Last week was a terrible week for password breaches. First LinkedIn revealed that ~6.5 million password hashes were posted online. Hot on its heels came the news that online dating website eHarmony and streaming music site Last.fm had suffered similar breaches.
Are these breaches a surprise? No, not really. Websites entice customers by offering compelling features and services, and customers are rarely willing or able to compare the security properties of competing services. Even if a website uses SSL to protect a password in transit, the password will typically be exposed on web servers and datacentre networks every time it is supplied by the user before it is hashed for comparison.
Continue reading "The death of the password?" »
In the U.S., the state government in Massachusetts requires companies to report when they've lost sensitive information about their employees, customers or other key constituencies.
This week, for the first time, Massachusetts reported back as to what companies have been saying. According to a Boston Globe story, almost half of Massachusetts residents have had their personal information, such as social security and credit card numbers, compromised.
According to the story, Massachusetts companies are further required to encrypt data that is placed on portable devices, but most lost or stolen devices are not encrypted.
Continue reading "Storage encryption still lacking despite enhancements in technology and standards" »
If you want to use encryption, you need to use keys. A key is (or rather should be) a random number that can encrypt or decrypt your information. A strong key is strong because the random nature of the chosen number means it could lie anywhere on a virtually endless number line. As readers of this blog will know, once you have a strong key, effective key management is essential to ensure the data it protects remains secure.
A recent study (which I referenced in a previous post) found that a small percentage (0.38%) of over 7 million public keys share a common factor and consequently can be easily compromised. As Bruce Schneier recognises in his blog post, these 'weak' keys were almost certainly created with a poor random number generator. A poor random number generator does not create 'random' numbers, only 'pseudorandom' numbers, i.e. numbers generated by a predictable process. Keys based on pseudorandom numbers are liable to compromise, meaning that data encrypted with such keys is not secure.
Continue reading "Random or pseudorandom?" »
Just last week a new example of the consequences of inadequately protected signature keys came to light. As reported in Network World, Kaspersky Lab discovered that a recently distributed Trojan, Mediyes, was digitally signed using a stolen private signature key whose digital certificate was owned by Swiss firm Conpavi AG.
The Network World story notes how digitally signed code is assessed more favorably by anti-virus vendors from a risk perspective, so stealing the key and creating a perfectly valid signature on the code helps further promulgate the nefarious Trojan before it can be detected.
Continue reading "Mediyes Trojan Shines Spotlight on Mismanaged Signature Keys" »