead to unhappiness. In a 2020 study, my colleague Ashley Whillans and four co-authors asked a sample of 345 adults to react to statements such as “My self-esteem is influenced by how much money I make,” and “I feel bad about myself when I feel like I don’t make enough money.” Those who agreed were more likely to be lonely and socially disconnected. They also, not surprisingly, spent more time working alone than average.

Perhaps financially contingent self-worth is one reason stress is high both when money is tight and after people reach a higher income threshold. A 2018 surveyconducted by LinkedIn found that stress at work falls when people earn more than $50,000, but then starts to rise significantly when people earn above $200,000. One 2016 study in China showed that unhappiness follows a gradual U-shaped curve, declining with moderate income and then increasing again as income rises to higher levels.

t low income levels,worrying about money can be perfectly rational. As I have written in the past in this column, insufficient income to meet one’s material needs is a major source of unhappiness. Sometimes, spending less time on family, friends, and faith is necessary in order to support yourself. In such situations, money still can’t buy happiness—but it can remove sources of unhappiness.

But what if, after assessing your life circumstances honestly, you find that you have passed through the zone of low-income worry and are still worried about money? Perhaps you have some extenuating circumstances, such as a lot of other people who depend on you for support, or a high level of debt. But if these cases don’t apply, your focus on money might be disguising other anxieties.

Perhaps your parents always put a lot of pressure on you to succeed financially, or you tend to be insecure about your self-worth and rely a lot on social comparison. One way or another, you might be measuring yourself in money, and implicitly hoping that at some point you will be “expensive” enough to earn others’ love and respect. Your instincts might be telling you to earn more, more, more in order to find peace and satisfaction. Your instincts are lying, and you could get much happier by reassessing your priorities.

One practice that can help in this project is to give more of your money away, instead of accumulating it or spending it on conspicuous goods. This time of year, you can find no end of good causes competing for your generosity. The voluntary act of giving is a way of demonstrating to yourself that you are not your money, that money is merely a means by which you can create value in your life and others’. Giving is an act of rebellion against your grasping, attached self.

You could also try working less while redirecting your time toward non-remunerative activities that give you benefits that are further up on Maslow’s hierarchy. Many hardworking people work constantly, including on their nights and days off. If that describes you on Saturday or Sunday, for example, start dedicating one of those days to self-actualization instead by reading works of wisdom, walking in nature, or engaging in meditation or prayer. Find a good cause and volunteer your time. Attend worship services. At first you might feel like you don’t have time for this. Soon you will find that you can’t afford not to do these things.

Backing off on your financial ambitions may feel like closing the door on prosperity, which might be a lifelong dream. But actually, it doesn’t mean that at all. “He who knows he has enough is rich,” Lao Tzu said in the Tao Te Ching. In other words, you’ll be happiest if you’re rich in what really matters. Maybe that means you wind up with a lot of money, and maybe it doesn’t. The key is to remember that money can never be what makes you truly prosperous.

Arthur C. Brooks is a contributing writer at The Atlantic, the William Henry Bloomberg Professor of the Practice of Public Leadership at the Harvard Kennedy School, and a professor of management practice at the Harvard Business School. He’s the host of the podcast seriesHow to Build a Happy Life and the author of From Strength to Strength: Finding Success, Happiness, and Deep Purpose in the Second Half of Life.

Article link: https://www.theatlantic.com/family/archive/2021/12/worry-money-maslow-hierarchy-needs/620950/?

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

Your passwords are terrible. Yearafter year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will actuallybe the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don’t exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaringtheir support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.

Article link: https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/apple-passkeys-password-ios16-ventura/amp

Federal agency reveals the first group of winners from its six-year competition.

July 05, 2022

GAITHERSBURG, Md. — The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has chosen the first group of encryption tools that are designed to withstand the assault of a future quantum computer, which could potentially crack the security used to protect privacy in the digital systems we rely on every day — such as online banking and email software. The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized in about two years.

“Today’s announcement is an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers,” said Secretary of Commerce Gina M. Raimondo. “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so U.S. businesses can continue innovating while maintaining the trust and confidence of their customers.”

The announcement follows a six-year effort managed by NIST, which in 2016 called upon the world’s cryptographers to devise and then vet encryption methods that could resist an attack from a future quantum computer that is more powerful than the comparatively limited machines available today. The selection constitutes the beginning of the finale of the agency’s post-quantum cryptography standardization project.

“NIST constantly looks to the future to anticipate the needs of U.S. industry and society as a whole, and when they are built, quantum computers powerful enough to break present-day encryption will pose a serious threat to our information systems,” said Under Secretary of Commerce for Standards and Technology and NIST Director Laurie E. Locascio. “Our post-quantum cryptography program has leveraged the top minds in cryptography — worldwide — to produce this first group of quantum-resistant algorithms that will lead to a standard and significantly increase the security of our digital information.”

Four additional algorithms are under consideration for inclusion in the standard, and NIST plans to announce the finalists from that round at a future date. NIST is announcing its choices in two stages because of the need for a robust variety of defense tools. As cryptographers have recognized from the beginning of NIST’s effort, there are different systems and tasks that use encryption, and a useful standard would offer solutions designed for different situations, use varied approaches for encryption, and offer more than one algorithm for each use case in the event one proves vulnerable.

“Our post-quantum cryptography program has leveraged the top minds in cryptography — worldwide — to produce this first group of quantum-resistant algorithms that will lead to a standard and significantly increase the security of our digital information.” —NIST Director Laurie E. Locascio

Encryption uses math to protect sensitive electronic information, including the secure websites we surf and the emails we send. Widely used public-key encryption systems, which rely on math problems that even the fastest conventional computers find intractable, ensure these websites and messages are inaccessible to unwelcome third parties.

However, a sufficiently capable quantum computer, which would be based on different technology than the conventional computers we have today, could solve these math problems quickly, defeating encryption systems. To counter this threat, the four quantum-resistant algorithms rely on math problems that both conventional and quantum computers should have difficulty solving, thereby defending privacy both now and down the road.

The algorithms are designed for two main tasks for which encryption is typically used: general encryption, used to protect information exchanged across a public network; and digital signatures, used for identity authentication. All four of the algorithms were created by experts collaborating from multiple countries and institutions. 

For general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. 

For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+ (read as “Sphincs plus”). Reviewers noted the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: It is based on a different math approach than all three of NIST’s other selections.

Three of the selected algorithms are based on a family of math problems called structured lattices, while SPHINCS+ uses hash functions. The additional four algorithms still under consideration are designed for general encryption and do not use structured lattices or hash functions in their approaches. 

While the standard is in development, NIST encourages security experts to explore the new algorithms and consider how their applications will use them, but not to bake them into their systems yet, as the algorithms could change slightly before the standard is finalized.

To prepare, users can inventory their systems for applications that use public-key cryptography, which will need to be replaced before cryptographically relevant quantum computers appear. They can also alert their IT departments and vendors about the upcoming change. To get involved in developing guidance for migrating to post-quantum cryptography, see NIST’s National Cybersecurity Center of Excellence project page.  

All of the algorithms are available on the NIST website.

Article link: https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms

Information technology, Cybersecurity and Cryptography

July 1, 20225:00 AM ET

JULIE APPLEBY

The new rules will help people get upfront cost estimates for about 500 so-called “shoppable” services, meaning medical care they can schedule ahead of time DNY59/Getty Images

Consumers, employers and just about everyone else interested in health care prices will soon get an unprecedented look at what insurers pay for care, perhaps helping answer a question that has long dogged those who buy insurance: Are we getting the best deal we can?

Starting July 1, health insurers and self-insured employers must post on websites just about every price they’ve negotiated with providers for health care services, item by item. About the only exclusion is the prices paid for prescription drugs, except those administered in hospitals or doctors’ offices.

This story was produced in partnership with Kaiser Health News.

The federally required data release could affect future prices or even how employers contract for health care. Many will see for the first time how well their insurers are doing compared with others.

The new rules are far broader than those that went into effect last year requiring hospitals to post their negotiated rates for the public to see. Now insurers must post the amounts paid for “every physician in network, every hospital, every surgery center, every nursing facility,” said Jeffrey Leibach, a partner at the consulting firm Guidehouse.

“When you start doing the math, you’re talking trillions of records,” he said. The fines the federal government could impose for noncompliance are also heftier than the penalties that hospitals face.

Federal officials learned from the hospital experience and gave insurers more direction on what was expected, said Leibach. Insurers or self-insured employers could be fined as much as $100 a day for each violation and each affected enrollee if they fail to provide the data.

“Get your calculator out: All of a sudden you are in the millions pretty fast,” Leibach said.

Determined consumers, especially those with high-deductible health plans, may try to dig in right away and use the data to try comparing what they will have to pay at different hospitals, clinics, or doctor offices for specific services.

But each database’s enormous size may mean that most people “will find it very hard to use the data in a nuanced way,” said Katherine Baicker, dean of the University of Chicago Harris School of Public Policy.

At least at first.

Entrepreneurs are expected to quickly translate the information into more user-friendly formats so it can be incorporated into new or existing services that estimate costs for patients. And starting Jan. 1, the rules require insurers to provide online tools that will help people get upfront cost estimates for about 500 so-called “shoppable” services, meaning medical care they can schedule ahead of time.

Once those things happen, “you’ll at least have the options in front of you,” said Chris Severn, CEO of Turquoise Health, an online company that has posted price information made available under the rules for hospitals, although many hospitals have yet to comply.

With the addition of the insurers’ data, sites like his will be able to drill down further into cost variation from one place to another or among insurers.

“If you’re going to get an X-ray, you will be able to see that you can do it for $250 at this hospital, $75 at the imaging center down the road, or your specialist can do it in office for $25,” he said.

Everyone will know everyone else’s business: for example, how much insurers Aetna and Humana pay the same surgery center for a knee replacement.

The requirements stem from the Affordable Care Act and a 2019 executive order by then-President Donald Trump.

“These plans are supposed to be acting on behalf of employers in negotiating good rates, and the little insight we have on that shows it has not happened,” said Elizabeth Mitchell, president and CEO of the Purchaser Business Group on Health, an affiliation of employers who offer job-based health benefits to workers. “I do believe the dynamics are going to change.”

Other observers are more circumspect.

“Maybe at best this will reduce the wide variance of prices out there,” said Zack Cooper, director of health policy at the Yale University Institution for Social and Policy Studies. “But it won’t be unleashing a consumer revolution.”

Still, the biggest value of the July data release may well be to shed light on how successful insurers have been at negotiating prices. It comes on the heels of research that has shown tremendous variation in what is paid for health care. A recent study by the Rand Corp., for example, shows that employers that offer job-based insurance plans paid, on average, 224% more than Medicare for the same services.

Tens of thousands of employers who buy insurance coverage for their workers will get this more-complete pricing picture — and may not like what they see.

“What we’re learning from the hospital data is that insurers are really bad at negotiating,” said Gerard Anderson, a professor in the department of health policy at the Johns Hopkins Bloomberg School of Public Health, citing research that found that negotiated rates for hospital care can be higher than what the facilities accept from patients who are not using insurance and are paying cash.

That could add to the frustration that Mitchell and others say employers have with the current health insurance system. More might try to contract with providers directly, only using insurance companies for claims processing.

Other employers may bring their insurers back to the bargaining table.

“For the first time, an employer will be able to go to an insurance company and say, ‘You have not negotiated a good-enough deal, and we know that because we can see the same provider has negotiated a better deal with another company,'” said James Gelfand, president of the ERISA Industry Committee, a trade group of self-insured employers.

If that happens, he added, “patients will be able to save money.”

That’s not necessarily a given, however.

Because this kind of public release of pricing data hasn’t been tried widely in health care before, how it will affect future spending remains uncertain. If insurers are pushed back to the bargaining table or providers see where they stand relative to their peers, prices could drop. However, some providers could raise their prices if they see they are charging less than their peers.

“Downward pressure may not be a given,” said Kelley Schultz, vice president of commercial policy for AHIP, the industry’s trade lobby.

Baicker, of the University of Chicago, said that even after the data is out, rates will continue to be heavily influenced by local conditions, such as the size of an insurer or employer — providers often give bigger discounts, for example, to the insurers or self-insured employers that can send them the most patients. The number of hospitals in a region also matters — if an area has only one, for instance, that usually means the facility can demand higher rates.

Bill Of The Month

Another unknown: Will insurers meet the deadline and provide usable data?

Schultz, at AHIP, said the industry is well on the way, partly because the original deadline was extended by six months. She expects insurers to do better than the hospital industry. “We saw a lot of hospitals that just decided not to post files or make them difficult to find,” she said.

So far, more than 300 noncompliant hospitals have received warning letters from the government. But they could face $300-a-day fines for failing to comply, which is less than what insurers potentially face, although the federal government has recently upped the ante to up to $5,500 a day for the largest facilities.

Even after the pricing data is public, “I don’t think things will change overnight,” said Leibach. “Patients are still going to make care decisions based on their doctors and referrals, a lot of reasons other than price.”

KHN (Kaiser Health News) is a national newsroom that produces in-depth journalism about health issues. It is an editorially independent operating program of KFF (Kaiser Family Foundation).