
Archive for Crypto

Encryption Solutions Get Boost from Data Breaches

I’ve had a rash of phone calls lately from vendors saying “did you hear?” and using that to leverage their product offering. I can’t blame them. I know they have to make a buck. Here is an article over on “Enterprise Security Today” that points to this boost in sales.

Data breaches leave organizations vulnerable to massive information losses, including confidential client data. Data breaches also open companies to reputation damage and lawsuits. Data encryption solutions significantly reduce companies’ rates of data breaches. Encryption can mitigate the consequences of a potential data breach.

More than eight out of 10 organizations have suffered at least one breach of data in the last year, and 44 percent have lost data two to five times in the same period, according to new research from the Ponemon Institute.

There’s some good news for companies that have a comprehensive encryption strategy, however. These organizations had significantly lower rates of data breaches.

Data breaches open organizations to reputation damage and lawsuits — witness the recent data loss at grocery-chain Hannaford, where more than 4 million credit- and debit-card numbers were exposed between December 7, 2007, and March 10, 2008, resulting in at least 1,800 stolen, and at least one federal class-action lawsuit.

I’m planning to review a few encryption vendor offerings in the not too distant future.

No, sales folks don’t need to call.

Down boy.
:)
Article Link


UVa Student Picks Apart Security Code

From Daily Progress.com:

A University of Virginia graduate student and two fellow hackers say they have cracked the encryption code that protects billions of credit cards, subway passes and security badges.

With readily available equipment that cost less than $1,000, 26-year-old Karsten Nohl and his two Germany-based partners dismantled a tiny chip that is found inside many “smartcards” and mapped out its secret security algorithm.

With the cryptographic formula in hand, the hackers were then able to run it through a computer program that tried out every possible key. It broke the encryption after a few hours. If they were to try again, Nohl said, it would take a matter of minutes.

“I don’t want to help attackers, but I want to inform people about the vulnerabilities of these cards,” said Nohl, a Ph.D. candidate in computer engineering at UVa who is originally from Germany.

So, why does this seem familiar? The article seems a touch confusing. Did he break crypto or simply RFID? The quote from the article “found that it was fairly easy to crack the RFID chip’s code, potentially allowing a tech-savvy miscreant to clone credit cards, ride the Metro for free, or easily steal cars.” seems to indicate that they merely attacked the RFID as opposed to some encryption. Does anyone have a link to Nohl’s presentation from CCC?

Article Link


Trend Scoops Up Encryption Vendor

In a bid to flesh out its offerings, the folks at Trend Micro picked up a UK-based crypto provider. The company, Identum, will be used to complement their “software-as-a-service” offerings.

From Tech World:

Identum’s Private Post desktop and gateway server products will be integrated into Trend’s existing line of products and rebranded “Identum as Trend Micro.”

The Identum server software, which will automatically encrypt messages depending on the user’s corporate security policy, can be used alongside existing email and compliance products. It gives Trend a way to add email encryption to its InterScan Messaging Hosted Security product line.

Article Link


Cold Boot Attacks on Encryption Keys

Interesting reading.

From Princeton.edu:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

To answer the emails that I received this afternoon at once, no, they have not released bitunlocker.sh.

Article Link

Paper Link (.pdf)

[UPDATE] Here is the video from YouTube.




Is Banking Online Safer Than Banking On The Corner?

This article was written by Rob Rachwald (note: he’s the Director of Product Marketing for Fortify).

From IT Wales:

Banking online has become increasingly pervasive and is becoming more and more common. But has it reached a point where it’s actually safer than going to your local branch?

The risks of banking online are numerous

* Hackers have global reach - if you’re doing offline banking in Birmingham, you only need to be worried about bad guys in Birmingham, for instance the customers and employees present in your local branch. If you’re banking online, anyone in the world could attack you and your assets.

* Automation - in the physical world attackers are limited by their ability to manipulate physical items like making an extra copy of your account number. In the online world attackers are essentially unlimited in the resources they can bring to bear.

* Online security is opaque to the end user. People who aren’t particularly tech savvy have a tough time differentiating between good online security practices and bad online security practices. Security in the physical world is much more intuitive for most people - keep your chequebook in a safe place or don’t let someone peek when you are entering your PIN.

For the full piece read on.

Article Link


TrueCrypt 5.0 Released

The latest iteration of this handy tool is now out (Feb 5, ‘08). The new version now provides for full disk encryption.

From TrueCrypt:

Main Features:

* Creates a virtual encrypted disk within a file and mounts it as a real disk.

* Encrypts an entire hard disk partition or a storage device such as USB flash drive.

* Encryption is automatic, real-time (on-the-fly) and transparent.

* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (steganography – more information may be found here).
2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

* Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Article Link


Update Improves Crypto Tool for Al-Qaeda Backers


Unfortunate, but inevitable.

From CSO Online:

A recently released tool that allegedly was designed to help al-Qaeda supporters encrypt their Internet-based communications is a well-written and easily portable piece of code, according to a security researcher who has analyzed the software.

However, messages that are encrypted using the tool, which is known as Mujahedeen Secrets 2 (alternately spelled as Mujahideen), should be relatively easy for law enforcement authorities to spot and track, said Paul Henry, vice president of technology evangelism at Secure Computing Corp. in San Jose.

The tool was previously downloaded and reviewed by information-security practitioner Jeff Bardin, a former USAF/NSA code-breaker and Arabic translator who blogs for CSOonline.com. In a blog entry, “A Gift from the Islamic Faithful Network – Mujahedeen Secrets 2 Program,” Bardin concluded that the tool showed a software development cycle with an increasing level of sophistication.

For the full article read on.

Article Link


NSA Certifies General Dynamics Network Encryptor


I haven’t read anything on TACLANE/FASTLANE for a long while. Here is an interesting blurb on General Dynamics KG175D which NSA just certified.

From GCN:

The National Security Agency has certified General Dynamics’ TACLANE-Micro (KG-175D) in-line network encryptor for securing classified data at the Top-Secret level and below on commercial, military and government IP networks.

The encryptor can be used on fixed or mobile platforms such as ships or aircraft where space and power are limited, General Dynamics said. The device is ruggedized for operation in tactical environments and can be managed remotely.

Article Link


Crypto Course Available Online

Bruce Schneier has a great posting on his site today that points to a college crypto course that is available online. This course, “Practical Aspects of Modern Cryptography,” is available from the University of Washington.

Site Link via Schneier on Security.


World of Warcraft SpyKit Gets Crypto


“Sometimes it feels like, somebody’s watching me.”

For WoW fans, especially those who like to tinker, you’re being watched.

From the Reg UK:

According to Warden-watching modders, the latest version is now encrypted, adding a major barrier for tinfoil hats who track what information the application sends home to Blizzard.

The Warden’s function as an anti-hacking sentry was already cause for concern for some privacy advocates. From the moment players log into the game, The Warden checks open window names, process names, memory modifications, DDL names and other pieces of data in the background. The goal is to determine if the user has a specific hack or program loaded and sends back a “yes” or “no” answer to Blizzard.

At any given time, there is one version of The Warden active in a set of WoW servers. But Blizzard fights would-be countermeasures against The Warden by switching between hundreds of different copies of The Warden with the same functionality, but containing slight modifications in the code.

So, what we have here is potential for Blizzard to gain full access to a user’s system. Remember, I said potential.

Article Link
