Tag Archive for Encryption

| January 19, 2019
Comments Off on Zix Buys AppRiver – Bolsters Email Security

Zix Buys AppRiver – Bolsters Email Security

Zix Buys AppRiver - Bolsters Email SecurityCompetition in the email security market is intense. Most of the major endpoint security companies, Barracuda, Cisco (CSCO) Fortinet (FTNT), Mimecast (MIME), and Proofpoint (PFPT), have moved into email security — emphasizing training services to mitigate rising phishing threats. Plus, Microsoft (MSFT) has pushed into email security services that wrap around its core business productivity software Office 365.

email securityThe global email security market is expected to reach $18 billion by 2023, expanding at 22% from 2016, this report asserts. This growth has drawn the attention of venture capitalists. The latest VC deal is unique in that the smaller company is buying the larger firm.

Publicly traded Zix (ZIXI) is acquiring AppRiver for $275 million in cash. Zix is a Dallas-based maker of email archiving and security products including ZixMail which manages the key management to provide end-to-end email encryption that protects messages and attachments.

Zix is acquiring AppRiver AppRiver is a privately held Florida-based MSP-friendly cybersecurity and Microsoft Office 365 cloud solutions provider specialist. AppRiver, founded in 2002, supports more than 60,000 companies globally in 2019.

Zix and AppRiver each have about 260 employees. As part of the M&A plan, Zix expects to generate about $8 million in cost synergies — which typically means that layoffs are coming. AppRiver CEO Michael Murdoch is exiting the combined firm. Zix CEO David Wagner would not rule out further job cuts.

cost synergiesCEO Wagner has lined up financial backers to help finance the AppRiver deal. Among the financial players are:

True Wind Capital will make a $100 million equity investment with the closing of the AppRiver acquisition.

SunTrust Bank and KeyBanc Capital Markets committed to a new five-year $175 million term loan and a $25 million revolving credit line.

The combined company, known as Zix, expects to generate roughly $200 – $207 million in annual recurring revenue in fiscal 2019, up 11% – 15% year over year. The deal is expected to close by March 31, 2019. Bu purchasing AppRiver, the new Zix will grow its channel from about 400 to 4,000 partners and its customer base will go from 20,000 to 60,000.

AppRiver is no stranger to acquisitions as it worked to position itself as a one-stop-shop for commercial cybersecurity services.

In October 2017, VC firm Marlin Equity Partners purchased a majority stake in AppRiver with intention of expanding its global footprint.

In March 2018, AppRiver acquired Canadian company Roaring Penguin for its anti-spam and machine learning technologies. In October of 2018, AppRiver acquired Total Defense, a provider of subscription-based endpoint security for consumers and small businesses.

rb-

The last three places I have worked were AppRiver or Zix shops. It makes sense email is the gateway to the cloud for many firms. Email is mission-critical and complicated to secure so it gets moved to the cloud.

My experience with both firms was OK. We were an earlier adopter of hosted Exchange from AppRiver and then at a re-seller. In keeping with industry trends, my current employer moved from Zix as we moved to O365, maybe this deal is a year too late.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| January 5, 2019
Comments Off on Marriott Data Breach One Of Biggest Ever

Marriott Data Breach One Of Biggest Ever

Updated July 17, 2019 – The Brits slapped Marriott with a £99m ($124m) fine for “infringements of the GDPR.” The Information Commissioner’s Office said that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems prior to the data breach.

___

Marriott Data Breach One Of Biggest EverThe internet is a dangerous place for data. Hotel chain Marriott (MAR) proved that once again. Marriott revealed that hackers stole personal information from 500 million Starwood Preferred Guest program participants. The data stolen in the data breach included sensitive personally identifiable information (PII).

Marriott

Marriott said it got an alert on September 8, 2018, about an attempt to access the Starwood database and enlisted security experts to assess the situation. During the investigation, Marriott claims to have discovered that the unauthorized access to the Starwood network started in 2014.

Investigators found that an unauthorized party had copied and encrypted information from the database and had taken steps toward removing it. The company was able to decrypt the information on November 19, 2018, and found that the contents were from the Starwood guest reservation database. The hotel chain then waited until November 30, 2018, to tell its customers of the data theft.

What was lost on the data breach

personally identifiable informationFor about 327 million Marriott customers, the compromised information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Marriott added that the data breach included payment card information. About 170 million impacted Marriott customers only had their names and basic information like address or email address stolen.

Marriott says that about 20.3 million encrypted passport numbers and approximately 8.6 million encrypted payment cards were compromised in the breach.

Chinese hackers Several sources report that state-sponsored Chinese hackers working for the intelligence services and the military were behind the attack. The stolen data would be an espionage bonanza for government hackers. Sources point out that the Starwood attacks began in 2014, shortly after the attack on the U.S. government’s Office of Personnel Management (OPM) compromised sensitive data on tens of millions of employees, including application forms for security clearances.

Sadly, the 500 million records Marriott hack only ranks as the third-largest known data breach to date. This list of fails illustrates, no matter what you’re doing online every time you put your information on the internet, you risk it being stolen.

RankCompanyAccounts HackedDate of Hack
1Yahoo3 BillionAugust 2013
2River City Media1.3 BillionMay 2017
3Aadhaar1.1 BillionJanuary 2018
4Marriott500 Million2014 - 2018
5Yahoo500 MillionLate 2014
6Adult Friend Finder412 MiltonOctober 2016
7MySpace360 MillionMay 2016
8Exactis340 MillionJune 2018
9Twitter330 MillionMay 2018
10Experian200 MillionMarch 2012
11Deep Root Analytics198 MillionJune 2017
12Adobe152 MillionOctober 2013
13Under Armor150 MillionFebruary 2018
14Equifax145.5 MillionJuly 2017
15Ebay145 MillionMay 2014
16Heartland Payment Systems134 MillionMay 2008`
17Alteryx123 MillionDecember 2017
18Nametests120 MillionJune 2018
19LinkedIn117 MillionJune 2012
20Target110 MillionNovember 2013
21Quora100 millionNovember 2018
22VK100 MillionDecember 2018
23Firebase100 MillionJune 2018

rb-

There is something else fishy here. Reports claim that the data was encrypted using AES-128 but not all the stolen data. Attackers were able to steal nearly 20 million passport numbers, and 8.6 million encrypted payment cards.

Marriott says that the attackers were able to gain access to 5.25 million unencrypted passport numbers and 2,000 unencrypted payment card numbers.

I’m sure that regulators (GDPR) and lawyers will ask why unencrypted sensitive info like passports and credit card numbers lying around waiting to be stolen?

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| November 25, 2018
Comments Off on How Lava Lamps Secure the Internet

How Lava Lamps Secure the Internet

How Lava Lamps Secure the InternetThe web performance and security company, Cloudflare provides security and domain name services for companies such as Cisco (CSCO),  FitBit, OKCupid, Uber, and Zendesk. It serves a total of 10 million website domains and the average Internet user touches its services around 500 times per day, according to its website.

CloudflareThe company hopes to leverage its solid reputation for its secure encryption into a 2019 $3.5 billion IPO. Cloudflare’s reputation is based in part on a shelf full of lava lamps.

The lava lamps in the lobby of Cloudflare’s San Francisco headquarters ensure randomness for generating encryption keys. ID Quantique explains that the strength of any cryptographic system lies in its keys – the random stream of bits used by the cryptographic algorithm to transform plain text into ciphertext and back again.

Lava laps provide Internet security

The secret to a secure key is the amount of randomness, or entropy used to generate the key. The greater the degree of entropy, the more secure the key is. Because conventional computers cannot generate true randomness, information from inputs such as mouse movements, disc interrupts, or system timers are all placed into a ‘pool’ of numbers, from which a ‘seed’ is picked. This ‘seed’ is then used in the pseudo-random number generation (PRNG) which generates the keys.

Instead of using mouse movements, disc interrupts or system timers, Cloudflare videotapes its wall of colorful constantly morphing lava lamps and translates that video information into unique cryptographic keys. The lava lamps work because fluid dynamics are hard, and no one has figured out how to predict the movements inside a lava lamp, let alone a wall of them. That means the random numbers being used in Cloudflare’s encryption are effectively random.

Nick Sullivan, Cloudfare’s head of cryptography, explained that instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs, and movements are recorded and photographs are taken. This footage is then turned into a “stream of random, unpredictable bytes.” According to Mr. Sullivan, “… this unpredictable data is what we use to help create the keys that encrypt the traffic that flows through Cloudflare’s network.”

Cloudflare wall of entropy

Mr. Sullivan continued,

Every time you take a picture with a camera there’s going to be some sort of static, some sort of noise,” . “So it’s not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light — every tiny change impacts the stream of data.

The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic.

rb-

Who didn’t have a lava lamp in college? Not only is Cloudflare’s wall of entropy fun, but it makes it harder for bad actors to break encryption.

groovy vintage lava lamp

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , ,
| April 30, 2018
Comments Off on ATM Jackpotting

ATM Jackpotting

ATM JackpottingThe U.S. Secret Service has warned (PDF) financial institutions of logical (jackpot) attacks on Automated Teller Machines (ATMs). These ATM attacks originated in Mexico and have spread to the US. These jackpotting attacks are an industry-wide issue and as one vendor stated, are “a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The attack mode involves a series of steps to defeat the ATM’s existing security mechanisms and the authorization process for setting the communication within the ATM. Internal communications are used when computer components like the mainboard or the hard disk have to be exchanged for legitimate reasons.

Description of an ATM attack

Automated Teller Machines (ATMs)In a Jackpotting attack, the criminal gains access to the internal infrastructure of the terminal to infect the ATM PC or by completely exchanging the hard disk (HDD). There are a number of steps the attacker has to take for this type of attack:

  1. The top of the ATM must be opened.
  2. The original hard disk of the ATM is removed and replaced by another hard disk, which the attackers have loaded with an unauthorized and/or stolen image of ATM platform software.
  3. In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. A cable in the ATM is unplugged to fool the machine into allowing the crooks to add their bogus hard drive to the ATM.
  4. A dedicated button inside the safe needs to be pressed and held to start the dispenser communication. The crooks insert an extension into existing gaps next to the presenter to depress the button. CCTV footage has shown that criminals use an industrial endoscope to complete the taskATM's

In other Jackpotting attacks, portions of a third-party multi-vendor application software stack to drive ATM components are used. Brian Krebs at Krebs on Security reports that Secret Service issued a warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

Mr. Krebs also reports that “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM. Once this is complete, fraudsters own the ATM and it will appear Out of Service to potential customers according to the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

In previous Ploutus.D attacks, the ATM Dispensed at a rate of 40 bills every 23 secondscontinuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Specific Guidance and Recommendations

The most common forms of logical attack against ATMs are “Black Box” and “Offline Malware”. The steps to minimize the risks to ATMs are the same as any other enterprise device.

  1. Make sure firmware and software are current with the latest updates, are important protections to mitigate the impact of Black Box attacks. Four out of five cash machines still run Win XP or Win XP Embedded. The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to at least Windows 7 to defeat this specific type of attack.
  2. Use secure hard drive encryption protections against Offline Malware
  3. Use a secure BIOS remote control app to lock the ATM BIOS configuration and protect the configuration with a password.
  4. Deploying an application whitelisting solution.
  5. Limit Physical Access to the ATM:
    • Use appropriate locking mechanisms to secure the head compartment of the ATM.
    • Control access to areas used by staff to service the ATM.
    • Implement two-factor authentication (2FA) controls for service technicians.
  6. Set up secure monitoring
  7. Use the most secure configuration of encrypted communications. In cases where the complete hard disk is being exchanged, encrypted communications between ATM PC and dispenser protect against the attack.
    • Ensure proper hardening and real-time monitoring of security-relevant hardware and software events.
    • Investigate suspicious activities like deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser. Monitor unexpected opening of the top hat compartment of the ATM.

rb-

Followers of the Bach Seat know how to secure their PCs, I have written about securing PCs many times here. So the question is why not ATMs? Research says that consumers go into the branch less every year. The experts say that by 2022 customers will visit a branch only 4 times a year. In many cases, ATMs are the bank’s surrogates for most cash transactions. It makes sense to get it right.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| March 24, 2018
Comments Off on Will Wi-Fi Be Secure This Time

Will Wi-Fi Be Secure This Time

Will Wi-Fi Be Secure This TimeOne event at CES 2018 that was overlooked by many people was the Wi-Fi Alliance announcement of WPA3, a long overdue update to Wi-Fi Protected Access (WPA). This increases the strength of a security protocol that hasn’t been updated in 14 years.

Wi-Fi AllianceThe Wi-Fi Alliance says Wi-Fi carries more than half of the internet’s traffic, so improvements to WPA are good news. The WPA3 update is a response to the evolution of Wi-Fi usage and WPA2 vulnerabilities. There are four improvements to Wi-Fi Protected Access via WPA3 over the current standard (WPA2).

Stronger passwords

WPA3 gets a new layer of protection so its security is not contingent on passwords (as followers of the Bach Seat know, passwords suck). WPA3 is an improvement on WPA2’s largest vulnerability the handshake when the key is being exchanged. KRACK (Key Reinstallation Attack) is a major vulnerability discovered in 2017 in WPA2 and WPA. It exploits the Wi-Fi handshake. KRACK allows attackers to snoop on encrypted data being transferred between computers and wireless access points (WAP).

WPA2 uses a four-way handshake mechanism, starting with a nonce provided by the access point.Brute force “dictionary attacks” are the backbone of the KRACK attack. WPA3 implements IEEE 802.11s, Simultaneous Authentication of Equals (SAE) to provide protection against this flaw. SAE is also known as the Dragonfly protocol. The Internet Engineering Task Force (IETF) describes Dragonfly,employs discrete logarithm cryptography to perform an efficient exchange in a way that performs mutual authentication using a password that is probably resistant to an offline dictionary attack.

This improvement will offer better security even if poor passwords are used. This feature is very useful since we know that users have difficulties creating strong and hard-to-guess passwords. The Wi-Fi Alliance claims WPA3 makes it almost impossible to breach a Wi-Fi network using the current dictionary and brute-force attacks.  Mathy Vanhoef, the security researcher who discovered KRACK, appears very enthusiastic about the security improvements in WPA3.

Secure public Wi-Fi

Secure public Wi-FiWPA3 secured open networks will offer more privacy than ever before. Everything transmitted over today’s open Wi-Fi networks at airports, coffee shop, libraries, are sent in plain text that people can intercept. WPA3 will apply encryption to each user on the public Wi-Fi to eliminate clear text with “individualized data encryption”.

Malwarebytes Lab speculates that WPA3 will include Opportunistic Wireless Encryption. OWE enables connection on an open network without a shared and public Pre-Shared Key (PSK). That’s important because a PSK can give hackers easy access to the Traffic Encryption Keys (TEKs), allowing them access to a data stream. OWE implements a Diffie-Hellman key exchange during network sign-on and uses the resulting secret for the 4-way 802.11 handshake and not the shared, public Pre-Shared Key (PSK) that can be easily exploited. WPA3 will be more difficult for people to snoop on your web browsing without actually cracking the encryption while you’re at Starbucks.

Stronger encryption

WPA3 will use stronger cryptographic algorithms. The new security protocol will use the  Commercial National Security Algorithm (CNSA) 192-bit encryption mandated by the U.S. government for secure Wi-Fi networks. Experts speculate WPA3 will use a 48-bit initialization vector to support backward compatibility with WPA and WPA2  The 192-bit encryption will make WPA3 compliant with the highest security standards and fit for use in networks with the most stringent security requirements. (rb- Ironic – Go to the CNSA site and get an invalid cert warning in Chrome) The CNSS is part of the US National Security Agency.

Easier IoT security

The WPA3 update simplifies setting up secure Wi-Fi connections for devices that don’t have a graphical user interface. This is critical the secure the 30.7 billion IoT devices that will be on the network by 2020. The new protocol will add Device Provisioning Protocol (DPP) which sets up a simple, secure and consistent method for securing devices with limited or no display. NetworkWorld reports that You will be able to tap a smartphone against a device or sensor and then provision the device on the network.

What happens to WPA2 devices

So far, most manufacturers have been quiet about legacy device support. We do know that future W-Fi certified WPA3 routers will be backward compatible to support WPA2. The question remains whether current WPA2 devices will be capable of connecting to WPA3.

WPA2 devices are not immediately obsolete. The Wi-Fi Alliance explained that current WPA2 devices will be able to connect with WPA3 hardware. The Alliance also announced that it will continue to do security tests on WPA2 to further protect wireless networks. WPA3 is not an immediate replacement for WPA2

Even after you get a WPA3 enabled router, you’ll need WPA3 compatible client devices—your laptop, phone, refrigerator, security camera, industrial temperature sensor, or anything that connects to Wi-Fi—to fully take advantage of the WPA3 features. The good news is that shiny new router will accept both WPA2 and WPA3 connections at the same time.

Even when WPA3 is widespread, expect a long transition period where some devices are connecting to your router with WPA2 and others are connecting with WPA3. Once all your devices support WPA3, you should disable WPA2 connectivity on your router to improve security.

rb-

I am suspicious about the NSA link to the new WPA3 encryption. The NSA has introduced weaknesses in other encryption protocols.

Until we get our hands on real hardware, it is safe to speculate that like all things Wi-Fi, backward compatibility will cost your performance. What will the impact of one legacy device have on the capabilities of the WAP? Have a pair and turn off 802.11, 802.11b, WEP, and WPA connections on your current router.

It’s about time to update WPA. But as the 802.11n process proved, if you want to get nothing done, turn it over to an industry consortium. Andy Patrizio at NetworkWorld explained that’s where standards go to die because everyone wants their IP used so they make money off every sale. The end result is nothing gets done.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »