<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Security Blog &#187; Cryptography</title>
	<atom:link href="http://www.it-security-blog.com/category/cryptography/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.it-security-blog.com</link>
	<description></description>
	<lastBuildDate>Thu, 02 Feb 2012 15:19:10 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The Hidden Writing</title>
		<link>http://www.it-security-blog.com/cryptography/the-hidden-writing/</link>
		<comments>http://www.it-security-blog.com/cryptography/the-hidden-writing/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 00:55:50 +0000</pubDate>
		<dc:creator>Teresa</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[cryptology]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/?p=839</guid>
		<description><![CDATA[Computer users are fairly familiar with encryption, which is basically converting readable information to what appears to be nonsense.  Encryption is directly connected to the study of techniques for securing communication known as cryptology or cryptography.  While cryptology aims for protection against adversaries that threaten confidentiality, authenticity, and integrity of data, encryption as we [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.it-security-blog.com/wp-content/uploads/2011/11/3543329748_c22a09dbc6_t.jpg"><img class="alignnone size-full wp-image-840" title="3543329748_c22a09dbc6_t" src="http://www.it-security-blog.com/wp-content/uploads/2011/11/3543329748_c22a09dbc6_t.jpg" alt="" width="100" height="81" /></a></p>
<p>Computer users are fairly familiar with <a title="Managing Your Passwords" href="http://www.it-security-blog.com/it-security-basics/managing-your-passwords/">encryption</a>, which is basically converting readable information to what appears to be nonsense.  Encryption is directly connected to the study of techniques for securing communication known as cryptology or cryptography.  While cryptology aims for protection against adversaries that threaten confidentiality, authenticity, and integrity of data, encryption as we know it prevents unwanted people from getting hold of critical information through computer use.  <a title="Encryption – Why people shun away from it even now? (Part 2)" href="http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-2/">Decryption</a> is about converting incomprehensible messages to their comprehensible form.   The adversaries in this case are the cybercriminals who prey on weaknesses of computer passwords and laxness in electronic commerce. </p>
<p>In order to protect themselves, computer users have to maintain a certain degree of secrecy in their activities, specifically in granting or withholding their approval for online transactions.  Revealing too much personal information could pave the way for unwanted personalities to decipher protected passwords and codes.  This is the reason why people are always reminded to be selective about what information to provide and to whom it is provided. </p>
<p>E-commerce usually makes use of the encryption protocol known as the Secure Sockets Layer (SSL).  This is often seen in URLs starting with “https” instead of the typical “http”.  Decryption is facilitated by the use of a “secret key”.  Encryption also concerns itself with checking the trustworthiness of the source of any message.</p>
<p>Operating an online business will use e-commerce one way or the other.  Encryption has made it possible for online businesses to be conducted.  Without any secure means of financial transaction, very few customers will take the risk no matter how tempting the offer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/cryptography/the-hidden-writing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Long Should Your Password Be</title>
		<link>http://www.it-security-blog.com/cryptography/how-long-should-your-password-be/</link>
		<comments>http://www.it-security-blog.com/cryptography/how-long-should-your-password-be/#comments</comments>
		<pubDate>Tue, 30 Aug 2011 18:29:53 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[Privacy & Anonymity]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/?p=436</guid>
		<description><![CDATA[We all know the importance of having good and difficult passwords once we have access to a site or a network, but one thing that many would have to consider would be the length. Others would want it short, but these are people who would not care why they are given access. Others want [...]]]></description>
			<content:encoded><![CDATA[<p>We all know the importance of having good and difficult passwords once we have access to a site or a network, but one thing that many would have to consider would be the length. Others would want it short, but these are people who would not care why they are given access. Others want it long, normally something that they can easily remember such as their address or birthday. But how long should it be?</p>
<p>Traditionally, it should be at least 8 characters. Some are fine with 6 characters but for security reasons and avoiding hackers, it would be best to make it longer. A combination of alphanumeric characters would be better as it makes it harder to crack for people who love to do mischief. So if this were the case, the potential combination would perhaps be your car plate number, bank account or even your driver’s license codes. With that in mind, you better make sure you also write it down and keep it in a safe place. This is in case you may forget it for some reason due to the tons of information you have stored up in your mind. </p>
<p>Regardless, a user should always make sure that the password he chooses is something he is familiar with. For most sites, we are asked to set secret questions which we can answer for ourselves. But in choosing the right one, we must make sure that it is something only we know and not something that can be easily guessed by anyone. Failing to do so may put your access and credibility at risk. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/cryptography/how-long-should-your-password-be/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Complacency – the IT industry’s Worst Enemy</title>
		<link>http://www.it-security-blog.com/uncategorized/complacency-%e2%80%93-the-it-industry%e2%80%99s-worst-enemy/</link>
		<comments>http://www.it-security-blog.com/uncategorized/complacency-%e2%80%93-the-it-industry%e2%80%99s-worst-enemy/#comments</comments>
		<pubDate>Wed, 20 Jul 2011 12:49:34 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Privacy & Anonymity]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Security Policies]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/uncategorized/complacency-%e2%80%93-the-it-industry%e2%80%99s-worst-enemy/</guid>
		<description><![CDATA[This has been proven true by incidents broadcast around the world in minutes or hours after they have happened. Many have suffered the consequences of such incidents in the UK, US and mostly each and every place on earth where people have had their information taken and used for no good before there was even [...]]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.it-security-blog.com/wp-content/uploads/2008/01/complacency.jpg' title='complacency.jpg'><img src='http://www.it-security-blog.com/wp-content/uploads/2008/01/complacency.thumbnail.jpg' alt='complacency.jpg' /></a>This has been proven true by incidents broadcast around the world in minutes or hours after they have happened. Many have suffered the consequences of such incidents in the UK, US and mostly each and every place on earth where people have had their information taken and used for no good before there was even a sign that there was a problem.</p>
<p>Big business has been reminded again and again that complacency is its worst enemy and they have failed again and again in that area. Why? Well first, total protection is almost always imperfect and somebody out there with enough intent and resources can break in however expensive the protection methods may be. Next is that the best systems for protection are always the ones that cost too much, yet they still remain vulnerable and hackable.  Contrary to most ads you see in print, on the internet or on your television, there is no one true solution to protection, for if the hardware and software measures succeed in protecting you, the humans behind the computers are always the biggest risk. That is why even the most expensive solutions are used in conjunction with other solutions to provide the best of both worlds, combining physical and software solutions in the hope that the combination will be enough protection from the continuous influx of attacks from the web and elsewhere. Encryption is nice but it takes a lot of computing power to implement, making it too expensive for implementation on all levels of the company. All of these high-tech solutions and hardware would be nothing if the people using the various computer systems in the said organization fail to use them, so the weakest link in every system is still the human. Strict adherence and compliance is the key, with systems that process information somewhat autonomously already in use, doing the searching and classification of information without the user’s input. This uses the latest in Artificial Intelligence with minimal intervention or input from the users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/complacency-%e2%80%93-the-it-industry%e2%80%99s-worst-enemy/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Hashing Algorithms From A Cryptographic Perspective</title>
		<link>http://www.it-security-blog.com/cryptography/hashing-algorithms-from-a-cryptographic-perspective/</link>
		<comments>http://www.it-security-blog.com/cryptography/hashing-algorithms-from-a-cryptographic-perspective/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 10:33:29 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>

		<guid isPermaLink="false">http://it-security-blog.com/?p=16</guid>
		<description><![CDATA[With the news of collisions and reductions in attack complexity in both MD5, a commonly used algorithm for checksums on file downloads and integrity checkers, and SHA-1, a commonly used cryptographic hash algorithm in many encryption products, this brings up the question of where to go next, if you are implementing software which uses cryptographically [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://research.yale.edu/ysm/images/78.4/articles-cryptography-enigma.jpg" alt="" /></p>
<p>With the news of collisions and reductions in attack complexity in both MD5, a commonly used algorithm for checksums on file downloads and integrity checkers, and SHA-1, a commonly used cryptographic hash algorithm in many encryption products, this brings up the question of where to go next, if you are implementing software which uses cryptographically strong hashing.</p>
<p>The SHA (Secure Hash Algorithm) family of algorithms, validated by NIST, and standard hash algorithms for cryptographic use, contains not only SHA-1 but an older algorithm called SHA-0, for which attacks have also been reported, and the SHA-2 family, which consists of SHA-224, SHA-256, SHA-384 and SHA-512, collectively.</p>
<p>SHA-256 forms a new minimum recommendation, in many cryptographers’ eyes, given the attacks on SHA-1. Whilst these attacks do not rule out SHA-1 for general use, in order for new software making use of hashing algorithms to be secure for the near future, perhaps a decade, it is important to prepare for the attacks on SHA-0 and SHA-1 becoming more feasible, especially as the cost of <a href="http://www.discovercomputers.info">computing</a> goes down, and the power continues to rise.</p>
<p>SHA-224, SHA-256, SHA-384 and SHA-512 are all named respective to the number of bits in the output hash. The more output bits, the harder it is to create a collision, in general, unless there is a weakness in the hash function itself, as has been found in SHA-0 and SHA-1.</p>
<p>Of course, the SHA-2 family are based on SHA-1, with slight differences in design and larger output, so it is possible that these have potential attacks also, but the size of the brute-force space is dramatically increased, and so these variants of the SHA family will withstand attack for longer, and should prove reliable for the near future.</p>
<p>Looking into the long term, few solutions exist currently that are not based on the SHA format. There are two main contenders, currently, in the form of the RIPEMD family, and the WHIRLPOOL family.</p>
<p>RIPEMD comes in the following flavours, in each case, the number represents the hash size in bits: RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. RIPEMD-128 is a replacement for the original RIPEMD, which was found to have security issues, whereas the others all increase the output size, and therefore the associated security. Again, this family is based on a construct which has been proven susceptible to attacks in the past, so it is possible that the entire family could have weaknesses.</p>
<p>The other main alternative, <a href="http://www.discoverproducts.info">WHIRLPOOL</a>, has no known attacks, and has had two major changes to further improve its security.</p>
<p>WHIRLPOOL is a 512-bit hash function. The changes mentioned involve a change from a randomly generated s-box (substitution box) to one designed to be cryptographically stronger, and also easier to implement in <a href="http://www.discovercomputers.info">hardware</a>, along with a change in the diffusion matrix.</p>
<p>Some leading cryptographers are calling for new cryptographic hash functions to be designed, perhaps in the same design-by-committee method as the AES encryption standard.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/cryptography/hashing-algorithms-from-a-cryptographic-perspective/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cellphone Deals Here&#8230;and there&#8230;. What&#8217;s the catch?</title>
		<link>http://www.it-security-blog.com/uncategorized/cellphone-deals-hereand-there-whats-the-catch/</link>
		<comments>http://www.it-security-blog.com/uncategorized/cellphone-deals-hereand-there-whats-the-catch/#comments</comments>
		<pubDate>Fri, 27 Feb 2009 15:27:51 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[E-mail]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IM]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy & Anonymity]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[Web browsers]]></category>
		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/?p=551</guid>
		<description><![CDATA[Seems everybody is out for cheap deals on just about everything and who wouldn&#8217;t be in this recession where cash is hard to come by and jobs are being shed by the thousands. Now, there are truly some honest cell phone deals out there but you have to be sure you&#8217;re getting the right stuff. [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.it-security-blog.com/wp-content/uploads/2009/02/phishing.jpg" alt="phishing" title="phishing" width="111" height="117" class="alignright size-full wp-image-552" />Seems everybody is out for cheap deals on just about everything and who wouldn&#8217;t be in this recession where cash is hard to come by and jobs are being shed by the thousands. Now, there are truly some honest <a href="http://cellphones.org/">cell phone deals</a> out there but you have to be sure you&#8217;re getting the right stuff. Having the latest phone gadget might be one thing but keeping that new phone secure from hacks is another. Sure you can get it cheap from the internet but how sure are you that you&#8217;re getting the real stuff?<br />
Criminals are becoming craftier than ever and they have even managed to copy branded products complete with all the security stickers and holographic security seals with them. They can also be pre-loaded with malware, for the amount of computing power they pack is enough to emulate an ultraportable, in function that is. Just how dangerous are these hacking attempts? For mobile devices using Windows, very dangerous, for there is a group bent on exacting damage on the software giant.<br />
Ensuring you have the latest updates to your operating system is vital to maintaining your ability to fend off attacks. Having intrusion prevention systems installed is also a good thing, for like your PC, they also need protection. Given the power of these gadgets and their ability to <a href="http://www.it-security-blog.com/uncategorized/president-obama-and-the-blackberry/">connect to the internet</a>, they are not immune to attack. Let&#8217;s set this as an example: an unprotected PC connected to the internet for the first time will last an average of 15 minutes before it is hacked and compromised. Now you do the math for your mobile!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/cellphone-deals-hereand-there-whats-the-catch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CitiBank ATM-Pin Breach</title>
		<link>http://www.it-security-blog.com/uncategorized/citibank-atm-pin-breach/</link>
		<comments>http://www.it-security-blog.com/uncategorized/citibank-atm-pin-breach/#comments</comments>
		<pubDate>Wed, 04 Jun 2008 03:41:55 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[ATM's Hacked]]></category>
		<category><![CDATA[ATM-Fraud]]></category>
		<category><![CDATA[Citi Corp.]]></category>
		<category><![CDATA[Citibank]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/?p=359</guid>
		<description><![CDATA[Citibank, an arm of Citi Corp, has suffered a data breach in the form of 7-11 Store installed ATM machines which were broken into by hackers who got away with millions according to the report on Yahoo News. The three hackers have been found, arrested and are currently under custody as the case is further [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.it-security-blog.com/wp-content/uploads/2008/07/atm_hack1.jpg"><img src="http://www.it-security-blog.com/wp-content/uploads/2008/07/atm_hack1.jpg" alt="" title="atm_hack1" width="125" height="81" class="alignleft size-medium wp-image-365" /></a>Citibank, an arm of Citi Corp, has suffered a data breach in the form of 7-11 Store installed ATM machines which were broken into by hackers who got away with millions, according to the report on <a href="http://news.yahoo.com/s/ap/20080701/ap_on_hi_te/tec_atm_breach">Yahoo News</a>. The three hackers have been found, arrested and are currently in custody as the case is further studied and discussed in the courtroom.<br />
The problem happened when these hackers got through third-party computers that handled debit card account transactions, taking all the information they needed to engage in online transactions without the need for physical contact with any ATM machine.<br />
The problem is another case of lax data security, even though ATM PINs are said to be the most secure of all bank information systems, for the potential is horrendous in terms of loss. </p>
<blockquote><p>&#8220;PINs were supposed be sacrosanct — what this shows is that PINs aren&#8217;t always encrypted like they&#8217;re supposed to be,&#8221; said Avivah Litan, a security analyst with the Gartner research firm. &#8220;The banks need much better fraud detection systems and much better authentication.&#8221;
</p></blockquote>
<p>This shows that even with the repetitive problems and incidents of identity theft, not everybody is listening and taking action to protect their information. In the case of Citi Corp., their third party providers should have had ample measures such as <a href="http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-1/">encryption</a>, and redundant security measures to prevent such incidents from even happening. <a href="http://blog.washingtonpost.com/securityfix/2008/06/citibank_to_replace_atms_follo.html">Citi Corp.</a>, being one of the biggest multi-national banks with accounts all over the world, should have check and balance systems that ensure customer information is safeguarded from such intrusions, which in this case is going to cost them millions of dollars. The company has relied so heavily on systems based on <a href="http://builder-news.com.com/Windows-based-cash-machines-easily-hacked/2100-7349_3-6233030.html">Microsoft Software technology</a> which has received continuous attacks and this is just another addition to the types of attacks they suffer from hackers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/citibank-atm-pin-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption &#8211; Why people shun away from it even now? (Part 2)</title>
		<link>http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-2/</link>
		<comments>http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-2/#comments</comments>
		<pubDate>Sun, 01 Jun 2008 03:39:49 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Storage]]></category>
		<category><![CDATA[Wireless Security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Security Policies]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/?p=361</guid>
		<description><![CDATA[If you happen to be a small or medium scale company that cannot afford multiple data stores and infinite numbers of mirrored hard drives, that becomes a problem. An encrypted hard disk in a laptop that gets banged up damaging the hard disk may still have some of the information intact enough for recovery but [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.it-security-blog.com/wp-content/uploads/2008/07/encryption.jpg"><img src="http://www.it-security-blog.com/wp-content/uploads/2008/07/encryption.jpg" alt="" title="encryption" width="130" height="123" class="alignleft size-medium wp-image-367" /></a>If you happen to be a small or medium scale company that cannot afford multiple data stores and infinite numbers of mirrored hard drives, that becomes a problem. An encrypted hard disk in a laptop that gets banged up damaging the hard disk may still have some of the information intact enough for recovery but damage some of the vital keys and software and you are left hanging by a thread or down in the gutters. Data recovery is possible but only through expensive methods with the hard disks being opened up, the platters extracted and installed into another similar hard disk for data extraction. Only the military and federal government would have enough cash to burn in terms of data recovery at that level for the price is computed in the amount of megabytes recovered and on a per hard disk basis, and imagine a 1 terabyte drive at say $50/MB then you&#8217;d be scratching your head by now, and that’s just for a single drive.<br />
The risks of identity theft and information leakage are real but the technology is still quite prone to failure even with today&#8217;s quad-core, which is why we didn&#8217;t discuss the performance issue in the discussion. Today&#8217;s multi-core processors are capable of handling complex tasks such as real time encryption and decryption as if there was nothing happening in the background. The performance issue has been addressed by more powerful microprocessors but the reliability of the hard disks which store the information and even the CDs is still quite weak. Till there is more definite proof that all parts of the computer have reached such a reliable level that failure is less of a factor, more people would still retain their own proprietary security measures (birthday passwords, flash thumb drives that always get lost and physically carrying their discs with them).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Encryption &#8211; Why people shun away from it even now? (Part 1)</title>
		<link>http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-1/</link>
		<comments>http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-1/#comments</comments>
		<pubDate>Wed, 28 May 2008 11:19:21 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Storage]]></category>
		<category><![CDATA[data-recovery]]></category>
		<category><![CDATA[data-security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Hard Disk Failure]]></category>
		<category><![CDATA[hardware-failure]]></category>
		<category><![CDATA[Risks]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-1/</guid>
		<description><![CDATA[Encryption used to be the mainstay of military and other government agencies who need to secure the information they handled preventing anybody who may get access rendering the information useless. Everybody knows about it yet not many use it for the protection of their vital information stores, why? Well there are a hundred reasons why [...]]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.it-security-blog.com/wp-content/uploads/2008/06/encryption.jpg' title='encryption.jpg'><img src='http://www.it-security-blog.com/wp-content/uploads/2008/06/encryption.thumbnail.jpg' alt='encryption.jpg' /></a>Encryption used to be the mainstay of military and other government agencies who need to secure the information they handled, rendering the information useless to anybody who may get access. Everybody knows about it yet not many use it for the protection of their vital information stores, why? Well there are a hundred reasons why people mistrust such an extreme measure as encrypting data and one is the reliability of the technology on which it is used. Computers as we know have become cheaper and cheaper, which has been good on one side, but it also raises the risk of failure due to cheaper parts and higher risk for data loss due to failure. I know a lot of people would be going against me on this one but if you have experienced a hard disk crash during my many years of computer use and association with them in my previous line of work as a technical support supervisor, you&#8217;d know what I mean.<br />
The technology we have today is of the highest level of quality and technological complexity of the computers I started to work with (386&#8242;s and 486&#8242;s) but the robustness of these gadgets and gizmos we call peripherals are still quite low except for the extreme types that are too expensive for the ordinary user to afford. Imagine a failed motherboard that has fried circuits, no problem for the hard disks are seldom affected by such incidents. Get the board out and swap it out and you connect the hard disk and you have your data available. Imagine you have a failure in the hard drive itself; you get some software and try to recover that information hoping you get enough of the sensitive files your boss needs in the morning. Now, imagine having a hard disk that was encrypted and had some of its sectors rendered useless, now that&#8217;s a nightmare for the encrypted data is useless with the key and the code stored into the hard disk itself. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/encryption-why-people-shun-away-from-it-even-now-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Government Laptops and Computers get encrypted</title>
		<link>http://www.it-security-blog.com/uncategorized/government-laptops-and-computers-get-encrypted/</link>
		<comments>http://www.it-security-blog.com/uncategorized/government-laptops-and-computers-get-encrypted/#comments</comments>
		<pubDate>Sun, 25 May 2008 10:43:32 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Storage]]></category>
		<category><![CDATA[data-encryption]]></category>
		<category><![CDATA[data-security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Federal Government]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/uncategorized/government-laptops-and-computers-get-encrypted/</guid>
		<description><![CDATA[Due to the recent problems associated with the loss of government laptops and security breaches such as the incident where the laptop of a Federal Trade Official was reported to have been compromised by reportedly Chinese operatives while on a trip overseas, the US Federal government has begun to encrypt their laptops in hopes of [...]]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.it-security-blog.com/wp-content/uploads/2008/06/datasecurity.jpg' title='datasecurity.jpg'><img src='http://www.it-security-blog.com/wp-content/uploads/2008/06/datasecurity.thumbnail.jpg' alt='datasecurity.jpg' /></a>Due to the recent problems associated with the loss of government laptops and security breaches, such as the incident where the laptop of a <a href="http://www.foxnews.com/wires/2008May29/0,4670,ChinaHacking,00.html">Federal Trade Official</a> was reported to have been compromised, reportedly by Chinese operatives, while on a trip overseas, the US Federal government has begun to encrypt its laptops in hopes of bolstering security and preventing such risks in the future. Let us just hope that they do it fast enough, for no one wants to get their personal and financial information released online or obtained by enemies of the state (terrorists in layman&#8217;s terms). Of the estimated 2 million laptops the US government and its many agencies have, only <a href="http://www.itsecurity.com/features/in-the-news-teapots-052808/">800,000</a> have had the encryption system developed by the Department of Defense and the General Services Administration installed.<br />
Encryption is one of the most secure ways of keeping data safe from unauthorized access; it renders the data useless without the proper software or security keys. Comparable to the dial combination on a bank vault, the encryption process turns files into a useless bundle of information that cannot be read or used for other purposes.<br />
All this effort is meant to boost the security of information that is gathered and collated by the various agencies. Even private businesses that have ties with the government through contracts have had their computers encrypted to ensure the information they handle and use stays secure and out of the hands of criminals who aim to use it against the government.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/government-laptops-and-computers-get-encrypted/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Paypal Boosts security</title>
		<link>http://www.it-security-blog.com/uncategorized/paypal-boosts-security/</link>
		<comments>http://www.it-security-blog.com/uncategorized/paypal-boosts-security/#comments</comments>
		<pubDate>Mon, 28 Apr 2008 19:25:02 +0000</pubDate>
		<dc:creator>Saran</dc:creator>
				<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[IT Security Basics]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy & Anonymity]]></category>
		<category><![CDATA[Real-World Issues]]></category>
		<category><![CDATA[Security Policies]]></category>
		<category><![CDATA[Spyware]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Paswords]]></category>
		<category><![CDATA[PayPal]]></category>
		<category><![CDATA[PCI-DSS]]></category>
		<category><![CDATA[VeriSign]]></category>

		<guid isPermaLink="false">http://www.it-security-blog.com/uncategorized/paypal-boosts-security/</guid>
		<description><![CDATA[In efforts to boost security, Paypal, one of the premier internet online payment providers is moving to block users who use older browsers to prevent weaknesses that these browsers possess. They have found that many users online still use old Microsoft IE 3.0 and 4.0 which have ended their support life a long time ago [...]]]></description>
			<content:encoded><![CDATA[<p><a href='http://www.it-security-blog.com/wp-content/uploads/2008/04/phishing.jpg' title='phishing.jpg'><img src='http://www.it-security-blog.com/wp-content/uploads/2008/04/phishing.thumbnail.jpg' alt='phishing.jpg' /></a>In efforts to boost security, Paypal, one of the premier internet online payment providers, is moving to block users who use older browsers, to avoid the weaknesses that these browsers possess. They have found that many users online still use old Microsoft IE 3.0 and 4.0, which ended their support life a long time ago; hence they lack the security updates that are necessary to conduct safe and secure online transactions with regards to payments and other related business. Paypal has had a lot of bad publicity with regards to phishing and infiltration, where people intercept and go on fake bidding sprees just to get at the vital financial information that people usually share over the network. In hopes of boosting security, they will be using script detection to begin blocking users, and they apologize for all the inconvenience this may cause the millions of users who may be affected by their move. This comes as identity theft and other crimes have increasingly entered their ranks, ending in much stolen information that leads to credit card fraud. Being the biggest, they are the most viable target for such hackers, and they are trying to boost security on that front of the deal.<br />
This will hopefully prevent more cases from developing, and any new ones will be <em>&#8216;nipped in the bud&#8217;</em>, so to speak.<br />
Paypal and eBay have offered select users distinct security keys using VeriSign passwords that are to be transmitted during payment transactions, which aims to prevent interception of the transaction information as it travels through the internet. Unlike specific credit card transactions that travel through dedicated lines, which are now slowly being protected by <a href="http://www.it-security-blog.com/it-security-basics/financial-institutions-prime-phishing-targets/">PCI-DSS</a> for improved security, regular PCs do not have that much security hardware installed to protect them from interception by hackers who could tap into the network and get all the credit card information for illegal purchases. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-security-blog.com/uncategorized/paypal-boosts-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

