Townsend Security Data Privacy Blog

What You Need To Know About Encryption & EU Data Privacy Protections!

Posted by Michelle Larson on Sep 16, 2014 2:31:00 PM

Here is a sneak peek at the introduction for the latest regulatory guidance white paper from Townsend Security. For detailed information, download the entire document: Download the EU Data Privacy White Paper

On March 25, 2014, the Article 29 Data Protection Working Party of the European Union issued new guidance on data breach notification and the use of data protection technologies such as encryption and encryption key management. Extending beyond just Internet Service Providers, the new regulations cover all organizations that process, store, or transmit private information of EU citizens. Along with these new regulations come substantial financial penalties for failing to protect sensitive information. These penalties can reach into the tens of millions of euros, depending on the organization’s size and the amount of data compromised.

The European Union does not mandate that all organizations immediately encrypt sensitive data, but the only exemption from data breach notification and financial penalties will be for organizations that use encryption and other security methods to protect the data. Applying these security methods after a breach will not remove the notification requirements or the penalties.

The EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union to protect the privacy of all personal data collected for or about citizens of the EU, especially as that data is processed, used, or exchanged. The following guidelines will help meet these new EU objectives:

Encrypt Data at Rest

Make a full inventory of all sensitive personal information that you collect and store. Use strong encryption to protect this data on servers, PCs, laptops, tablets, mobile devices, and on backups. Personal data should always be encrypted as it flows through your systems, and when you transmit it to outside organizations.

Use Industry Standard Encryption

Use industry standard encryption such as Advanced Encryption Standard (AES, also known as Rijndael). AES is recognized world-wide as the leading standard for data encryption. Never use home-grown or non-standard encryption algorithms.

Use Strong Encryption Keys

Always use cryptographically secure 128-bit or 256-bit AES encryption keys, and never use passwords as encryption keys or as the basis for creating encryption keys. Encryption keys based on passwords will never meet minimum standards for strong encryption keys. Keys should be generated using a cryptographically secure random bit generator (CS-RBG) validated to international standards.

Protect Encryption Keys from Loss

Encryption keys must be stored away from the data they protect and must be securely managed. Manual procedures cannot accomplish the goal of proper encryption key management. Use a professional encryption key management solution to protect keys and to provide different keys for different data protection needs. Key management solutions should implement key creation, management, and distribution, and should be compliant with the NIST FIPS 140-2 standard, which is recognized and accepted worldwide.

Change Encryption Keys Regularly

Using one encryption key for a long period of time can expose you to a breach notification for historical data. Change your encryption keys on a quarterly or semi-annual basis. A good key management solution can automatically change encryption keys at an interval you define.
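The key-handling guidance in the last four sections (CSPRNG-generated 128- or 256-bit AES keys, never password-derived; keys held apart from the data; scheduled rotation; old keys kept so historical data stays readable) can be modelled in a few dozen lines. The code below is an added example, not Townsend Security's code or the Alliance Key Manager API: the `KeyStore` class, its key ids and the `FakeClock` helper are assumptions made for the illustration, and the store is in memory so the example runs offline. In production the same role is played by a key management server or HSM.

```python
"""Added example (not Townsend Security's code): a toy model of the key
lifecycle recommended above, using only the Python standard library."""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

AES_KEY_BITS = 256                       # 128 or 256 bits, per the guidance
ROTATION_INTERVAL = timedelta(days=90)   # "quarterly"; use days=182 for semi-annual


def generate_aes_key(bits: int = AES_KEY_BITS) -> bytes:
    """Draw key material from the OS CSPRNG (secrets -> os.urandom).
    A password is never used here: it has far less entropy than the
    128/256 bits the key length advertises."""
    if bits not in (128, 192, 256):
        raise ValueError("AES keys are 128, 192 or 256 bits long")
    return secrets.token_bytes(bits // 8)


class FakeClock:
    """Test clock so rotation can be exercised without waiting a quarter.
    Hypothetical helper for the example; defaults to a fixed 2014 date."""

    def __init__(self, start: Optional[datetime] = None):
        self.now = start or datetime(2014, 1, 1, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)


class KeyStore:
    """Holds keys by id, separate from any record that references them.
    Records store only the key id, never the key bytes."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None,
                 rotation_interval: timedelta = ROTATION_INTERVAL):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._interval = rotation_interval
        self._keys: Dict[str, Tuple[bytes, datetime]] = {}  # id -> (key, created)
        self._current_id = ""
        self.rotate()

    def rotate(self) -> str:
        """Create a fresh key and make it the one used for new data."""
        key_id = "key-%04d" % (len(self._keys) + 1)
        self._keys[key_id] = (generate_aes_key(), self._clock())
        self._current_id = key_id
        return key_id

    def current(self) -> Tuple[str, bytes]:
        """Return (key_id, key) for new encryptions, rotating first if the
        active key is at least as old as the configured interval."""
        _, created = self._keys[self._current_id]
        if self._clock() - created >= self._interval:
            self.rotate()
        return self._current_id, self._keys[self._current_id][0]

    def lookup(self, key_id: str) -> bytes:
        """Retired keys stay available so data encrypted under them can
        still be decrypted, or re-encrypted under the current key."""
        return self._keys[key_id][0]

    def retired_key_ids(self) -> List[str]:
        """Keys that are no longer used for new data: data still protected
        by them is the "historical data" the rotation advice is about."""
        return [k for k in self._keys if k != self._current_id]


if __name__ == "__main__":
    clock = FakeClock()
    store = KeyStore(clock=clock)
    print("new data is protected with", store.current()[0])
    clock.advance(90)
    print("one quarter later:", store.current()[0],
          "retired:", store.retired_key_ids())
```

The encryption step itself is left out because the standard library has no AES implementation; whichever AES library is used, the point of the model is that the record carries a key id, the key manager carries the key, and a rotation interval is enforced by the store rather than by a calendar reminder.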

Use Strong, Industry Standard Hash Algorithms

Use strong, industry standard secure hash algorithms when protecting passwords and other information. Never use MD5 or other weaker hash methods. Use the SHA-256 or SHA-512 methods for your hash requirements.

Use Keys or Salt with Your Hashes

When using a strong secure hash algorithm, always use an encryption key or random salt to strengthen the resulting hash value. You can use the Hashed Message Authentication Code (HMAC) method with an encryption key or use a strong encryption key under the protection of a key manager as the salt for the hash method.
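Both options named above, HMAC with a key and a key-manager key used as the salt in front of the data, are a few lines each with the Python standard library. The block below is an added example, not code from the white paper; it applies both constructions to a constructed sensitive field so the difference from an unkeyed hash is visible. `FIELD_KEY` is a constructed placeholder: in production the key would be fetched from the key manager at runtime, not stored beside the hashed data.

```python
"""Added example (not from the white paper): keyed hashing of a sensitive
field with HMAC-SHA-256, and with a key used as the salt, versus a plain hash."""
import hashlib
import hmac

# Constructed 256-bit key for the example only (NOT a real secret); a real
# deployment retrieves it from the key manager and never writes it next to
# the hashed records.
FIELD_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def plain_sha256(data: bytes) -> str:
    """Unkeyed hash: anyone who can guess the input can reproduce it, so it
    is not a protection for low-entropy fields on its own."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, data: bytes) -> str:
    """Option 1 from the text: HMAC with an encryption key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def key_salted_sha256(key: bytes, data: bytes) -> str:
    """Option 2 from the text: the key-manager key acts as the salt,
    SHA-256(key || data). HMAC is the better-analysed construction."""
    return hashlib.sha256(key + data).hexdigest()


def protect_field(value: str, key: bytes = FIELD_KEY) -> str:
    """Deterministic keyed token for a field such as an account number:
    records can still be matched on it without holding the value in clear."""
    return hmac_sha256(key, value.encode("utf-8"))


def field_matches(value: str, stored_token: str, key: bytes = FIELD_KEY) -> bool:
    """Constant-time comparison so the check does not leak how many bytes
    of the token matched."""
    return hmac.compare_digest(protect_field(value, key), stored_token)


if __name__ == "__main__":
    account = "ACCT-0000-1234"            # constructed sample value
    print("plain  :", plain_sha256(account.encode()))
    print("hmac   :", protect_field(account))
    print("keysalt:", key_salted_sha256(FIELD_KEY, account.encode()))
    print("match  :", field_matches(account, protect_field(account)))
```

The plain hash of the same value is identical for everyone who computes it; the keyed tokens change entirely with the key, which is why the key, not the hash routine, is what has to be protected.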

For details on the EU Data Protection Directive...

Topics: Alliance Key Manager, Compliance, Encryption, Alliance AES/400, EU Data Privacy Protection, Encryption Key Management, White Paper, Salting, AES Encryption, Hashing

Vimeo, Evernote Take Action after Adobe Data Breach

Posted by Liz Townsend on Dec 16, 2013 2:05:00 PM

But Are They Doing Enough?

Following the Adobe data breach that was reported in October of this year, other internet companies are still asking their users to reset their passwords. Facebook, Evernote, and now Vimeo are among companies who have alerted their users to the dangers of using identical passwords for multiple websites.
The Adobe breach of usernames and passwords is one of the largest in history, exposing upwards of 150 million usernames and passwords. Data breaches that expose this kind of login information are extremely problematic today, since so many people use the same login information for many websites, including banking and healthcare sites. Access to these sites could lead a hacker to uncover information such as a date of birth or even a social security number that could be used for identity theft or fraud. Unfortunately, the Adobe breach could lead to identity theft for millions.

No company wants to be considered the cause of identity theft, which is why these other businesses are taking action to reset user passwords. The big question that comes to my mind, however, is: Are they doing enough? When Adobe revealed the breach, it also brought to light the fact that they had not been using adequate security to protect their customers’ sensitive information. The breach occurred on a backup system where customer data was encrypted using DES encryption (a weak and outdated encryption standard that is no longer recommended for protecting sensitive data). The Secure Hash Algorithm 2 (SHA-2) is the current standard (along with the use of salts to add an extra layer of security) for username and password protection. Using DES encryption goes against best practices when it comes to username and password security, and although Adobe was using SHA-2 to protect most of its users’ data, the backup systems were the ones that were hacked.

It’s difficult to speculate on any company’s security practices, but the precedent of poor security practices when it comes to securing usernames and passwords is widespread. In 2013, several major (and widely publicized) data breaches of user information were traced back to the use of weak and out-of-date hash algorithms. LinkedIn, eHarmony, and LivingSocial all experienced similar, major data breaches earlier this year. The Adobe breach signals that major e-commerce businesses may be ignoring the lesson their peers had to learn the hard way. As we’ve seen, willful ignorance is not a method of data protection.

Besides asking their users to change their passwords, what could Adobe have done, and what can Vimeo, Facebook, and Evernote do now to protect sensitive user information?


  • Update hash algorithms as soon as possible wherever sensitive data is stored. Do NOT use MD5 or SHA-1. These are known to be weak and you should just never use them. Use one of the SHA-2 family of hashes such as SHA-256 or SHA-512.
  • Always use a salt with your hashes, and choose a strong salt value. We recommend adding a minimum of 128 bits of cryptographically strong salt to the password you are hashing.
  • Protect your salt value using a hardware security module (HSM), such as an external key management server. Like encryption keys, the salt value should be protected away from the hashed and salted data.

To learn more about data breach prevention, download the podcast, “How LinkedIn Could have Avoided a Data Breach.”

Topics: Encryption Key Management, Data Breach, Hashing

4 Ways to Get Password Hashing Right

Posted by Patrick Townsend on May 15, 2013 12:42:00 PM

Over the past couple of years we have seen many instances of online companies experiencing major data breaches due to poor or non-existent password hashing techniques. Organizations such as eHarmony, LinkedIn, LivingSocial, and Last.fm have collectively had millions of user passwords stolen. Despite widespread publicity around these breaches, and many reporters calling out the mistakes these companies have made around their hashing techniques, these types of breaches are only becoming more common.


Fortunately, for companies who want to prevent a data breach of their users’ passwords and other personal information, and keep their names out of the headlines, it is fairly easy to do hashing right.

Four things you should do to get password hashing right:

  1. Choose a good quality hash algorithm. Do NOT use MD5 or SHA-1. These are known to be weak and you should just never use them. Use one of the SHA-2 family of hashes such as SHA-256 or SHA-512. Yes, I know about the theoretical weaknesses of the SHA-2 family and that we will soon have a replacement for SHA-2. But use the best you can for now.
  2. Always use Salt with your hashes. A Salt is some extra data that you add to your password (or any other field that you are hashing) to avoid a rainbow table or brute force attack on the hashed value. Adding Salt can make cracking a hashed value much more difficult.
  3. Use a strong Salt value. Using a few characters such as a GUID or short hex string won’t really give you that much additional protection. I would recommend adding a minimum of 128 bits of cryptographically strong Salt to the password you are hashing. We use a 256-bit value in our applications. Using an encryption key might be an excellent choice for your Salt value if it is provably cryptographically strong.
  4. Protect your Salt. Leaving the Salt value lying around in a user file or in the clear is a really bad idea. An attacker who has easy access to the Salt value can efficiently attack the hashed value. You must protect the Salt value as you would an encryption key by using an external key management hardware security module (HSM).
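Putting the four steps together (and the same three bullets in the Vimeo/Evernote post above) in code, as an added example rather than Townsend Security's own implementation: SHA-256 from the SHA-2 family, a per-user random salt of at least 128 bits from the CSPRNG, and a second 256-bit secret that is held in the key manager and applied as an HMAC key, so that the password table on its own is not enough to check guesses against. The `PasswordTable` class, the `sha256$salt$digest` storage format and `PROTECTED_SALT_KEY` are assumptions made for the illustration; the key is a constructed placeholder that a real deployment would fetch from the key manager or HSM at runtime.

```python
"""Added example (not Townsend Security's code): salted, keyed SHA-256
password hashing following the four steps, standard library only."""
import hashlib
import hmac
import secrets

MIN_SALT_BITS = 128  # the minimum the post recommends per password

# Constructed 256-bit secret for the example only (NOT a real key). This is
# the "protected salt" of step 4: it lives in the key manager/HSM and is
# never written to the table that holds the hashes.
PROTECTED_SALT_KEY = bytes.fromhex(
    "6a09e667bb67ae853c6ef372a54ff53a510e527f9b05688c1f83d9ab5be0cd19"
)


def hash_password(password: str, protected_key: bytes, salt: bytes = None) -> str:
    """Return 'sha256$<salt hex>$<digest hex>'.
    salt: per-user random value (step 2/3); generated here if not supplied.
    protected_key: the key-manager secret used as the HMAC key (step 4)."""
    if salt is None:
        salt = secrets.token_bytes(MIN_SALT_BITS // 8)   # CSPRNG, not a GUID
    if len(salt) * 8 < MIN_SALT_BITS:
        raise ValueError("salt must be at least %d bits" % MIN_SALT_BITS)
    digest = hmac.new(protected_key, salt + password.encode("utf-8"),
                      hashlib.sha256).digest()
    return "sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str, protected_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        alg, salt_hex, _ = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if alg != "sha256":
        return False
    recomputed = hash_password(password, protected_key, salt)
    return hmac.compare_digest(recomputed, stored)


class PasswordTable:
    """Minimal user store: holds only salted, keyed hashes. The protected
    key is passed in, standing in for a lookup from the key manager."""

    def __init__(self, protected_key: bytes = PROTECTED_SALT_KEY):
        self._key = protected_key
        self._rows = {}

    def register(self, username: str, password: str) -> str:
        self._rows[username] = hash_password(password, self._key)
        return self._rows[username]

    def login(self, username: str, password: str) -> bool:
        stored = self._rows.get(username)
        if stored is None:
            # Unknown user: run a dummy check so timing does not reveal
            # which usernames exist.
            hash_password(password, self._key, b"\x00" * (MIN_SALT_BITS // 8))
            return False
        return verify_password(password, stored, self._key)


if __name__ == "__main__":
    table = PasswordTable()
    print(table.register("alice", "correct horse"))   # constructed sample
    print(table.register("bob", "correct horse"))     # same password, new salt
    print(table.login("alice", "correct horse"), table.login("alice", "wrong"))
```

Two users with the same password get different rows because each gets its own random salt, and a copy of the table plus the code is still not enough to test candidate passwords without the key held in the key manager. If a work factor is also wanted, the standard library's `hashlib.pbkdf2_hmac("sha256", password, salt, iterations)` iterates the same SHA-256 construction and drops in at the digest step.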

If you take these four steps you will have a much more secure and defensible strategy for hashed passwords, which will take you a long way down the road to better security of users’ sensitive information.

Patrick

Topics: password, Hashing