With the news of collisions and reductions in attack complexity in both MD5, a commonly used algorithm for checksums on file downloads and integrity checkers, and SHA-1, a commonly used cryptographic hash algorithm in many encryption products, this brings up the question of where to go next, if you are implementing software which uses cryptographically strong hashing.

The SHA (Secure Hash Algorithm) family of algorithms, validated by NIST, and standard hash algorithms for cryptographic use, contains not only SHA-1 but an older algorithm called SHA-0, for which attacks have also been reported, and the SHA-2 family, which consists of SHA-224, SHA-256, SHA-384 and SHA-512, collectively.

SHA-256 forms a new minimum recommendation, in many cryptographers eyes, given the attacks on SHA-1. Whilst these attacks do not rule out SHA-1 for general use, in order for new software making use of hashing algorithms to be secure for the near future; perhaps a decade, it is important to prepare for the attacks on SHA-0 and SHA-1 becoming more feasible, especially as the cost of computing goes down, and the power continues to rise.

SHA-224, SHA-256, SHA-384 and SHA-512 are all named respective to the number of bits in the output hash. The more output bits, the harder it is to create a collision, in general, unless there is a weakness in the hash function itself, as has been found in SHA-0 and SHA-1.

Of course, the SHA-2 family are based on SHA-1, with slight differences in design and larger output, so it is possible that these have potential attacks also, but the size of the brute-force space is dramatically increased, and so these variants of the SHA family will withstand attack for longer, and should prove reliable for the near future.

Looking into the long term, few solutions exist currently that are not based on the SHA format. There are two main contenders, currently, in the form of the RIPEMD family, and the WHIRLPOOL family.

RIPEMD comes in the following flavours, in each case, the number represents the hash size in bits: RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. RIPEMD-128 is a replacement for the original RIPEMD, which was found to have security issues, whereas the others all increase the output size, and therefore the associated security. Again, this family is based on a construct which has been proven susceptible to attacks in the past, so it is possible that the entire family could have weaknesses.

The other main alternative, WHIRLPOOL, has no known attacks, and has had two major changes to further improve its security.

WHIRLPOOL is a 512-bit hash function. The changes mentioned involve a change from a randomly generated s-box (substitution box) to one designed to be cryptopgrahically stronger, and also easier to implement in hardware, along with a change in the diffusion matrix.

Some leading cryptographers are calling for new cryptographic hash functions to be designed, perhaps in the same design-by-committee method as the AES encryption standard.

Tags: Cryptography

Categories: Cryptography

Leave a Comment

Seems everybody is out for cheap deals on just about everything and who wouldn’t be in this recession where cash is hard to come by and jobs are being shed by the thousands. Now, there are truly some honest cell phone deals out there but you have to be sure you’re getting the right stuff. Having the latest phone gadget might be one thing but keeping that new phone secure from hacks is another. Sure you can get it cheap from the internet but how sure are you you’re getting the real stuff.
Criminals are becoming craftier than ever and they have even managed to copy branded products complete with all the security stickers and holographic security seals with them. They can also be pre-loaded with malware for the amount of computing power they pack is enough to emulate an ultraportable, in function that is. Just how dangerous are these hacking attempts, for mobile devices using Windows very dangerous for there is a group bent on exacting damage on the software giant.
ensuring you have the latest updates to your operating system is vital to maintaining your ability to fend off attacks. Having intrusion prevention systems installed is also a good thing for like your PC, they also need protection. Given the power of these gadgets and their ability to connect to the internet, they are not immune to attack. Let’s set this as an example, an unprotected PC connected to the internet for the first time will last an average of 15 minutes before it is hacked and compromised. Now you do the math for your mobile!

Categories: Cryptography, E-mail, General, IM, IT Security Basics, Malware, News, Privacy & Anonymity, Real-World Issues, Spyware, Tips, Web browsers, Wireless Security

Leave a Comment

We all know the importance of having good and difficult passwords once we have access to a site or a network but one thing that many would have to consider would be the length. Others would want it short, but these are people who would not care of why they are given access. Others want it long normally something that they can easily remember such as their address or birthday. But how long should it be?

Traditionally, it should be at least 8 characters. Some are fine with 6 characters but for security reasons and avoiding hackers, it would be best to make it longer. A combination of alphanumeric characters would be better as it makes harder to crack for people who love to do mischief. So if this were the case, the potential combination would perhaps be your car plate number, bank account or even your driver’s license codes. With that in mind, you better make sure you also write it down and keep it in a safe place. This is in case you may forget it for some reason due to the tons of information you have stored up in your mind.

Regardless, a user should always make sure that the password he chooses is something he is familiar with. For most sites, we are asked to put secret questions to which we can answer for ourselves. But in choosing the right one, we must make sure that it is something only we know and not something that can be easily guessed by anyone. Failing to do so may put your access and credibility at risk.

Tags: encryption, passwords, security

Categories: Cryptography, Privacy & Anonymity

Leave a Comment

Citibank an arm of Citi Corp, has suffered a data breach in the form of 7-11 Store installed ATM machines which were broken into by hackers who got away with millions according to the report on Yahoo News. The three hackers have been found, arrested and are currently under custody as the case is further studied and discussed in the courtroom.
The problem happened when these hackers got through third-party computers who handled debit card account transactions taking all the information they needed that was enough for them to engage in online transactions without the need for physical contact with any ATM machine.
The problem is another case of lax data security which in terms of ATM pins are said to be the most secure of all bank information systems for the potential is horrendous in terms of loss.

“PINs were supposed be sacrosanct — what this shows is that PINs aren’t always encrypted like they’re supposed to be,” said Avivah Litan, a security analyst with the Gartner research firm. “The banks need much better fraud detection systems and much better authentication.”

This shows that even with the repetitive problems and incidents of identity theft not everybody is listening and taking action to protect their information, as in the case of Citi Corp., their third party providers should have had ample measures such as encryption, and redundant security measures to prevent such incidents from even happening. Citi Corp., being one of the biggest multi-national banks with accounts all over the world should have check and balance systems that ensures customer information is safeguarded from such intrusions which in this case is going to cost them millions of dollars. The company has relied so heavily on systems based on Microsoft Software technology which has received continuous attacks and this is just another addition to the types of attacks they suffer from hackers.

Tags: ATM's Hacked, ATM-Fraud, Citi Corp., Citibank

Categories: Backups, Cryptography, General, IT Security Basics, Network Security, News, Physical Security, Real-World Issues, Security Policies

Leave a Comment

If you happen to be a small or medium scale company that cannot afford multiple data stores and infinite numbers of mirrored hard drives, that becomes a problem. An encrypted hard disk in a laptop that gets banged up damaging the hard disk may still have some of the information intact enough for recovery but damage some of the vital keys and software and you are left hanging by a thread or down in the gutters. Data recovery is possible but only through expensive methods with the hard disks being opened up, the platters extracted and installed into another similar hard disk for data extraction. Only the military and federal government would have enough cash to burn in terms of data recovery at that level for the price is computed in the amount of megabytes recovered and on a per hard disk basis, and imagine a 1 terabyte drive at say $50/MB then you’d be scratching your head by now, and that’s just for a single drive.
The risks of identity theft and information leakage is real but the technology is still quite prone to failure even with today’s quad-core which is why we didn’t discuss the performance issue in the discussion. Today’s multi-core processors are capable of handling complex tasks such as real time encryption and decryption as if there was nothing happening on the background. The performance issue has been addressed by more powerful microprocessors but the reliability of the hard disks which stores the information and even the CD’s are still quite weak. Till there is more definite proof that all parts of the computer has reached such a reliable level that failure is a less of a factor more people would still retain their own proprietary security measures (birthday passwords, flash thumb drives that always get lost and physically carrying their discs with them).

Tags: encryption, Security Policies

Categories: Backups, Cryptography, General, IT Security Basics, Malware, Network Security, Operating Systems, Physical Security, Real-World Issues, Storage, Wireless Security

Leave a Comment

Encryption used to be the mainstay of military and other government agencies who need to secure the information they handled preventing anybody who may get access rendering the information useless. Everybody knows about it yet not many use it for the protection of their vital information stores, why? Well there are a hundred reasons why people mistrusts such an extreme measure as encrypting data and one is reliability of technology on which it is used on. Computers as we know have become cheaper and cheaper that has been good on one side but it also raises the risk of failure due to cheaper parts and higher risk for data loss due to failure. I know a lot of people would be going against me on this one but if you have experienced a hard disk crash during my many years of computer use and association with them in my previous line of work as a technical support supervisor, you’d know what I mean.
The technology we have today is of the highest level of quality and technological complexity of the computers I started to work with (386’s and 486’s) but the robustness of these gadgets and gizmos we call peripherals are still quite low except for the extreme types that are too expensive for the ordinary user to afford. Imagine a failed motherboard that has fried circuits, no problem for the hard disks are seldom affected by such incidents. Get the board out and swap it out and you connect the hard disk and you have your data available. Imagine you have a failure in the hard drive itself; you get some software and try to recover that information hoping you get enough of the sensitive files your boss needs in the morning. Now, imagine having a hard disk that was encrypted and had some of its sectors rendered useless, now that’s a nightmare for the encrypted data is useless with the key and the code stored into the hard disk itself.

Tags: data-recovery, data-security, encryption, Hard Disk Failure, hardware-failure, Risks

Categories: Cryptography, General, IT Security Basics, Real-World Issues, Storage

1 Comment

Due to the recent problems associated with the loss of government laptops and security breaches such as the incident where the laptop of a Federal Trade Official was reported to have been compromised by reportedly Chinese operatives while on a trip overseas, the US Federal government has begun to encrypt their laptops in hopes of bolstering their security to prevent such security risks in the future. Let us just hope that they do it fast enough for no one wants to get their personal and financial information released online or obtained by enemies of the state (terrorists in layman’s terms). Of the estimated 2 million laptops the US government and the many agencies have, only 800,000 have had the encryption system developed by the Department of Defense and the General Services Administration.
Encryption is one of the most secure way pf keeping data safe from unauthorized access which renders them useless without the proper software or security keys. Comparable to the dial combination on a bank vault, the encryption process turns files onto a useless bundle of information that cannot be read or used for other purposes.
All this effort to boost security of information that is gathered and collated by the various agencies and even private businesses that have ties with the government though contracts have had their computers encrypted to ensure the information they handle and use stays secure and out of the hands of criminals who aim to use them against the government.

Tags: data-encryption, data-security, encryption, Federal Government

Categories: Cryptography, General, IT Security Basics, Real-World Issues, Security Policies, Storage

Leave a Comment

In efforts to boost security, Paypal, one of the premier internet online payment providers is moving to block users who use older browsers to prevent weaknesses that these browsers possess. They have found that many users online still use old Microsoft IE 3.0 and 4.0 which have ended their support life a long time ago hence they do not have the needed updated security updates that are necessary to conduct safe and secure online transactions with regards to payments and other related business. Paypal has had a lot of bad publicity with regards to phishing and infiltration where people intercept and go on fake bidding sprees just to get at the vital financial information that people usually share over the network. In hopes of boosting security, they will be using script detection to begin blocking users and that they do apologize for all the inconvenience this may cause the millions of users who may be affected by their move. This comes as the amount of identity theft and other crimes have increasingly entered their ranks ending in much stolen information that leads to credit card fraud. Being the biggest, they are the most viable target for such hackers and they are trying to boost security on that front of the deal.
This would hopefully prevent more cases from developing and that any new ones will be ‘nipped in the bud’ so to speak.
Paypal and eBay have offered select users with a distinct security keys using VeriSign passwords that is to be transmitted during payment transactions which aims to prevent interception of the transaction information as it travels through the internet. Unlike specific credit card transactions that travel through dedicated lines which are now slowly being protected by PCI-DSS for improved security, regular PC do not have that much security hardware installed to protect them from interception by hackers who could tap into the network getting all credit card information for illegal purchases.

Tags: encryption, Paswords, PayPal, PCI-DSS, VeriSign

Categories: Cryptography, General, IT Security Basics, Malware, Network Security, News, Privacy & Anonymity, Real-World Issues, Security Policies, Spyware

Leave a Comment

Experts have said it again and again and history has shown us that money is the root of all evil and so it goes the same for the development and eventual spread of more sophisticated malware intended for the ever growing mobile computing environment. Current malware is simple yet experts are warning users and other experts alike that it would only be time before some hacker develops a more robust and discreet form of malware that would circumvent standard virus scanners. As we have seen and read in news articles, these viruses, Trojans and other forms of malware are evolving so fast that removal and detection experts are finding it very hard to get one step ahead of them. In the time it takes to read this post, about 35 or so new types of malware would have been released into the wild to infect any of the millions of unprotected systems over the internet. The problem has gone into the pandemic stage that no system is safe for long. The soonest a new and more robust intrusion prevention and security system is in place, several new vulnerabilities in the computer systems we use are found and immediately exploited by hackers and their minion.
Economics or the promise of earning a buck from such malware creation and spreading is the major motivation for hackers. Say you get into the cell phone of your favorite Celebrity and get hold of private pictures, or get hold of a confidential report which lists the amount of funds along with the corresponding account information and much more information that one can sell quite profitably over the internet.

Tags: Malware, Mobile Malware Threat, viruses

Categories: Cryptography, General, IM, IT Security Basics, Instant Messaging, Malware, Network Security, News, Operating Systems, Real-World Issues, Security Policies, Spyware

Leave a Comment

In another addition to the UK government’s growing list of information security blunders, a data CD which was found labeled as coming form the UK Government’s Home Office Branch, was found lodged inside a laptop bought over the internet from eBay. Yes, bought online which at first was kind of funny for the laptop engineers who handled the device after it was brought in by a customer for repairs. The un-named customer apparently won the online bidding for the laptop and took it for repair to Leapfrog computers for repairs. The technicians found the disk crammed in between the keyboard panel and the main board and thought of it trivially till they read the words, “Home Office Confidential”. The seriousness of the situation arose when technicians found the laptop hard drive and the disk itself to be encrypted rendering the information stored within it un-readable. They immediately called the police which dispatched anti-terrorism units to recover the government laptop and took it to the Greater Manchester Police Headquarters for safe keeping.

These types of incidents are not unusual which began last year when on Nov 20, 25 million people and 7.2 million families had gone missing which had information such as names, addresses, dates of birth, child benefit numbers, national insurance numbers and bank and social security details. The Department of the Environment on the 11th of December, lost two computer disks containing names and addresses of 7,685 learner Northern Ireland motorists. On the same day, confidential information regarding dozens of prisoners/inmates released to private businesses. On Dec 11, a company union claimed that personal information of hundreds of members were sent to four companies by health authority employers. Unite said Sefton Primary Care Trust released data including names, dates of birth, salary, pension and national insurance numbers of 1,800 employees. On Dec 18, records of 3 million learner drivers’ information were lost when a hard disk which was sent to the US for maintenance was lost during processing. The HM Revenue and Customs Service lost 6,500 customers of private pension firms were lost contained within a computer cartridge. The NHS trust, lost patient information of 168,000 people and lastly, the Police records from Devon and Cornwall were found in a dump by a man looking for spare parts for computers who was going through scrap equipment.

Such incidents are alarming and very dangerous for some of the lost information were not even encrypted. The one they found within the laptop was encrypted but given time, a computer expert with no good intentions could theoretically have broken the code exposing sensitive information into the unknown. These are some of the ones that are publicly known and as it shows, the UK Government might want to shore up it’s strategy of safeguarding information for the public and it’s own sake.

Tags: Confidential Disk, eBay, UK Home Office

Categories: Cryptography, General, IT Security Basics, News, Real-World Issues, Security Policies

Leave a Comment