Tom Olzak

Archive for the ‘Encryption’ Category

Is Encryption a Right?

In Access Controls, Application Security, Encryption, Government on July 8, 2015 at 04:00

With governments beginning to make noise again about weakening encryption, several security professionals have come out against any moves to do this.  But does government have the right to take away our right to privacy?

Absolute privacy can be a national security issue.  But so is weakening business and critical infrastructure security in the name of protecting society.  The question I’ve been asking myself is whether strong encryption is a right: a right no government has the “right” to take from us.

In the U.S., our government has repeatedly resisted demands to limit the strength of encryption via things like backdoors and weak algorithms.  In the 1990s, when these issues were dealt with, many believed the “crypto wars” were over.

“But they may not have realized that we would be on the brink of a similar battle over the right to use strong encryption some 15 years later. That’s why the key takeaway from the conflict is that weakening or undermining encryption is bad for the U.S. economy, Internet security, and civil liberties—and we’d be far better off if we remembered why the Crypto Wars turned out the way they did, rather than repeating the mistakes of the past” (Danielle Kehl, 2015).

It’s time to resolve this.  Congress and the People need to decide whether absolute privacy is a right in view of the internal and external threats we face as individuals, as organizations, and as a nation.  When deciding, we should keep in mind the following:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (4th Amendment of the U.S. Constitution).

Whatever we decide, a balance must be struck between security and our right to manage our lives as we see fit without interference by government.  The only exception is when living as we choose causes harm to others.

Good luck with mobile malware defense

In Encryption, Mobile Device Security, Smartphones, Windows Mobile on July 21, 2009 at 09:21

Looking for softer targets, black hats are stepping up their efforts to take over your smartphones and wireless PDAs.  It was only a matter of time before these devices, once falling below the radar of financially motivated cybercriminals, began to look like softer targets than increasingly hardened enterprise networks.  So what can we do about it? 

In a paper published in March of 2005, I wrote about the potential for mobile device compromise.  However, the risk of anything other than Microsoft Mobile infections was very small at the time.  Even so, Microsoft Mobile devices didn’t carry much more risk than their Symbian-based cousins.  But now things have changed.  Smartphones which use Symbian OS—the vast majority—are facing a very real risk of becoming part of a “mobile botnet.”

A new worm known as Sexy View/Sexy Space, once installed on a phone, communicates back to a controlling server.  Connection to the server allows a black hat to communicate commands to one or more infected devices.  This is the basic requirement for a botnet.  Now your users’ cell phones, too, can eventually participate in the same botnets as their PCs.

Protection for cell phones has lagged far behind solutions created for laptops and desktops.  What this means is there are almost no solutions for enterprise anti-malware protection—defined as a solution which uses a central console to configure, monitor, and ensure up-to-date protection across all mobile devices.  However, there are some things you can do to protect your organization’s smartphones and sensitive data residing on them.

  1. Choose devices which can be configured to only allow download and installation of software verified as safe.  Apple’s and RIM’s online stores for the iPhone and Blackberry devices, respectively, are good examples.  But this isn’t a knock-out punch for mobile malware, as Symbian discovered with Sexy View and Sexy Space.  The purveyors of this new malware actually got the software approved by the Symbian online store.
  2. Anti-malware for mobile devices has been available for some time.  McAfee has primarily focused on Windows Mobile devices, but is moving into the Blackberry space.  Kaspersky has a very robust solution for phones running Symbian 9.1, 9.2, and 9.3.  Most business class solutions cost around $30 per year per device and are updated by direct connection to the AV software vendor.  (Free products are available for personal use.)  Products usually include a firewall and often provide data encryption capabilities.

Security vendors are making progress, but until a true enterprise solution is available, security management of hundreds or thousands of handheld devices is very difficult.  We can always use policy (e.g., Blackberry Enterprise Server) to deny the download and installation of all third party apps.  However, this won’t be a long-term answer as tech-savvy users at all levels—including executive management—start to push back hard when these types of policies are rolled out.


Which cryptographic algorithms to use and those to avoid

In Data Security, Encryption, Risk Management on March 18, 2009 at 11:35

Researchers at Fortify Software have written a Crypto Manifesto, in which they make algorithm recommendations for:

  • Cryptographic hashes
  • Encryption and encoding
  • Symmetric and public keys
  • Pseudo-random number generators

The table below summarizes the manifesto’s assertions, with details about why a certain algorithm falls into the use or not-use column included in the Fortify document.


Windows Mobile Protection on a Smart Card

In Encryption, Smartphones, Windows Mobile on March 6, 2009 at 10:53

certgate’s Protector for Smartphones proves you don’t need complex solutions to protect sensitive information.

certgate Protector for Smartphones
