Tag Archive for Encryption

Spies Say Encryption Best to Protect Data

Updated August 01, 2019 – Trump’s top cop, U.S. Attorney General William Barr, rehashed the time-worn government demands for private firms to break encryption. AG Barr closed his July 23, 2019 speech at the International Conference on Cyber Security by saying that U.S. citizens should accept encryption backdoors because backdoors are essential to our security.

Despite what current US policy appears to be, a newly leaked document courtesy of Edward Snowden revealed that some U.S. officials are encouraging the use of encryption to protect data. GigaOm points out a 2009 document penned by the U.S. National Intelligence Council, which explained that companies and the government are prone to attacks by nation-states and criminal syndicates “due to the slower than expected adoption…of encryption and other technologies.” The report detailed a five-year prognosis on the “global cyber threat to the US information infrastructure” and stated that encryption technology is the “[b]est defense to protect data.”

Seems that these spooks were right. FierceITSecurity reports there were 750 major data breaches in the U.S. last year, exposing more than 81 million private records. FierceITSecurity cites data from SysCloud, a provider of security and data backup for enterprises, which provided the following infographic about data breaches.

 

SysCloud infographic

2015 will be worse. The WSJ reports a single data breach at the U.S.’s second-biggest health insurer, Anthem Inc., lost personal information for about 80 million of its customers when attackers broke into a database. According to the WSJ, the breach exposed names, birthdays, addresses, and Social Security numbers. Anthem said in a statement that the affected (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. Anthem did not encrypt the stolen PII, according to reports.

GigaOm explains that encryption makes it possible for documents and messages to be unreadable to people who don’t have the proper cryptographic key.


A cryptographic key is the core part of cryptographic operations which scramble information. Cryptographic systems include pairs of operations, such as encryption and decryption. A key is a part of the variable data that is provided as input to a cryptographic algorithm to execute this sort of operation. The security of the scheme is dependent on the security of the keys used.

The spooks also encouraged multi-factor authentication, which adds another step to the security process beyond simply entering a password.

Despite the totally porous nature of online security, GigaOm points out that the Obama administration is a vocal opponent of encryption technology. According to Bruce Schneier, the gooberment’s opposition to encryption on phones is all bluster and sound bites.

Encryption is no doubt a hot topic in the security space. GigaOm says there’s been a wave of security start-ups focusing on encryption scoring millions of dollars in investment in recent months. Security start-ups Veradocs, CipherCloud, and Ionic Security have recently landed over $100 million in investments.

Despite political pushback, it’s clear that companies won’t slow down on implementing encryption any time soon, so long as large-scale data breaches continue to occur on a seemingly weekly basis.

rb-

Is it time to go back to a cash economy?

 


 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Encryption on the Internet Primer

I spoke to several of my mother’s friends the other day. They were all worried about being on the web. Kudos to these ladies for being connected at all (they are in their 70’s and 80’s). They also get a gold star for being alert enough to recognize that something on the ol’ Intertubes has changed recently.

They hear that their information is being stolen at the banks and stores they frequent. One neighbor lady even said she was worried about the government stealing her data. I explained to the group that I too am concerned about how it seems everyone on the web is under attack lately.

I gave them the usual pointers. Don’t trust anything on the web.  Have someone (not me!) help keep their anti-malware and systems up to date. And use encryption if possible.

Navajo Code Talkers

Of course, none of my mother’s neighbors had heard of encryption. I explained to the ladies that encryption means changing a message so that anybody who heard the message would not understand it unless they knew how the message was changed. I used the example of Ig-pay Atin-lay.

  • An-cay ou-yay eak-spay Ig-pay Atin-lay? = Can you speak Pig Latin?
  • I-way ave-hay a-way ecret-say = I have a secret.

 

Then of course I was outsmarted. One of the women chimed out, Oh like the Navajo Code Talkers during World War II. (Next time I will start with the smart answer and then go to the Pig-Latin.)  These ladies lived through the shhesh,

So that got me thinking, what does the end-user really need to know about encryption? Sure there are PKI’s, Salted hashes, Block-ciphers, and …. none of which mean anything to the end-user.

What users need to know about encryption

Miguel Leiva-Gomez at MakeTechEasier.com recently explained what beginners need to know about encryption. He says that encryption is a practice in cryptography where a piece of data is obfuscated (manipulated) in a mathematically predictable way. The manipulation makes it very difficult to recover its contents. The author says it is like my pig-Latin example, but much more complex. The mathematical equations used to encrypt (and decrypt/decode) things are called cryptographic algorithms.

These cryptographic algorithms are needed because hackers are getting smarter and sneakier. They’re compromising databases left and right. To protect your data from attacks, system owners should use these algorithms to mathematically jumble up all your personal data. Jumbling the data (encrypting) makes it difficult (if not completely impossible) for a hacker to steal your data from that database. Mr. Gomez claims that encryption basically protects you from intrusion. If a hacker manages to break into a database and take your passwords, he would be reading something like “EAFC49BF4B496090EA2B7CA51674589” instead of “Mary_$mith.”

The article calls the jumbled-up text that comes out at the end of every algorithm, like “EAFC49BF4B496090EA2B7CA51674589”, a ciphertext. The decrypted equivalent is known as plaintext. These are very important words to remember when discussing cryptography.

The author explains that there are two ways that the plaintext “Mary_$mith” gets turned into the ciphertext “EAFC49BF4B496090EA2B7CA51674589” and then back to the plaintext “Mary_$mith.” The first method is called a symmetric algorithm:

Symmetric algorithms use a key to encrypt and decrypt data. The key is basically the “x” that will solve for “y” in the mathematical algorithm. The length of the key and some other properties of the algorithm determine its “difficulty.” The more difficult an algorithm is, the more difficult it is to crack it. A difficult algorithm requires immense amounts of computing power to crack, the kind of horsepower that is usually out of reach of run-of-the-mill hackers. More sophisticated attacks might use computer clusters to decipher your data. Even then, some symmetric algorithms might thwart these attacks.

The second way plaintext gets turned into ciphertext and then back to plaintext is called asymmetric (public key) algorithms. Asymmetric algorithms split the key into two pieces. The first is a public one (usually stored in the server). The second piece is a private one (usually stored in your computer by software). Mr. Gomez writes that asymmetric algorithms get their strength from this particular technique since a hacker will not be able to read the contents of your data even if he gets his hands on the public key (it’s only half the key).
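The two approaches described above, side by side, as an added example that is not from the original post or the MakeTechEasier article. It assumes toy constructions built only from the Python standard library (a SHA-256 keystream for the symmetric case, textbook RSA with tiny constructed primes for the asymmetric case); all function names are hypothetical, and real systems use vetted implementations such as AES-GCM and RSA-OAEP.

```python
# Added illustration: one shared key (symmetric) versus a public/private pair (asymmetric).
# Toy constructions for teaching only; the primes and the sample plaintext are constructed.
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes from key + nonce using SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Symmetric: XOR with the keystream; a fresh random nonce is prepended."""
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Symmetric: the SAME key that encrypted is needed to decrypt."""
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# Asymmetric: textbook RSA with tiny constructed primes (far too small to be secure).
P, Q = 61, 53                        # secret factors, known only to the key owner
N = P * Q                            # public modulus (3233)
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent; computing it needs P and Q


def rsa_encrypt(m: int, public=(E, N)) -> int:
    e, n = public
    return pow(m, e, n)


def rsa_decrypt(c: int, private=(D, N)) -> int:
    d, n = private
    return pow(c, d, n)


def demo():
    key = secrets.token_bytes(32)
    blob = sym_encrypt(key, b"Mary_$mith")
    right = sym_decrypt(key, blob)                        # correct key recovers the text
    wrong = sym_decrypt(secrets.token_bytes(32), blob)    # any other key yields garbage
    c = rsa_encrypt(65)                                   # anyone may use the public key
    # Applying the public key again does not undo the encryption; only D does.
    return right, wrong, c, rsa_decrypt(c), rsa_encrypt(c)


if __name__ == "__main__":
    print(demo())
```
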

rb-

In the end, no algorithm is created equally. All of them have some flaw or another that will be discovered in the future, so it’s difficult to know what services you should rely on.

The best advice is still the oldest advice. Look for URLs that start with HTTPS and have a little green lock in the URL line. This means some part of the connection is encrypted with Secure Sockets Layer (SSL), an asymmetric (public key) algorithm. The Internet is on the verge of a move to a more secure asymmetric algorithm called Transport Layer Security (TLS).

That’s why the age-old advice to keep your PC up to date is critical for keeping your personal data safe.


What is Ransomware?

Ransomware is a nasty form of malware. It is also known as data kidnapping. It locks up your computer by encrypting your data and then demands you pay a fee to unlock it. The fee is usually in Bitcoins. The decryption key may or may not unlock your files. Ransomware can be terrifying. We rely so completely these days on our PCs that to stare helplessly at yours—often with a racy image on the screen—is frustrating and crippling to your productivity. Cybercriminals may use one of several tactics to extort money from their victims.

Tactics to extort money

1. After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever.

2. The victim is duped into believing he is the subject of a police inquiry. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.

3. The attackers sneak malware onto a computer, usually by a drive-by download, which encrypts the victim’s data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransomware software on legitimate websites.

Cut your ransomware risks

Here are tips that cut your risk of becoming a victim.

1. Avoid sketchy websites, searches, and downloads. You know the old expression “You can’t cheat an honest man”? Well, many (though not all) ransomware infections begin when a user surfs to pornographic or gambling websites, while others start with a click on a suspicious link. Steer clear of sites known to house malware, and never click a link in an email unless you know it is legit.

2. Back up your data. Experts stress that the single biggest thing that will defeat ransomware is having a regularly updated backup. That way, if you are beset by ransomware, you can restore your system while losing relatively little work.

3. Update your software regularly. Ransomware, like most malware threats, may sneak onto your PC through a known flaw in your operating system or other software programs. And hackers often rely on people running outdated software with those known vulnerabilities. You can definitely decrease the potential for ransomware if you make a practice of updating your software often.

4. Use a reputable security suite. It is always a good idea to have both anti-malware software and a firewall to help you identify threats or suspicious behavior. Malware authors often send out new variants, to try to avoid detection, which is why it’s important to have both layers of protection.

Anti-malware vendor Webroot provided this infographic that shows the prevalence of ransomware and the methods IT professionals use to deal with it.

Webroot Ransomware infographic


5 Spooky Ways PCs are Like Halloween

It is Halloween time again and all kinds of ghosts, goblins, ghouls, vampires, zombies, and sexy Ebola nurses are on the loose. Don’t let these tricksters affect your computer. Here are several ways computers take part in the Halloween reveries.

  1. Ghosts – Everyone has seen it … things just happen… “I didn’t touch anything and all the data in my Excel is gone.”
  2. Zombies – Clicking on that “Check this out” Facebook (FB) link can turn your PC into a zombie. The fake link infects your computer and turns it into part of a zombie army. It has lost its mind and roams the interwebs attacking anything that its new master tells it to. Keep your patches and anti-malware up to date to defend against zombie attacks.
  3. Trick or Treat – The email from Aunt Sally says it has a video of a Kitty playing with a Ducky …. Does Aunt Sally call you for help opening an attachment? Does she still use AOL? Do you open the link? Is it a treat and Kitty is really playing with the Ducky? Or is it a trick and you just installed a virus? Only your anti-virus software knows for sure, update it now.
  4. Costumes – Every trick or treater knows masks are part of Halloween. Put a mask on your data as it travels across the Intertubes with encryption. With encryption, you put a mask on your data when you leave home and take the mask off when you get to your friend’s house.
  5. Vampires – You turn your computer off when you’re done with it right? Do you turn off your monitor? Your printer? Your cable box? If not you are the victim of power vampires. Power vampires suck electricity from your walls even after you turned off the PC.

Vampire power

You have been warned. Happy Haunting.


Internet of Things Full of Holes

The Internet of Things is big and heading towards huge. The Internet of Things (IoT) is a system where unique identifiers are assigned to objects, animals, or people. These “Things” then transfer data over a network without requiring human-to-human or human-to-computer interaction. Whatis.com says IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS), and the Internet.

Business Insider believes that the IoT will be the biggest thing since sliced bread. They claim there are 1.9 billion IoT devices today, and 9 billion by 2018, which is roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined. Gartner (IT) predicts that there will be 26 billion IoT devices by 2020. Based on a recent article in InfoSecurity Magazine, that is a very scary thing.

The InfoSecurity article says HP (HPQ) found 70% of the most common IoT devices have security vulnerabilities. HP used its Fortify On Demand testing service to uncover security flaws. HP detected flaws in IoT devices like TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers as well as their cloud and mobile app elements, according to the new study.

HP then tested them with manual and automated tools and assessed their security rating according to the vendor-neutral OWASP Internet of Things Top 10 list of vulnerability areas. The author concludes that the results raised significant concerns about user privacy and the potential for attackers to exploit the devices and their cloud and app elements. Some of the results are:

  • A total of 250 security concerns were uncovered across all tested devices, which boils down to 25 on average per device,
  • 90% of devices collected at least one piece of personal information via the device, the cloud, or its mobile application,
  • 80% of devices studied allowed weak passwords like 1234 opening the door for WiFi-sniffing hackers,
  • 80% raised privacy concerns about the sheer amount of personal data being collected,
  • 70% of the devices analyzed failed to use encryption for communicating with the Internet and local network,
  • 60% had cross-site scripting or other flaws in their web interface vulnerable to a range of issues such as the Heartbleed SSL vulnerability, persistent XSS (cross-site scripting), poor session management and weak default credentials,
  • 60% didn’t use encryption when downloading software updates.

Mike Armistead, VP & General Manager, HP Fortify, explained that IoT opens avenues for attackers.

While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface … With the continued adoption of connected devices, it is more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.

HP urged device manufacturers to eliminate the “lower hanging fruit” of common vulnerabilities. They recommend manufacturers, “Implement security … so that security is automatically baked in to your product … Updates to your product’s software are extremely important.”

Antti Tikkanen, director of security response at F-Secure, told InfoSecurity the problems HP uncovered in this report were just the tip of the iceberg for IoT security risks.

One problem that I see is that while people may be used to taking care of the security of their computers, they are used to having their toaster ‘just work’ and would not think of making sure the software is up-to-date and the firewall is configured correctly … At the same time, the criminals will definitely find ways to monetize the vulnerabilities. Your television may be mining for Bitcoins sooner than you think, and ransomware in your home automation system sounds surprisingly efficient for the bad guys.

rb-

I covered the threats that IoT or “smart” devices presented back in 2012. I don’t know where HP (or the rest of the security community) has been.

The current generation of “smart” devices does not seem to have any security. Most likely the manufacturer did not consider basic security or, worse, calculated it was better to ignore secure design in their rush to gain market share.

It is also annoying that HP did not reveal the details on the products they tested.
