Cryptography | Bach Seat

Tag Archive for Cryptography

RB | December 7, 2015

Comments Off

Let’s Encrypt Lives

Let’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt … We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

Encryption to protect communications

Let’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.

The Register reports that the free cert is no freebie weakling. Lets Encrypt uses a 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs.

Let’s Encrypt to offer free SSL/TLS certs

Let’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.

Besides securing your information going across the Internet from spies and thieves, FierceSecurityIT says another key aspect of Let’s Encrypt is to make it easy to generate and install new digital certificates. The Let’s Encrypt CA uses an open source “automated issuance and renewal protocol” that allows for certificates to be renewed without manual intervention.

The automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.

rb-

Major technology companies including Google, Yahoo and Facebook have made a strong push for broader use of encryption in light of government surveillance programs and burgeoning cyber-crime.

The point of Let’s Encrypt is that anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at no cost. This will help HTTPS become the default. This is a big step forward in terms of security and privacy.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Should You Switch To An HTTPS Website? (business.yell.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2015, CA, certificate authority, Cisco, Cryptography, CSCO, EFF, Facebook, FB, GOOG, Google, HTTPS, Let’s Encrypt, Microsoft, Mozilla, MSFT, Security, SSL, TLS

RB | October 25, 2011

One comment

Copier Security Best Practices

Copier Security Best Practices Multi-function printers (MFP) can scan, copy, fax, and print. The lowly office copier can now send emails, host web-based administrative pages, and even tell you when the ink is low. While doing all that, MFPs can store image files on onboard hard drives, which can contain sensitive, personally identifiable information (PII). Compliance with standards/laws such as PCI-DSS, HIPAA, Sarbanes Oxley, state privacy laws, etc., may force MFPs to be secured.

SecureState suggests some general questions to ask when trying to understand the criticality of these copier systems and to show some due diligence:

• Are these devices accessible on the network? If so, how is “Administrative” access controlled?
• How long are the image files retained on these systems?
• If the copier is compromised, can the attackers capture sensitive data?
• If a hard drive fails, does the replacement process follow the usual standard for securely destroying the disk?
• What are some of the services enabled on these devices? Is there an administrative website, SNMP client, or SMTP server? How about the accounts and passwords of the administrative websites; are they set to default accounts and passwords?

SecureState says If you answered “No” or “I don’t know” to these questions, some of the issues more than likely need to be addressed.

Just like any network appliance, MFPs and other print devices are small computers connected to the network that have memory, storage, processors, an operating system, and full-fledged web servers. These devices can hold sensitive information. Before that old printer is decommissioned, ensure the copier hard drive is securely wiped. If the existing device does not have advanced security options such as disk encryption or immediately overwriting data, the hard drive should be removed and securely wiped or destroyed separately before being decommissioned.

Recommended best practices

Recommended best practices for multi-function printers and copiers with disk drives:

Review vendor security configuration guides
Develop a standard configuration and check regularly
Enable immediate image to overwrite and schedule regular off-hours overwrite (DoD 3 pass)
Enable encryption (minimum 128-bit AES)
Use encryption and secure protocols such as IPSec, SSL, and SNMPv3 if network-enabled.
Regularly review copier vendor security bulletins.
Enable authentication and authorization (if possible, use network credentials)
Change admin password regularly
Enable audit log and review periodically
Treat network-enabled devices like any other computer on the network
Purchase a device that has an EAL2 Common Criteria certification

If the copier processes restricted data, it MUST have encryption and image overwrite. For devices that process restricted data but do not have the necessary security features:

If possible, buy the required security modules and enable the features.
If security features cannot be purchased or enabled, replace the copier as soon as appropriate and have the hard drive removed and destroyed.

By Copier Vendor

Xerox—Newer Xerox (XRX) devices have security features that often need to be turned on. For more information, see the Xerox Information Security Guides.

Ricoh—Security options for Ricoh’s (7752) have to be purchased separately. For more information, see the Ricoh Common Security Features Guide (PDF).

Canon—Security options for Canon (CAJ) devices must be purchased separately. For more information, see Canon Security Solutions for iR and iP Devices (PDF).

HP – All HP (HPQ) multi-function printers have hard drives.

There is a disk-wipe utility for all MFPs.
This utility is not installed by default and must be downloaded from HP.COM. It is protected by an admin account and password.
The admin can configure the utility to do a printer disk wipe daily.
Some non-MFP HP printers may have hard drives. These printers will have an occupied EIO card (with a resident hard drive) in the slot next to the network card. Viewing the printer’s external case, this EIO card should be physically evident.
Third-party disk wipe utility cannot be used against HP MFP hard drives without removing the drive from the card, which is likely to damage the card and, possibly, the hard drive.
Non-MFPs with hard drives are rare and may be purchased for particular purposes.
Non-MFPs with hard drives and network connections can be remotely disk wiped. Non-MFPs with a hard drive but without a network connection need to be handled by HP.
The agreements should include a defective media retention provision for leased HP printers that permits the lessor to keep the hard drive before releasing the printer.
The WebJetAdmin tool, downloadable from HP.COM, can scan a network subnet and identify HP printers (and non-HP printers if the tool has an MIB for the non-HP printer).

rb-

Richard Nixon

All they focused on was the costs; they did not ask any of the due diligence questions pointed out in this post. They had no plans on wiping the HDDs on the 12 networked copy/scan/print Ricohs. It is pretty clear that all the info on the HDDs was bound for South America or else on the secondary market, as I wrote about here.

Corporate Espionage’s New Friend: Embedded Web Servers (informationweek.com)

Category: Uncategorized | Tags: 2011, AES, Cryptography, Encryption, Hard disk drive, IPsec, MFP, Multifunction printer, Personally identifiable information, Security, SSL

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Bach Seat