encryption

Waited too long

Wed, 07 Jan 2009 09:44:44 -0500

VeriSign and others new the MD5 algorithm was not strong enough to use, but they chose to wait. Now when the exploit is known they cry foul that the researchers did not notify them before going public.

Resources for Incident Handling

Matthew Nickasch — Mon, 24 Nov 2008 07:59:24 -0500

Security incident handling, after many years of exposure, is still one of those 'sticky' subjects that can get any organization in a lot of trouble. Other than phreaking and other switch or voicemail-related mischief, the rather isolated telecommunications networks of yesterday aren't nearly as susceptible to the coordinated attacks that plague servers, routers, and UC and IP-PBX platforms these days.

Read more

Quantum Computing: cryptographic challenges, but no end for security

Noah Schiffman — Thu, 13 Nov 2008 23:56:18 -0500

Examination of the technical evolution within several industries reveals an approaching precipice of scientific change. The glacially paced, but inevitable convergence of quantum mechanics, nanotechnology, computer science, and applied mathematics, will revolutionize modern technology. The implications of such change will be far reaching, with one of its greatest impacts affecting information security. More specifically, that of modern cryptography.

Read more

The Trouble with IPsec VPNs, Part#3: IKE Phase 1 Success

Mark_Lewis — Mon, 27 Oct 2008 11:37:26 -0400

I have surfaced again after a busy few weeks - and I can finally continue my description of IPsec VPN troubleshooting (sorry about the delay). This time I'll take a closer look at IKE Phase 1 (main mode) troubleshooting.

Before getting into an analysis of specific problems that can occur with IKE Phase 1, it's a good idea to use the debug crypto isakmp command to examine an example of successful IKE Phase 1 negotiation. This negotiation takes place between two IPsec VPN gateways called Tokyo and Osaka:

Read more

Securing the Line Part 5 - Media Encryption

Matthew Nickasch — Tue, 02 Sep 2008 17:12:31 -0400

As discussed earlier, VLANs, ACLs, and firewall policies are extremely important components to any converged network security architecture. However, what these methods do not secure is the content within each call or conversation. The industry is moving towards securing each media path used for voice, video, and data communication. Even internally, there are many threats that may potentially compromise the content within the packets transmitted over an IP network.

Read more

Encryption tool-tip

Wed, 27 Aug 2008 05:04:46 -0400

Thanks for a good article. If you are looking for a simple-free-email encryption solution, try Flexcrypt. Flexcrypt does not have a policy-component, the user decides what and when to encrypt, a good alternative for smaller organizations with a limited budget. http://www.flexcrypt.com Have a nice day. /Ralf

Introducing "Securing the Line"

Matthew Nickasch — Thu, 21 Aug 2008 10:08:38 -0400

We're all familiar with the common security concerns with deploying an IP Telephony environment. Tomorrow, I'm launching a large 10-part series on improving VoIP and telecom security in an enterprise environment.

Read more

The Threat That Lies Within

Matthew Nickasch — Wed, 30 Jul 2008 07:32:35 -0400

Just like any other technology, the idea of the "converged network" and related applications often come under some sort of fire, whether it be cost, functionality, or security. Users and those who deploy the technologies must then evaluate whether or not these stumbling blocks are indeed deal breakers. It's common for system engineers and network managers to focus on "outside facing" or WAN-side security threats, But, what is often underscored is the threat that lies within. With any new technology development, it's common to fixate on certain problems and certain solutions. Suddenly, there's a panic from end users frantically asking if they're immune to the SQL Slammer, at risk for malware, or could have their conversations monitored on the new IP phone system.

Read more

Lots of excuses, little use of encryption on government mobile computers

Layer 8 — Wed, 30 Jul 2008 01:36:14 -0400

Generally available encryption technologies could help some notoriously data-leaky federal agencies protect sensitive information - if they used it.

Read more

Yes, you should encrypt your drives…

tkopczynski — Tue, 29 Jul 2008 00:12:01 -0400

Yup, I can agree with that statement... After all, I consider FDE as a default pillar in any good information loss protection framework.

Yet for some reason, it seems that most IT shops have now become entranced within the data loss protection (DLP) hype. Thus, DLP has now become everyone's favorite silver bullet. And, a lot of DLP companies are preying on this fallacy by pushing their products as end-all solutions to IT shops desperately seeking to fulfill, regulatory compliance needs, an executives whim, or even possibly used to correct holes found after their latest security incident.

Read more

The Reversible Denial-of-Resource CryptoViral Extortion Attack

Noah Schiffman — Wed, 25 Jun 2008 22:57:59 -0400

Ransomware, although somewhat appropriately nicknamed, as it takes your data hostage demanding money for its release, has always implied an unnecessary emotional component. It is unforgivably insensitive to compare this to any type of real world ransom regarding human life. Furthermore, there are no "proof of life" concepts, such as sending back a "pinky" of data or letting you briefly see that your data is being safely kept in a Linux environment.

Read more

Do some more research

Tue, 03 Jun 2008 14:56:11 -0400

If you google this new encryption pack from At&T it isn't anything more than grouping together existing encryption services that have been on the market for a while. They are also using encryption methods that have been hacked and have had exposed flaws. To me I am still not sure why people keep feeding us the consumers junk about increased safety when it isn't increased just repackaged a different way. They need to look into some of these new cypher bit encryptions at are fresh to the market possessing new algorithms that haven't been hacked. There are many but you won't find them with companies like Cisco, Microsoft, or At&T. I saw a company on a press release called DreamStream.

Read more

Adhering to standards while Protecting your Clients

Thu, 22 May 2008 16:41:03 -0400

Capturing an encrypted file only poses a problem if the encryption has been hacked. There are multiple solutions on the market today that team encryption with different perks that tailor to this sort of thing. DreamStream is one of leaders in this type of out of the box technology. They aren't as big as Cisco or some of the other security companies but they possess the ability to transfer encrypted files that are only visible as white noise, which would help in the solution as well as there encryption possess a time sensitive 2,048 bit key embedded in a military strength encryption. The solutions are there that is not the problem, it is the Corporate mindset of spending the money to change the systems that they currently have. Even though they say they want to they don't.

Read more

Why Kerberos…

tkopczynski — Fri, 16 May 2008 01:49:35 -0400

It seems that everyone's favorite Kerberos Consortium (also known as the MIT Kerberos Consortium) has just released a new white paper titled: Why is Kerberos a credible security solution? I briefly read through it tonight, and I must say, it's a really good attempt at summarizing the benefits of Kerberos over other authentication technologies or methodologies.

Read more

This will be hacked too

Tue, 22 Apr 2008 13:52:19 -0400

The problem still is what is the length of the key, and does it change. With the right amount of computers hacking a 128 key or 256 bit key is still pretty easy. This doesn't seem to solve anything. You need a new encryption to use your new method with that hasn't been hacked. You need multiple different user ID's that use different time sensitive keys. Things that are constantly changing and mathematically impossible to hack using brute force. This solution still doesn't even come close to the Http://www.dreamstream.info solution of the BES encryption. That is out today and this one we will have to wait for? How does this help my companies infrastructure over theirs? This seems easier to hack?

Sounds (almost) worthless

Mon, 07 Apr 2008 09:02:11 -0400

If the encryption key is in the drive, a sufficiently determined attacker will get it.

RFID SmartCard encryption cracked by researchers

Alpha Doggs — Thu, 06 Mar 2008 15:30:36 -0500

New research that shows smart cards with encrypted RFID chips might not be as secure as previously thought is raising concerns in Boston, where the subway CharlieCards use just such technology. The research raises the specter of thieves with $1,000 worth of equipment cracking smart card encryption and making counterfeit cards to do everything from swipe fares to gain access to high-security areas.

Read more

RE: Disk encryption easily cracked, researchers find

Fri, 22 Feb 2008 03:04:01 -0500

Right, and a thief is supposed to be able to do all this within seconds of stealing a computer? I think I'd be more worried about aliens probing my mind for the password, it's probably more likely to happen.

RE: Encryption could make you more vulnerable, warn experts

Tue, 12 Feb 2008 16:51:26 -0500

I have never read such nonsense. How is potential of attack on key server worse than not protecting data at all? The lack of logical thought is mind-numbing. The only real risk mentioned in this article is being locked out of data forever if the keys are destroyed. To avoid such disaster smart people implement key recovery system when they deploy encryption. Please THINK critically before you write.

Kanguru toughens up secure USB drive

Keith Shaw — Tue, 05 Feb 2008 12:38:01 -0500

Kanguru Solutions has upgraded its KanguruDefender line of USB secure flash drives, enhancing the performance and security of the device. The KanguruDefender Pro is designed for government, military and secure enterprise applications with rugged and security features. The new version includes hardware-based AES encryption and a rugged, tamper-proof aluminum casing. The hardware-based encryption provides faster transfer speeds than software-based encryption, and also means that no administration rights are needed to install the drives, easing installation for IT managers. Customization optiosn are also available, including unique identifiers, serialization and security colors, Kanguru says. The casing is designed to make it impossible to remove the device's chip without it breaking, rendering it unreadable, the company says. A unique ID can also be put onto the drive for use with endpoint security applications, which lets IT managers create white lists, as well as track and monitor the drives. Device capacity ranges from 1GB ($64.95) to 4GB ($124.95), and different colors are available. More details are available at the Kanguru Web site.

Read more