Showing posts with label Encryption. Show all posts

Sunday, February 2, 2014

Cybersecurity in the age of "Surveillance"

How to assure that your network and its data are being guarded by a trusted partner?

The collection of information generated from the online activities of citizens, by both private and public interests, has become so widespread and pervasive that it has prompted several social commentators to label today’s digital-defined culture as “The Surveillance Age.”

Nearly every sovereign state with the means is conducting high-tech surveillance programs, a practice most consider integral to national security and to ensuring the safety of the state and its citizens. For many observers, the most disconcerting component of the recently exposed data-collection activities of the National Security Agency was the suggestion that multiple U.S. companies may have cooperated in the surveillance activities.

The possibility that trusted businesses could be leaving digital backdoors through which sensitive information could slip has cast a chill across both consumer and professional market sectors. This is not an issue for us to speculate on here; however, given the interest it has attracted, it would be valuable to share some fundamental information about mobile security, as well as some guidance to assure that your network and its data are being guarded by a trusted partner.

A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted both at rest (stored on a digital device) and in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness, or reputation of an organization. Strong encryption guards against data integrity compromises in these environments, which network engineers and mobile security experts typically treat as hostile and untrustworthy.

It’s important to note that encryption technologies differ significantly in the degrees of protection they offer. Gaining a deeper understanding of encryption requires an introduction to a few esoteric cryptography terms. One of those terms is entropy, which plays a significant role in determining the effectiveness of a modern encryption system. At a very high level, entropy is a measure of how much randomness you have. Simply put, the more entropy you have, the more effective your encryption can be. Consider the difference between seeking a needle in a haystack and looking for one hidden in an acre’s worth of haystacks. The procedures are essentially the same; it’s the level of difficulty and complexity that differs substantially between the two scenarios.
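The two ideas in the paragraphs above, "confidentiality and integrity" and key entropy, can be made concrete. The following is an added example written for this page, not code from the post or from any product it mentions: a small encrypt-then-MAC scheme built only from Python's standard library (HMAC-SHA256 used as a keystream generator in counter mode, with a second HMAC as the integrity tag), plus a function that computes how many bits of entropy a uniformly random key or password carries. The sample message and the key sizes compared are constructed for the demonstration; in production you would use a vetted AEAD cipher from a maintained library rather than this hand-built construction.

```python
# Added example (not from the blog post): confidentiality + integrity from the
# Python standard library, plus an entropy calculator for keys and passwords.
import hashlib
import hmac
import math
import os
import secrets
import string


def derive_keys(master_key: bytes):
    """Derive independent encryption and MAC keys from one master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(16)  # fresh per message so identical plaintexts differ
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag (constant-time compare) before touching the ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < 16 + 32:
        raise ValueError("message too short to contain nonce and tag")
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: modified in transit or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper(message: bytes, index: int) -> bytes:
    """Flip one bit of the ciphertext, as an on-path attacker might; the tag catches it."""
    data = bytearray(message)
    data[16 + index] ^= 0x01
    return bytes(data)


def key_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random key or password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def demo():
    key = secrets.token_bytes(32)  # 32 random bytes = 256 bits of entropy from the OS CSPRNG
    msg = b"account=ACME-1234; balance=1000.00"  # constructed sample record
    sealed = encrypt(key, msg)
    assert decrypt(key, sealed) == msg
    try:
        decrypt(key, tamper(sealed, 0))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # The "haystack" comparison from the text: a 256-bit key versus an
    # 8-character lowercase password versus a 16-character printable password.
    return {
        "tamper_detected": tamper_detected,
        "key_bits": key_entropy_bits(256, 32),
        "8_lowercase_bits": round(key_entropy_bits(len(string.ascii_lowercase), 8), 1),
        "16_printable_bits": round(key_entropy_bits(len(string.printable.strip()), 16), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The tag is checked before any decryption happens and with a constant-time comparison, so a modified message is rejected outright rather than yielding garbage; the entropy figures show why an 8-character lowercase password (about 38 bits) is a far smaller "haystack" than a random 256-bit key.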

Any discussion related to digital intrusion or surveillance has to include spyware, which is a form of malware. Businesses or organizations using mobile devices that have open development platforms are especially susceptible to attempts to exploit users through spyware. It is also a favorite tool of cyber criminals, who are increasingly targeting mobile devices as access points into the confidential data of organizations for purposes that range from nuisance to nefarious. 

Disguised within a consumer application, malware can be used to gain access to personal information, for anything from marketing to identity theft to compromising corporate data. This real and growing threat requires security solutions that properly safeguard the privacy of governments, enterprise workers, and individual users.

The fact that the number and utility of mobile devices will only increase means that the boundaries of the modern organization are being stretched to include hundreds or even thousands of mobile end points possessing access to the most precious assets, such as intellectual property and other sensitive information.

Security in this environment cannot be an afterthought. It must be built in at every layer -- hardware, software, and network infrastructure -- to ensure end-to-end protection. With the stakes so high in “The Surveillance Age,” it’s imperative that you demand a commitment to confidentiality and integrity from every partner you trust with your information.

Monday, April 8, 2013

Think someone may be reading your emails?

Encrypt them, and they can't

Are you sending confidential information in your email, text and instant messages? If so, you could be exposing it to a lot of peeping eyes...and they may decide to do bad things with it!

Here are some ways to encrypt your digital messages:

  • In Outlook, within your message, go to File, Properties, Security Settings, and click the box for "Encrypt message contents and attachments."
  • If you use some type of webmail, most good ones offer SSL as a security option; use it. It encrypts the messages *while they are traveling through the Internet.*

    However, it is not the same as encrypting the message itself. Your messages are still in clear text within the mail box storage, and when forwarded elsewhere not using an SSL-encrypted transmission method.
  • For webmail, consider getting an add-on tool, such as Armacrypt.
  • Another email option is Hushmail.
  • Consider using an up-to-date version of PGP.
  • Here's a pretty good discussion of encrypting text messages on Android devices.
  • Here are some smartphone encryption apps to consider.

Useful TIP! Don't send any sensitive or confidential information using social network messaging systems, such as Facebook mail. While you can have the *connection* (meaning while it is traveling from you to your recipient) encrypted using SSL, it does not encrypt the message itself, leaving it in clear text within the many Facebook repositories.

Sunday, June 10, 2012

Apple has released iOS Security

Apple iOS Security

Apple normally stays very quiet when it comes to discussing the security mechanisms of its products. Now it has released a document that will make life a little easier for anyone responsible for securing iOS devices.

The document, titled iOS Security, provides details on the system architecture, encryption and data protection, network security features and device access for iOS devices. If you develop policies and/or mechanisms for BYOD security, this is recommended reading.

From the Apple iOS Security document:

“This document provides details about how security technology and features are implemented within the iOS platform. It also outlines key elements that organizations should understand when evaluating or deploying iOS devices on their networks.

System architecture: The secure platform and hardware foundations of iPhone, iPad, and iPod touch.

Encryption and Data Protection: The architecture and design that protects the user’s data when the device is lost or stolen, or when an unauthorized person attempts to use or modify it.

Network security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.

Device access: Methods that prevent unauthorized use of the device and enable it to be remotely wiped if lost or stolen.”

Is Apple now recognizing the growing threats their products face? Prior to this, security researchers have traditionally had to rely on reverse engineering Apple’s products to better understand their security mechanisms.

Refer here to download the document from Apple’s website.

Friday, March 16, 2012

Smartphone Security

5 Tips To Secure Your Smart Phone!

Smartphones are wonderful, yet rife with privacy pitfalls. Here are five quick tips for making your device less prone to a hacker attack.
  1. Do not download apps from unknown sources. Only download those from the official app stores sponsored by the smartphone manufacturers, as they are typically more secure.

  2. Control your location settings. To make your location as protected as possible, turn off all location assessment options.

  3. Before installing an app, be sure to read the Permissions screen. Note where your data is going to be stored. The most secure apps are those that only store data on your device, or store a minimal amount on the vendor systems, and those from vendors that do not share your app data with third parties.

  4. When you no longer use an app, remove it from your phone. An app-happy friend recently realized she had more than 185 unused apps on her device - many of which were tracking her whereabouts.

  5. Encrypt your smartphone data. Many apps inspect your smartphone data storage areas, and the unscrupulous ones will copy what they find interesting and/or valuable.

Thursday, March 1, 2012

SNC Client Encryption Now Available Free of Charge for SAP NetWeaver Customers

Secure Network Communication Client Encryption

SNC (Secure Network Communication) Client Encryption is an optional feature for SAP GUI and the SAP NetWeaver technology platform. This software component enables users to protect communications between SAP GUI and the SAP Application Server ABAP using symmetric encryption algorithms.

It also offers encryption of business data for RFC (Remote Function Call) clients, such as the BEx Query Designer. SNC Client Encryption is based on Microsoft Kerberos technology; it does not offer single sign-on capabilities.

For detailed information, please refer to SAP Note 1643878. The software is available for download on the SAP Service Marketplace (login required): https://service.sap.com/swdc, then select Installations and Upgrades.

Tuesday, February 7, 2012

Ten little things to secure your online presence

Life online can be a bit of a minefield, especially when it comes to avoiding malicious hacker attacks.

Here’s some basic advice on the tools and tricks you can implement immediately to secure your identity and online presence.

You’ve all heard the basic advice — use a fully updated anti-malware product, apply all patches for operating system and desktop software, avoid surfing to darker parts of the Web, etc. etc.

Those are all important but there are a few additional things you can do to secure your online presence and keep hackers at bay. Here are 10 little things that can provide big value:

1. Use a Password Manager

Password managers have emerged as an important utility to manage the mess of creating strong, unique passwords for multiple online accounts. This helps you get around password-reuse (a basic weakness in the identity theft ecosystem) and because they integrate directly with Web browsers, password managers will automatically save and fill website login forms and securely organize your life online.

Some of the better ones include LastPass, KeePass, 1Password, Steganos and Kaspersky Password Manager. Trust me, once you invest in a Password Manager, your life online will be a complete breeze and the security benefits will be immeasurable.

2. Turn on GMail two-step verification

Google’s two-step verification for GMail accounts is an invaluable tool to make sure no one is logging into your e-mail account without your knowledge. It basically works like the two-factor authentication you see at banking sites and uses text messages sent to your phone to verify that you are indeed trying to log into your GMail. It takes about 10 minutes to set up and can be found at the top of your Google Accounts Settings page. Turn it on and set it up now.

While you’re there, you might want to check the forwarding and delegation settings in your account to make sure your email is being directed properly. It’s also important to periodically check for unusual access or activity in your account. You can see the last account activity recorded at the bottom of the GMail page, including the most recent IP addresses accessing the account.

3. Switch to Google Chrome and install KB SSL Enforcer

With sandboxing, safe browsing and the silent patching (auto-updates), Google Chrome’s security features make it the best option when compared to the other main browsers. I’d also like to emphasize Google’s security team’s speed at fixing known issues, a scenario that puts it way ahead of rivals.

Once you’ve switched to Chrome, your next move is to install the KB SSL Enforcer extension, which forces encrypted browsing wherever possible. The extension automatically detects if a site supports SSL (TLS) and redirects the browser session to that encrypted session. Very, very valuable.

4. Use a VPN everywhere

If you’re in the habit of checking e-mails or Facebook status updates in coffee shops or on public WiFi networks, it’s important that you use a virtual private network (VPN) to encrypt your activity and keep private data out of the hands of malicious hackers.

The video above explains all you need to know about the value of VPNs and how to set it up to authenticate and encrypt your web sessions. If you use public computers, consider using a portable VPN application that can run off a USB drive.

5. Full Disk Encryption

The Electronic Frontier Foundation (EFF) has made this a resolution for 2012 and I’d like to echo this call for computer users to adopt full disk encryption to protect your private data. Full disk encryption uses mathematical techniques to scramble data so it is unintelligible without the right key.

This works independently of the policies configured in the operating system software. A different operating system or computer cannot just decide to allow access, because no computer or software can make any sense of the data without access to the right key. Without encryption, forensic software can easily be used to bypass an account password and read all the files on your computer.

Here’s a useful primer on disk encryption and why it might be the most important investment you can make in your data. Windows users have access to Microsoft BitLocker while TrueCrypt provides the most cross-platform compatibility.

6. Routine Backups

If you have ever gone through the sudden death of a computer or the loss of a laptop while travelling, then you know the pain of losing all your data. Get into the habit of automatically saving the contents of your machine to an external hard drive or to a secure online service.

Services like Mozy, Carbonite or iDrive can be used to back up everything, from files to music to photos, or you can simply invest in an external hard drive and routinely back up all the stuff you can’t afford to lose. For Windows users, here’s an awesome cheat sheet from Microsoft.

7. Kill Java

Oracle Sun’s Java has overtaken Adobe software as the most targeted by hackers using exploit kits. There’s a very simple workaround for this: immediately uninstall Java from your machine. Chances are you don’t need it and you probably won’t miss it unless you’re using a very specific application. Removing Java will significantly reduce the attack surface and save you from all those annoying checked-by-default bundles that Sun tries to sneak onto your computer.

8. Upgrade to Adobe Reader X

Adobe’s PDF Reader is still a high-value target for skilled, organized hacking groups, so it’s important to make sure you are running the latest and greatest version of the software. Adobe Reader and Acrobat X contain Protected Mode, a sandbox technology that serves as a major deterrent to malicious exploits.

According to Adobe security chief Brad Arkin, the company has not yet seen a single piece of malware identified that is effective against a version X install. This is significant. Update immediately. If you still distrust Adobe’s software, you may consider switching to an alternative product.

9. Common sense on social networks

Facebook and Twitter have become online utilities and, as expected, the popular social networks are a happy hunting ground for cyber-criminals. I strongly recommend against using Facebook because the company has no respect or regard for user privacy but, if you can’t afford to opt out of the social narrative, it’s important to always use common sense on social networks.

Do not post anything sensitive or overly revealing because your privacy is never guaranteed. Pay special attention to the rudimentary security features and try to avoid clicking on strange video or links to news items that can lead to social engineering attacks. Again, common sense please.

10. Don’t forget the basics

None of the tips above would be meaningful if you forget the basics. For starters, enable Windows Automatic Updates to ensure operating system patches are applied in a timely manner. Use a reputable anti-malware product and make sure it’s always fully updated.

Don’t forget about security patches for third-party software products (Secunia CSI can help with this). When installing software, go slowly and look carefully at pre-checked boxes that may add unwanted crap to your machine. One last thing: Go through your control panel and uninstall software that you don’t or won’t use.

Sunday, January 15, 2012

Signcryption: New Technology & Standard to improve Cyber Security

Signcryption is a technology that protects confidentiality and authenticity, seamlessly and simultaneously.

For example, when you log in to your online bank account, signcryption prevents your username and password from being seen by unauthorized individuals. At the same time, it confirms your identity for the bank.

UNC Charlotte professor Yuliang Zheng invented the revolutionary new technology and he continues his research in the College of Computing and Informatics. After nearly a three-year process, his research efforts have been formally recognized as an international standard by the International Organization for Standardization (ISO).

News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.

“The adoption of signcryption as an international standard is significant in several ways,” he said. “It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”

“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said.

“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”

Monday, January 2, 2012

How-to encrypt and password protect your personal folders & files in Windows and Mac

TrueCrypt - Free Open-Source Disk Encryption Software

You can’t easily password protect folders or files in Windows / Mac yet, but you can remove the permissions for users or use TrueCrypt to create mountable encrypted containers that can only be accessed with the correct password.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention.

No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, metadata, etc.).

Encryption does not mean it has to be slow or difficult. In fact, TrueCrypt makes it really fast and you can access all files as if they were unencrypted. Here is how you can do it:

  1. Download TrueCrypt from http://www.truecrypt.org/downloads (latest stable 7.1 09/26/11)

  2. When you install TrueCrypt select Extract files, this will extract the program without actually installing it.

  3. Now start the TrueCrypt.exe

  4. Click on Create New Volume and this screen will pop up:

    [Screenshot: Encrypt and protect files]

  5. Select Standard for now

  6. Find a place for your encrypted container. Think of it as a real file that is password-protected. Store it for example here: C:\Users\yourusername\Desktop

    [Screenshot: Create volume location for encrypted files]

    Make sure you have enough disk space.

  7. Select an algorithm. Don’t know what to choose? Use the default!

  8. Enter a size for the encrypted container.

  9. Set a password for your encrypted container. Don’t make your password too short or it will be easy to crack.

  10. Move your mouse around for a while to improve the randomness of the encryption key, then click on Format.

    [Screenshot: Volume format encryption]

  11. Back on the TrueCrypt main screen, enter the path to your encrypted container (or click on Select file and browse to it)

  12. Finally click on Mount, you can now access your encrypted password-protected container like any other hard drive via the explorer! Awesome? It is!

    [Screenshot: Mount password protected encrypted folder]

There are various other methods to password protect and encrypt folders. However, TrueCrypt is the best free solution, and using it is an effective way to protect your private folders.

If you need more protection, simply create an encrypted container and store your files on a flash drive. Flash drives with 8GB or more are cheap and can be used to store all your private files. You could also use an external USB hard drive for storing the password-protected encrypted folders.

Sunday, October 16, 2011

10 Domains of Cloud Security Services

Cloud Security Alliance Foresees Security as a Service

Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

The Security-as-a-Service Working Group of the Cloud Security Alliance, a not-for-profit association formed by cloud-computing stakeholders, issued a report Monday that defines 10 categories of security services that can be offered over the cloud.

The alliance said its report is aimed at providing cloud users and providers greater clarity on security as a service in order to ease its adoption while limiting the financial burden security presents to organizations. The 10 security-as-a-service categories are:
  1. Identity and Access Management should provide controls for assured identities and access management. Identity and access management includes people, processes and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity.

    Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application/solution.

  2. Data Loss Prevention is the monitoring, protecting and verifying the security of data at rest, in motion and in use in the cloud and on-premises. Data loss prevention services offer protection of data usually by running as some sort of client on desktops/servers and running rules around what can be done.

    Within the cloud, data loss prevention services could be offered as something that is provided as part of the build, such that all servers built for that client get the data loss prevention software installed with an agreed set of rules deployed.

  3. Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.

    This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable also can be enforced via these web security technologies.

  4. E-mail Security should provide control over inbound and outbound e-mail, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam and providing business continuity options.

    The solution should allow for policy-based encryption of e-mails as well as integrating with various e-mail server offerings. Digital signatures enabling identification and non-repudiation are features of many cloud e-mail security solutions.

  5. Security Assessments are third-party audits of cloud services or assessments of on-premises systems based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model.

    In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investments.

  6. Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop/prevent an intrusion.

    The methods of intrusion detection, prevention and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.

  7. Security Information and Event Management systems accept log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents/events that may require intervention.

    The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.

  8. Encryption systems typically consist of algorithms that are computationally difficult or infeasible to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal and key exchange.

  9. Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.

    Business continuity and disaster recovery provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility to minimize cost and maximize benefits.

  10. Network Security consists of security services that allocate access, distribute, monitor and protect the underlying resource services. Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.

    In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices.
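Categories 1 and 7 above come together in practice: the audit log of successful and failed authentication attempts that an IAM service must keep is exactly what a SIEM correlates to raise an alert. The following is an added example written for this page, not code from the Cloud Security Alliance report or any vendor: a small correlation engine over constructed key=value authentication log lines (the hosts, users and RFC 5737 documentation addresses are made up). It flags a burst of failed logins from one source address, flags a success from that same address right after the burst as a possible compromise, and lists users who logged in successfully from more than one address, the kind of "recent IP addresses" check a person would otherwise do by eye.

```python
# Added example (not from the CSA report): SIEM-style correlation over IAM audit logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real traffic). One auth event per line.
SAMPLE_LOGS = """\
2011-10-16T08:00:01Z host=app01 event=auth result=FAIL user=alice src=203.0.113.7
2011-10-16T08:00:04Z host=app01 event=auth result=FAIL user=alice src=203.0.113.7
2011-10-16T08:00:09Z host=app01 event=auth result=FAIL user=alice src=203.0.113.7
2011-10-16T08:00:13Z host=app01 event=auth result=FAIL user=alice src=203.0.113.7
2011-10-16T08:00:20Z host=app01 event=auth result=FAIL user=alice src=203.0.113.7
2011-10-16T08:00:25Z host=app01 event=auth result=SUCCESS user=alice src=203.0.113.7
2011-10-16T08:30:00Z host=app01 event=http status=200 path=/index src=198.51.100.4
2011-10-16T09:00:00Z host=app01 event=auth result=SUCCESS user=bob src=198.51.100.4
2011-10-16T09:30:00Z host=app02 event=auth result=SUCCESS user=bob src=192.0.2.99
2011-10-16T10:00:00Z host=app01 event=auth result=FAIL user=carol src=198.51.100.12
2011-10-16T10:00:30Z host=app01 event=auth result=FAIL user=carol src=198.51.100.12
2011-10-16T10:00:45Z host=app01 event=auth result=SUCCESS user=carol src=198.51.100.12
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; None for unparseable lines."""
    match = LOG_LINE.match(line.strip())
    if not match:
        return None
    fields = dict(pair.split("=", 1) for pair in match.group("kv").split() if "=" in pair)
    fields["ts"] = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text: str):
    """Keep only authentication events; other event types are irrelevant to these rules."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e and e.get("event") == "auth"]


def detect_bruteforce(events, threshold: int = 5, window=timedelta(minutes=2)):
    """Sliding-window rule: `threshold` FAILs from one src within `window` raises
    BRUTE_FORCE; a SUCCESS from that src while the window is still full raises
    POSSIBLE_COMPROMISE (the guessing may have worked)."""
    alerts = []
    recent_fails = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src = e["src"]
        # expire failures that fell out of the window
        recent_fails[src] = [t for t in recent_fails[src] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            recent_fails[src].append(e["ts"])
            if len(recent_fails[src]) == threshold:   # fire once, when the threshold is crossed
                alerts.append({"type": "BRUTE_FORCE", "src": src,
                               "user": e["user"], "time": e["ts"].isoformat()})
        elif e["result"] == "SUCCESS" and len(recent_fails[src]) >= threshold:
            alerts.append({"type": "POSSIBLE_COMPROMISE", "src": src,
                           "user": e["user"], "time": e["ts"].isoformat()})
    return alerts


def users_with_multiple_sources(events):
    """Users whose successful logins came from more than one source address."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS":
            seen[e["user"]].add(e["src"])
    return {user: sorted(srcs) for user, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    for alert in detect_bruteforce(evts):
        print(alert)
    print(users_with_multiple_sources(evts))
```

Carol's two typos do not trip the rule because the threshold is five failures, while alice's five rapid failures followed by a success produce two alerts; the "multiple sources" report is informational and needs a human (or a geolocation feed) to decide whether bob travelling is normal.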

Wednesday, August 17, 2011

PCI Council issues PCI tokenization compliance guidance

PCI tokenization document mirrors the Visa Best Practices for Tokenization

Using tokenization technology to eliminate credit card data can reduce the scope of a Payment Card Industry Data Security Standard assessment, but merchants must be careful to avoid many pitfalls associated with the technology, according to a new report issued today by the PCI Security Standards Council.

The long-awaited PCI DSS Tokenization Guidelines outline how tokens can be used in merchant systems and ways to properly deploy the technology, which substitutes tokens in place of primary account numbers (PANs) to limit the movement of cardholder data in the environment. A properly deployed system in certain merchant environments can “potentially” reduce the merchant’s effort to implement PCI DSS requirements, according to the report.

The tokenization document mirrors the Visa Best Practices for Tokenization report, which was issued last summer. Tokens used within merchant analytical systems and payment applications may not need the same level of security protection.
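To make the substitution the guidelines describe concrete, here is an added example written for this page, not code from the PCI Council, Visa or any tokenization vendor: a minimal token vault in Python. A PAN is validated (length and Luhn check digit), replaced by a token that keeps only the last four digits for receipts and analytics, and the PAN-to-token mapping lives solely inside the vault, which only a caller in the payment-processor role may reverse. The token is generated from a cryptographic random source rather than derived from the PAN, and is deliberately built to fail the Luhn check so it can never be mistaken for a real card number. The test card number used is the well-known 4111 1111 1111 1111 test value, and the role names are assumptions for the demonstration.

```python
# Added example (not from the PCI guidance): a minimal tokenization vault.
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test: every real PAN passes; tokens here are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display mask: first six and last four digits at most."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Holds the only copy of the PAN <-> token mapping. Systems outside the
    vault (order database, analytics, support tools) see tokens only, which is
    what takes them out of PCI DSS scope."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            # same PAN -> same token, so analytics can still group a card's transactions
            return self._pan_to_token[pan]
        while True:
            token = self._random_token(pan)
            if token not in self._token_to_pan:   # avoid an (unlikely) collision
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    @staticmethod
    def _random_token(pan: str) -> str:
        """Keep the last four digits; everything else is random from a CSPRNG, never a
        hash or encryption of the PAN, so no key or rainbow table can recover it. The
        result is rejected until it fails Luhn, so it cannot pass as a real PAN."""
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token):
                return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment system may recover a PAN; everything else gets refused."""
        if caller_role != "payment-processor":   # assumed role name for the demo
            raise PermissionError("caller is not authorised to recover PANs")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"     # well-known test card number, not a live account
    tok = vault.tokenize(test_pan)
    print("display:", mask_pan(test_pan), "token:", tok,
          "same token on repeat:", vault.tokenize(test_pan) == tok)
```

The two design choices that matter most for an assessment are visible in the code: the token carries no mathematical relationship to the PAN (so a stolen token database is worthless without the vault), and the vault enforces who may reverse a token, so the analytics and order systems that hold tokens stay outside the cardholder data environment.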

Thursday, July 21, 2011

Security analysis of Dutch smart metering systems

Smart metering must offer a security level as high as for money transfers - Dutch minister of Economic Affairs

Smart meters enable utility companies to automatically read out metering data and to give consumers insight into their energy usage, which should lead to a reduction of energy usage. To regulate smart meter functionality the Dutch government commissioned the NEN to create a Dutch standard for smart meters, which resulted in the NTA-8130 specification.

Currently the Dutch grid operators are experimenting with smart meters in various pilot projects. In this project we have analyzed the current smart meter implementations and the NTA using an abstract model based on the CIA triad (Confidentiality, Integrity and Availability). It is important that no information can be attained by unauthorized parties, that smart meters cannot be tampered with and that suppliers get correct metering data.

It was concluded that the NTA is not specific enough about the security requirements of smart meters, which leaves this open for interpretation by manufacturers and grid operators. Suppliers do not take the privacy aspect of the consumer data seriously. Customers can only get their usage information through poorly secured websites. The communication channel for local meter configuration is not secured sufficiently: consumers might even be able to reconfigure their own meters.

Also, the communication channels that are used between the smart meter and gas or water meter are often not sufficiently protected against data manipulation. It is important that communication at all stages, starting from the configuration of the meter to the back-end systems and websites, is encrypted using proven technologies and protected by proper authentication mechanisms.


Refer here to download the full report.

Friday, July 8, 2011

Microsoft BitLocker Administration and Monitoring (MBAM)

Enterprise solution which streamlines management

According to Microsoft, organizations around the world rely on BitLocker Drive Encryption and BitLocker To Go to protect data on Windows 7 PCs and portable storage devices. To make large-scale BitLocker implementations easier to manage, enterprises turn to Microsoft® BitLocker® Administration and Monitoring (MBAM).

Microsoft BitLocker Administration and Monitoring enhances BitLocker by simplifying deployment and key recovery, centralizing provisioning, monitoring and reporting of encryption status for fixed and removable drives, and minimizing support costs.

Simplify BitLocker provisioning and deployment

Microsoft BitLocker Administration and Monitoring can provision BitLocker as part of your Windows 7 upgrade or configure BitLocker deployment to take place after the operating system is installed. Using the additional Group Policy controls in MBAM, it is easier for IT to provision BitLocker specific to their business needs. The controls are checked regularly at intervals set by an IT administrator and any changes are applied immediately.

Additionally, the hardware-blocking feature can be used to identify BitLocker-capable computers and exclude specific hardware that you don’t want encrypted.

Improve compliance

With out-of-box reports that detail compliance with corporate-defined BitLocker policies, IT can get a better view of compliance status for the organization or for individual devices, and easily determine whether lost or stolen devices were encrypted. IT staff can also create custom compliance reports using built-in SQL Server Reporting Services tools to show them just the information that they need to see.

MBAM also provides the ability to store BitLocker recovery keys in an encrypted database with granular access controls and creates an audit trail of who has accessed recovery key information, keeping this information protected and only accessible to the right people in the organization.

Reduce support costs
By reducing the burden on IT staff and making it easier for them to support end users, MBAM helps to reduce the support costs and gets the end users up and running quickly if a problem arises.

With a secure, web-based key recovery portal, it is easy for authorized help-desk staff to support end users who need to recover a BitLocker-enabled machine. MBAM also automates the pre-BitLocker setup steps and lets end users perform basic tasks themselves, such as starting the encryption process and managing their BitLocker PIN, without giving them administrator rights.

MBAM will be available in Q3 2011 and a beta version of Microsoft BitLocker Administration and Monitoring is now available for download here (Windows Live ID required).

Monday, May 16, 2011

Encryption: Neither improves security postures nor decreases risk?

Outsourcers blamed for most data breaches in Australia

Australian IT managers have shunned platform-based encryption technology, claiming that it neither improves security postures nor decreases risk, according to a Ponemon Institute survey.

The survey on encryption trends was funded by Symantec. It polled 477 Australian IT professionals with an average of nine years IT security experience who worked in roles that “directly implemented encryption technologies”.

Eighty-eight percent had “declining impressions” of the ability of platform-based encryption to improve the “effectiveness and efficiency” of IT security.

But most of the 21 percent who used platform-based encryption said it improved security.

Of those using the technology, most said it reduced operational costs and redundant administrative tasks, and provided consistent policy enforcement across applications.

About a quarter of respondents to the survey said their business had more than five data breach incidents in 2010, slightly more than those who reported none.

Ninety percent reported that loss or theft of sensitive information was likely, ahead of probable unauthorised access to virtualised systems, and network malware infections.

A separate study run and funded by the same organisations blamed outsourcers for most data breaches in Australia.

It found that the average cost of a data breach was $2 million, a figure unchanged over the last 12 months.

The study polled 19 Australian companies that lost between 3,200 and 65,000 records last year.

Each lost record cost an average of $128, and total repatriation costs tipped $4.2 million - up 5 percent since 2009.

The Ponemon Institute’s first data breach study ran in the US in 2005.

Wednesday, April 27, 2011

Join the Data Encryption Summit

Free Online Event on May 5th

The simultaneous increase in data volume and access endpoints has created a data security landscape clogged with data and riddled with uncertainty. Many security professionals are looking to encryption tools to protect sensitive personal and corporate data, but it can be challenging to implement effectively.

Register for the free online BrightTALK Data Encryption Summit to stay up-to-date on the latest best practices for using encryption to achieve maximum security through different products, solutions and use cases.

Sign up to attend the live, interactive webcasts on May 5, 2011, or view them afterward on demand here:
http://bit.ly/eh1Vmq

Presentations include:

"Encryption & the New Social Media”
Marc Sel, PwC Enterprise Advisory Services, Director of Information Protection

"Epic Battle: Compliance vs. Security”
Dr. Anton Chuvakin, Security Warrior Consulting; Rebecca Herold, Rebecca Herold & Associates; Boris Segalis, Information Law Group; Josh Corman, The 451 Group

"Social Media Security: Adoption, Adaptation and Adversaries”
Josh Corman, The 451 Group; Bradley Anstis, M86 Security; Daniel Peck, Barracuda Networks; Tom Eston, SecureState

"Protecting Corporate Assets: Best Practices for Data Encryption"
Sandra Gittlen, SLG Publishing; Winn Schwartau, Mobile Active Defense; Steve Orrin, Intel; Phil Hochmouth, IDC

"Using Encryption in a Safe Manner”
Jeff Reich, Director of Operations, Institute for Cyber Security, The University of Texas at San Antonio

"Encryption & Tokenisation: Friend or Foe?”
Gary Palgon, VP Product Management, nuBridges

You can view the full lineup and sign up to attend any or all presentations at
http://bit.ly/eh1Vmq.

This summit is part of the ongoing series of thought leadership events presented on BrightTALK™. I hope you are able to attend.

Friday, February 26, 2010

Using TrueCrypt for disk encryption

How to use TrueCrypt for disk encryption

You're well aware of the benefits provided by encryption, but many organizations don't have the budget or resources to purchase an expensive encryption tool. In this TechTarget screencast, learn about a free open-source disk encryption tool.

Learn how to use this tool not only to create an encrypted volume, but also a hidden volume inside it as an additional data protection measure.

Friday, November 13, 2009

AES - Cracked or Broken?

Is AES Encryption Crackable?

The Advanced Encryption Standard (AES) system was long believed to be invulnerable to attack, but a group of researchers recently demonstrated that there may be an inherent flaw in AES, at least theoretically.


The study was conducted by the University of Luxembourg's Alex Biryukov and Dmitry Khovratovich, France's Orr Dunkelman, Hebrew University's Nathan Keller, and the Weizmann Institute's Adi Shamir.

In their report, "Key Recovery Attacks of Practical Complexity on AES Variants With Up to 10 Rounds," the researchers challenged the structural integrity of the AES cipher. They suggest that AES may not be invulnerable and raise the question of how far AES is from becoming insecure. The attacks are related-key attacks on reduced-round variants of the cipher: the attacker must be able to obtain encryptions under several keys that differ in a chosen way, a capability ordinary protocols do not hand an attacker, and the full-round cipher as standardized is not broken by them. "The findings discussed [in the report] are academic in nature and do not threaten the security of systems today," says AppRiver's Fred Touchette. "But because most people depend on the encryption standard to keep sensitive information secure, the findings are nonetheless significant."

AirPatrol CEO Ozzie Diaz believes that wireless systems will be the most vulnerable because many investments in network media are wireless, and there is no physical barrier to entry. Diaz says that exposing the vulnerability of the AES system could lead to innovations for filling those gaps.

Touchette says that AES cryptography is not broken, and notes that the latest attack techniques on AES-192 and AES-256 are impractical outside of a theoretical setting.

Refer here to read more details about the research.

Monday, August 31, 2009

New Attack Cracks Common Wi-Fi Encryption in a Minute

Reason to dump WPA with TKIP and start using AES (CCMP) encryption.

Hiroshima University's Toshihiro Ohigashi and Kobe University's Masakatu Morii say they have developed a way to break the Wi-Fi Protected Access (WPA) encryption system used in wireless routers in about one minute.


Last November, researchers demonstrated how WPA could be broken, but the Japanese researchers have taken the attack to a new level. The first attack worked on a smaller range of WPA devices and required between 12 and 15 minutes to execute. Both attacks work only on networks that use the Temporal Key Integrity Protocol (TKIP) cipher; neither works against networks using the AES-based CCMP cipher that WPA2 certification requires products to support, but a WPA2-capable device that is configured for TKIP is still affected. Note also what "break" means here: the attack recovers the TKIP integrity (MIC) key and lets the attacker decrypt short frames sent from the access point to a client and forge a small number of packets; it does not recover the network passphrase or the pairwise master key. Wi-Fi Alliance's Kelly Davis-Felner says WPA with TKIP was developed as a type of interim encryption method when Wi-Fi was first evolving, and Wi-Fi-certified products have had to support WPA 2 since March 2006.

There's certainly a decent amount of WPA with TKIP out in the installed base today, but a better alternative has been out for a long time. Most enterprise Wi-Fi networks feature security software that would detect the man-in-the-middle attack but the development of a practical attack against WPA should give people a reason to dump WPA with TKIP and start using AES.
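The practical fix the post recommends is to stop offering TKIP at all. As an added example (not from the article or from the researchers), here is a small Python audit that parses hostapd.conf settings and flags configurations that still expose TKIP or WPA version 1, with the weak configuration shown beside the hardened one. Both configuration fragments are constructed for the example, and the checks cover only the wpa, wpa_pairwise and rsn_pairwise settings explicitly present in the file.

```python
# Constructed hostapd.conf fragments (not from any real deployment). The weak
# one still offers WPA (version 1) and the TKIP cipher; the hardened one is
# WPA2/RSN with CCMP (AES) only.
WEAK_HOSTAPD_CONF = """\
interface=wlan0
ssid=corp-wifi
# wpa=3 enables both WPA (1) and WPA2 (2)
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP TKIP
"""

HARDENED_HOSTAPD_CONF = """\
interface=wlan0
ssid=corp-wifi
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""


def parse_hostapd(text: str) -> dict:
    """Return the key=value settings of a hostapd.conf as a dict.

    Lines starting with '#' and blank lines are ignored; the last
    occurrence of a key wins, as in hostapd itself.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_tkip(text: str) -> list:
    """Return a list of findings; an empty list means no TKIP/WPA1 exposure."""
    cfg = parse_hostapd(text)
    findings = []

    wpa = cfg.get("wpa", "0")
    if wpa in ("1", "3"):
        findings.append(f"wpa={wpa}: WPA (version 1) is enabled; set wpa=2 for WPA2/RSN only")
    elif wpa == "0":
        findings.append("wpa=0: neither WPA nor WPA2 is enabled (open or WEP network)")

    # wpa_pairwise applies to WPA (1), rsn_pairwise to WPA2 (2); TKIP in either
    # list lets a client negotiate the broken cipher.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = cfg.get(key, "").split()
        if "TKIP" in ciphers:
            findings.append(f"{key}={' '.join(ciphers)}: TKIP offered; allow only CCMP")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_HOSTAPD_CONF), ("hardened", HARDENED_HOSTAPD_CONF)):
        print(f"[{name}]")
        for finding in audit_tkip(conf) or ["no TKIP/WPA1 exposure"]:
            print("  -", finding)
```

Run it against a real hostapd.conf by reading the file into `audit_tkip`; an empty result means the access point will not negotiate TKIP with any client. The same three settings are the ones to check in vendor GUIs that expose them under names like "WPA/WPA2 mixed" and "TKIP+AES".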

Refer here to read full details.

Wednesday, July 23, 2008

How to Perform Cryptanalysis with Rainbow Tables

Break (almost) any hash into cleartext using cryptanalysis with rainbow tables

In this tutorial, I'm going to explain how to break (almost) any unsalted hash into cleartext using cryptanalysis with rainbow tables.

So first, let's look at a hash, specifically an MD5 hash. A standard MD5 hash is 32 hexadecimal characters long (0-9 and a-f), which encodes 128 bits. Another standard hash, less commonly used for passwords, is SHA-1, which is 40 hex characters (160 bits). The idea behind hashing is that you input a string (your password) and a fixed-size digest pops out. A hash is not encryption, so there is nothing to "decrypt": the function is designed so that the input cannot be recovered from the output (the weaknesses found in MD5 and SHA-1 concern finding collisions, not recovering a preimage), so the only way to crack it is to hash candidate passwords until one produces a matching digest. Note that everything below assumes the hash is unsalted; if a per-user random salt was mixed into the input, a table precomputed over bare passwords is useless and you are back to per-hash brute force.

Common ways of creating lots of hashes (with the intent to find a match to the target hash) are brute-forcing and using a wordlist. Brute-force will come up with every string possible and hash it. If you keep a brute-force on long enough (this can take anywhere from a few hours to a few centuries - not kidding), you will eventually find a match, therefore cracking the hash. This is impractical, as most of us don't have access to university or government supercomputing grids.

The second method of cracking a hash is by using a wordlist. Wordlists use the same principle as brute-forcing, except that they check the hash against a list of commonly-used passwords. Some wordlists are just dictionaries, while others are planned out and target certain genres of words. Wordlists work surprisingly well, mostly because people use passwords like "password" or "1234567890".

The third and perhaps most effective method of hash cracking is to use rainbow tables, which I am going to explain today. A rainbow table is a time-memory trade-off: the brute-force work is done once, up front, and stored in compressed form (chains of alternating hash and "reduction" steps, of which only each chain's start and end points are kept), so that looking up a single hash later takes anywhere from a few seconds to a few days instead of the full brute-force time. How long depends on the size and coverage of your tables: a larger table (more chains, or longer chains) covers more of the keyspace and gives a greater chance of a successful crack, but trades off for a larger file size and a longer lookup time. It's up to you to find the balance.

Okay, enough background information; let's get started with learning how to use rainbow tables. The best program for our task is "rcrack", which is available here as an open source project (note that rcrack and the programs bundled with it are command-line only). Also, grab some free rainbow tables from here. You'll find most downloads for the tables themselves in BitTorrent format due to their sheer size. Never execute cracking programs that come "pre-packaged" with table torrents, as they are frequently trojaned; the tables themselves are just data, but always download the programs from their official sites.

The third and final thing you need is a decent character set file; it tells rcrack which characters the candidate passwords are drawn from, and it must match the charset the tables were generated with. The best one I've found is by Ramius Kahn, which has been mirrored here.

Now that you've got your rainbow tables downloaded, rcrack ready, and a decent charset, there's just one final step before you can use these tables. Using the sorting tool included in the rcrack package (rtsort; run it with no arguments to see the commands), you must sort each rainbow table by its chain end points. Sorting is what lets a lookup be done by binary search rather than a linear scan of the whole file, and it matters enough to the efficiency of the cryptanalysis that rcrack will reject any rainbow tables that aren't sorted.

Now we are ready to crack! Run rcrack with no arguments to learn the commands. Input the hash(es) you wish to crack using the appropriate method, and go outside for a few hours. It will tie up your CPU and hard drive (it's pretty resource-intensive), so either do something else, or watch intently at the pretty scrolling text. Hopefully, a recovered plaintext will pop out at the end, leaving you with a mild case of the lulz.

Rcrack is pretty finicky sometimes, so if you have any questions or are getting some nasty error, please refer to the documentation. Good luck, and happy hashing!
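To make the chain mechanics concrete, here is an added example, written for this page and not part of the tutorial or of rcrack, of a toy rainbow table in Python over a 3-character keyspace (lowercase letters and digits) and unsalted MD5. The reduction function, chain length and number of chains are choices made for the example; real tables use much larger keyspaces and millions of chains, but the build and lookup logic is the same. It also shows why a salt defeats the table: the salted hash lies outside the precomputed space and the lookup fails.

```python
import hashlib
import string

CHARSET = string.ascii_lowercase + string.digits   # 36 symbols
PW_LEN = 3                                         # toy keyspace: 36**3 = 46656 candidates
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 100                                    # hash/reduce steps per chain


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def int_to_pw(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a candidate password."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def reduce_hash(digest_hex: str, column: int) -> str:
    """Reduction function R_column: fold a digest back into the keyspace.

    Mixing in the column index is what makes this a rainbow table rather
    than a classic Hellman table: two chains only merge if they collide in
    the same column, which keeps coverage high for a given table size.
    """
    return int_to_pw((int(digest_hex, 16) + column) % KEYSPACE)


def build_table(num_chains: int, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains; store only (end point -> start point)."""
    table = {}
    for i in range(num_chains):
        # 7919 is prime and coprime to 36**3, so the start points are distinct.
        start = int_to_pw((i * 7919) % KEYSPACE)
        pw = start
        for col in range(chain_len):
            pw = reduce_hash(md5_hex(pw), col)
        table.setdefault(pw, start)   # merged chains share an end; keep the first
    return table


def crack(target_hex: str, table: dict, chain_len: int = CHAIN_LEN):
    """Look up an unsalted MD5 hash. Returns the password or None."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: the target digest sits in column `col` of some chain.
        # Apply R_col and walk the rest of the chain to find its end point.
        pw = reduce_hash(target_hex, col)
        for c in range(col + 1, chain_len):
            pw = reduce_hash(md5_hex(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        # Regenerate that chain from its start and look for the real preimage.
        pw = start
        for c in range(chain_len):
            h = md5_hex(pw)
            if h == target_hex:
                return pw
            pw = reduce_hash(h, c)
        # Otherwise a false alarm (chain merge); keep trying earlier columns.
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the keyspace the table can actually crack.

    Chains dropped as duplicates in build_table are not regenerable from
    the stored start points, so they do not count.
    """
    seen = set()
    for start in table.values():
        pw = start
        for c in range(chain_len):
            seen.add(pw)
            pw = reduce_hash(md5_hex(pw), c)
    return len(seen) / KEYSPACE


if __name__ == "__main__":
    table = build_table(2000)
    print(f"{len(table)} chain ends stored, covering {coverage(table):.1%} of {KEYSPACE} candidates")
    # Pick a password that is known to lie in a chain (column 10 of the chain starting at 'aaa').
    pw = "aaa"
    for c in range(10):
        pw = reduce_hash(md5_hex(pw), c)
    print(pw, "->", crack(md5_hex(pw), table))
    # The same password with a salt prepended is outside the precomputed space.
    print("salted ->", crack(md5_hex("s4lt:" + pw), table))
```

Two things worth noticing when you run it: 2000 chains of length 100 nominally visit 200,000 positions, but the table covers well under 100% of the 46,656 candidates because chains collide and merge, which is exactly the trade-off the tutorial describes; and `crack` can only succeed for hashes of inputs in the precomputed space, so the salted lookup returns None no matter how large the table is.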

'Cold boot' tools surface

A set of tools for performing 'cold boot' data recoveries has been posted

The tools could allow a user to recover disk encryption keys from a recently powered-down computer, according to the researchers who developed them. The source code for the tools was released earlier this week at the Hackers On Planet Earth (HOPE) conference.

The tools follow a study earlier this year by a group of researchers at Princeton University. The study concluded that, given the right tools, it could be possible to recover disk encryption information from a recently shut-down machine. Because memory chips retain data for a short time after being powered down, an attacker could set the machine into a 'cold boot' and obtain the contents of the memory chips before the machine fully starts up.


Please refer here for further details.
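The reason a raw memory dump yields disk encryption keys is that a running cipher keeps its expanded key schedule in RAM, and the schedule has enough internal structure to be recognised without knowing the key in advance. As an added illustration (not the released tools or the Princeton code), the following Python scans a memory image for AES-128 keys by checking, at every offset, whether the 176 bytes starting there are a valid FIPS-197 key expansion of their first 16 bytes. The memory image is constructed in the example by planting a schedule in pseudo-random filler; the scan assumes an error-free capture, whereas the real tools also correct for bits that decayed before the dump was taken.

```python
import random

AES128_ROUNDS = 10
SCHEDULE_BYTES = 16 * (AES128_ROUNDS + 1)   # 176 bytes of expanded key


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox() -> bytes:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, b = inv, inv
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox[x] = s ^ 0x63
    return bytes(sbox)


SBOX = _build_sbox()
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)


def _next_word(prev: bytes, four_back: bytes, i: int) -> bytes:
    """Compute expanded-key word w[i] from w[i-1] and w[i-4] (FIPS-197 section 5.2)."""
    t = prev
    if i % 4 == 0:
        t = bytes(SBOX[b] for b in t[1:] + t[:1])          # RotWord then SubWord
        t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]        # XOR round constant
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key(key: bytes) -> bytes:
    """Full AES-128 key expansion: 16-byte key in, 176-byte schedule out."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 4 * (AES128_ROUNDS + 1)):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def find_aes128_keys(mem: bytes) -> list:
    """Scan a memory image for AES-128 key schedules.

    Returns [(offset, key)] for every offset where the 176 bytes are the
    expansion of their own first 16 bytes. A random 160-byte tail matching
    the expansion by chance is negligible, so there are no false positives
    on an error-free capture.
    """
    hits = []
    for off in range(len(mem) - SCHEDULE_BYTES + 1):
        key = mem[off:off + 16]
        # Cheap pre-check: w[4] must match before we pay for a full expansion.
        if mem[off + 16:off + 20] != _next_word(key[12:16], key[0:4], 4):
            continue
        if mem[off:off + SCHEDULE_BYTES] == expand_key(key):
            hits.append((off, bytes(key)))
    return hits


def build_demo_image(key: bytes, offset: int, size: int = 4096, seed: int = 7) -> bytes:
    """Constructed memory image: seeded pseudo-random filler with a schedule planted at offset."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(key)
    return filler[:offset] + sched + filler[offset + len(sched):]


if __name__ == "__main__":
    # FIPS-197 Appendix A example key, used here only as a known schedule.
    demo_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    image = build_demo_image(demo_key, offset=1000)
    for off, key in find_aes128_keys(image):
        print(f"AES-128 key schedule at offset {off:#x}: key = {key.hex()}")
```

The same idea extends to AES-192/256 (longer schedules) and, in the Princeton work, to RSA private keys found via their DER structure; the defensive lesson is the one the post draws, that a key in RAM on a powered-on or just-powered-off machine is recoverable, so full-disk encryption only protects a laptop that is actually shut down and has had time to lose its memory contents.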