Townsend Security Data Privacy Blog

Jacob Ewing

A Letter to Homegrown Data Protection

Posted by Jacob Ewing on Feb 19, 2013 1:38:00 PM

Dear Homegrown Data Protection,

I wanted to write you a letter to say thank you for being an option in our company’s quest to find an encryption solution that works for us.  You have some neat algorithms and some pretty cool features that we haven’t seen before.  However, just because you look secure and have a bit of sparkle around doesn’t mean that we’re ready for you to protect our sensitive data.

Sure, you seem like a great idea on paper; you’re cheap up front, you’re pretty sure that you can help us meet all of our compliance regulations, and your algorithms seem to make you just as secure as anything else on the market.  What’s not to like?  Still, I feel that you might be missing something in a few key areas.  Before you start encrypting our data there are three things I want to ask you about.

First off, how are you planning on securing our sensitive data?  Are you planning on scrambling, masking, or actual encryption?  Scrambling sounds great in theory, but if all your program is going to do is mix up the letters and numbers, I’m not sure how comfortable we would feel about that.  When it comes down to choosing between data scrambling and data encryption, encryption is going to be much more secure.  There are widely accepted encryption algorithms out there like AES or Triple DES that you could use to be sure our data will stay safe.  AES has been around since 2001, and is the de facto encryption algorithm to use.  Its strength lies in its 128-bit, 192-bit, and 256-bit encryption keys.

That brings up the next point: how are you going to manage the keys?  Where are you going to keep them?  Who is going to handle them?  In order to be compliant with many regulations, we will need a solution that has dual control, meaning that at least two people need to authenticate a process before a key can go to work.  It will need separation of duties, which keeps the people handling the key away from the people handling the sensitive data, and vice versa.  Now this isn’t always easy to implement on some operating systems, and on some it’s nearly impossible.  One way to accomplish that would be to use a hardware security module (HSM).  HSMs allow companies to keep their keys separate from their sensitive data, and out of the hands of anyone who might break into their system.

Lastly, is your encryption solution going to be NIST Certified?  If you haven’t heard of the National Institute of Standards and Technology (NIST) you might want to check them out.  Being NIST certified means that your product follows proper cryptographic implementation standards, and meets best practices for security.  Every solution that has gone through the NIST certification process has been through a series of rigorous and complex tests to find even the smallest error that could cause the encryption algorithm to fail.  Your algorithms look fine and have some pretty cool features, but we are looking for something that is going to stand the test of time.

Again, I really appreciate you being an encryption option, but when it comes to protecting data we want to be sure that we are getting the right thing.  Give us an encryption solution that is secure, stable, and certified.

Sincerely,

Jacob
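
The dual control and separation of duties requirements from the letter's key management paragraph, as an added example (not code from the original post or from Townsend Security): the key is split into two XOR shares held by two custodians, and a gate releases it only when both present their shares and neither custodian is a data handler. `DualControlGate`, `split_key`, `key_check_value` and the custodian names are hypothetical, and the hash fingerprint is a simplified stand-in for a key check value; a production system would enforce this inside an HSM or key manager.

```python
import hashlib
import hmac
import secrets


def split_key(key):
    """Split a key into two XOR shares; either share alone is random noise."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def key_check_value(key):
    """Short fingerprint kept by the gate so a rebuilt key can be verified
    without the gate ever storing the key (simplified stand-in for a KCV)."""
    return hashlib.sha256(b"kcv:" + key).hexdigest()[:16]


class DualControlGate:
    """Hypothetical release gate: two named custodians, no data handlers."""

    def __init__(self, kcv, custodians, data_handlers):
        custodians = set(custodians)
        if len(custodians) != 2:
            raise ValueError("dual control needs exactly two distinct custodians")
        if custodians & set(data_handlers):
            raise ValueError("separation of duties: a custodian handles data")
        self.kcv, self.custodians = kcv, custodians

    def release(self, submissions):
        """submissions maps custodian name -> the share that person presents."""
        if set(submissions) != self.custodians:
            raise PermissionError("both custodians must present a share")
        share_a, share_b = submissions.values()
        if len(share_a) != len(share_b):
            raise ValueError("shares do not match the enrolled key")
        key = bytes(a ^ b for a, b in zip(share_a, share_b))
        if not hmac.compare_digest(key_check_value(key), self.kcv):
            raise ValueError("shares do not match the enrolled key")
        return key


def demo():
    key = secrets.token_bytes(32)              # constructed 256-bit key
    share_a, share_b = split_key(key)          # handed to alice and bob
    gate = DualControlGate(key_check_value(key), ["alice", "bob"], ["carol"])
    return gate.release({"alice": share_a, "bob": share_b}) == key


if __name__ == "__main__":
    print("key released under dual control:", demo())
```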


2012 Data Security in Review

Posted by Jacob Ewing on Feb 15, 2013 8:06:00 AM

2012 was a big year; we survived an apocalypse, screamed our lungs out at the Olympics, and watched another big election year come and go.  However, in the midst of all the hullabaloo people’s lives were being wrecked, computers stolen, and governments attacked.  With each new cyber attack, security breach, and internet scam the world of tech got a bit more scary for all of us.

Below are five stories that I feel best capture the state of data security in 2012.

#1 - Apple+Amazon Personal Information Protocol

In the early part of August, Mat Honan, a well-known tech writer, released an article on Wired that detailed how in 1 hour his entire digital life was taken over and erased.  His information was not stolen through a hack; rather, the two perpetrators tricked Apple and Amazon customer service representatives (CSRs) into believing that they were Mr. Honan, and the representatives then gave them access to his personal information.  The thieves were then able to access, control, and wipe his iPhone, MacBook, and many of his online accounts.  His tech and online life had been hijacked from just a few calls to two companies.

I won’t detail the specifics here, but I will point out that this was a relatively easy loophole to exploit.  Honan explained that he was also able to do it multiple times with other people’s accounts (in a controlled environment).

With the publication of the story both Amazon and Apple have since changed how they handle phone access to personal information.  Amazon CSRs will no longer be able to change the settings on credit cards and email addresses over the phone.  Apple is now pointing customers to use its online ‘iforgot’ system to recover passwords.  This system requires much more personal information than their previous solution.

In the end Honan was able to recover a majority of his personal data that had been erased.

#2 - South Carolina Department of Revenue (DoR) Breach

On August 13th an employee at the South Carolina DoR opened a malicious phishing email and clicked the link in it.  The link then executed malware that infected the employee’s computer, giving the hacker access to their username and password.  Two weeks later, the hacker entered the system remotely by using the credentials that they had previously obtained.

During the following month the hacker was able to access the entire DoR system without being detected.  To do this the hacker used 4 legitimate usernames and passwords and 33 pieces of malicious code.  The hacker, among other things, was able to access 44 DoR systems and create 7-zip files that contained 74.7 GB of uncompressed data.  That data included almost 3.8 million Social Security numbers and 387,000 credit and debit card numbers.

When the administration of South Carolina broke the news about the breach, they defended their actions by saying they were following industry standards and there was nothing they could have done to prevent the breach.  This, however, was later proved to be a false claim.  If the state had used proper encryption and key management practices, they could have most likely avoided the breach.

The total cost of the breach to the State is around $14 million (a $20 million bailout was approved to help the State cover additional costs).  The total cost to taxpayers both directly and indirectly is yet unknown.

#3 - NASA’s Halloween Trick

Halloween is usually a night where kids can go around the neighborhood getting free candy at nearly every door.  This past Halloween, however, a NASA employee received a nasty surprise in return; somebody had broken into his car in the night and stolen an unencrypted laptop containing personal information of at least 10,000 employees, contractors, and others.  This was the second published breach in 2012 and the third known breach in the past two years.

The director of NASA has offered 1 year of credit monitoring and identity protection to all affected persons.  On top of that he has mandated that all laptops containing personal information must be encrypted by December 21, 2012.

#4 - Nortel’s Hacking Demise

In February a news report was released by the Wall Street Journal detailing how hackers gained access to the usernames and passwords of top-level executives at Nortel (the now-defunct Canadian corporation) in early 2000.  The hackers had access to business reports, internal communications, and employee information.  The hacks didn’t go unnoticed by employees.  In 2004, one employee noticed monthly downloads being made using China IP addresses and the credentials of an executive.  He made numerous recommendations regarding Nortel’s database security, but a decision was later made to only change the compromised passwords.

In 2009 Nortel went bankrupt and sold off its assets to various other companies.  When the report was released in early 2012 the former CEO of Nortel insisted that the vulnerabilities could not have been passed on to those other companies.

A former senior security advisor at Nortel, Brian Shields, said that he was certain that being hacked played a role in the demise of the company: “When they see what your business plans are, that's a huge advantage. It's unfair business practices that really bring down a company of this size.”

#5 - Lieberman, Collins Cybersecurity Bill Shutdown

On November 14, 2012 a piece of cybersecurity legislation was rejected by the Senate in a vote of 51-47.  This was the second piece of cybersecurity legislation rejected in 2012.  Senator Lieberman and Senator Collins proposed the bill to the Senate because of the increasing number of attacks on critical infrastructure in the United States (i.e. banks, utilities, transportation).

Lieberman wrote an op-ed comparing the threat of cyber attacks on America to the surprise attack on Pearl Harbor in 1941.  In his article he quoted defense secretary Leon Panetta saying, “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”

Such attacks have already taken place in the US.  Early last year a Texas water pump was hacked and taken over remotely in 10 minutes.  Several websites of major banks were barraged by a denial of service attack that either knocked them off-line or crippled their performance.  These attacks aren’t exclusive to the US either; a Saudi Arabian oil company had 30,000 of its computers hacked, hindering the company’s operations.

With this latest cybersecurity bill being rejected by the Senate, the US government is shirking the implementation of security measures to prevent widespread attacks.

Data security breaches affect all of us whether we are the Average Joe or a C-Suite level executive.  What can be done individually, as a company, or as a government agency to make sure that 2013 won’t be like 2012 for personal information?

For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person.  Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, as well as the first steps your company should take towards establishing a data privacy strategy.

 

Topics: Data Privacy, Security News