HP won't give the specifics of its implementation, but here's how the idea works: Someone navigates to a Web site that serves up some JavaScript code that runs in the user's browser. That code uses the local storage capacity built into the latest version of browsers like Google Chrome and Internet Explorer. As a result, each user gives up some local storage that holds redundant, encrypted slices of data that together are coordinated and shared by the darknet. As a whole, the information exists so long as the darknet exists.
Saturday, July 11, 2009
New way to communicate privately over Internet
How to communicate privately over the Internet? Use a darknet! No, it's not a shady net. The term was first coined by DARPA and has long been used by the agency. HP is just making it easy to use and bringing it to you and me.
Thursday, July 09, 2009
Cracking SSNs
Using statistical patterns, CMU Researchers predicted the first five digits of a Social Security number 44% of the time.
Researchers leveraged publicly available info for the first five digits (this information is available on the SSN's official website). How hard is it to social engineer the last four digits?
Sunday, June 21, 2009
Are regulations an enabler?
IT governance does include regulations and policies, but they are just a subset and shouldn't be seen as control over IT initiatives.
Monday, June 15, 2009
Heartland's new focus: information sharing
After end-to-end encryption, Heartland is now focusing on information sharing! The result = PPISC (Payment Processing Information Sharing Council). I don't think forming new associations or groups is a solution. The focus should be on identifying leading risk indicators and designing controls so no threat could exploit those vulnerabilities. Anyway, here is Carr's introductory statement (I like his dedication, though!)
Robert O. Carr, chairman and chief executive officer of Heartland Payment Systems™, one of the nation's largest payments processors and a new member organization of FS-ISAC, believes formation of the PPISC is the most effective way to foster communication among payments processors. Carr, a strong advocate of industry collaboration, has been talking to many payments processing leaders about working together to fight cyber criminals and encouraged the formation of PPISC.
Sunday, June 14, 2009
Crypto attack puts digital sign hash on collision course
The researchers at USydney found a way to produce SHA-1 collisions in significantly fewer tries, which may put digital signature attacks well within reach.
The new attack technique combines what's known as a non-linear differential path with a boomerang attack. It decreases the cost of a collision attack by a factor of more than 2,000 compared with previous methods. The paper has not yet been peer reviewed.
Wednesday, June 10, 2009
Tech vs. Human Controls
Technical controls, once designed, operate as intended for several years, whereas human controls need to be trained on a regular basis.
Follow me on twitter @an_gl
Tuesday, June 09, 2009
Current State of Security
Attended Marcus Ranum's session on current (and future) state of security. It was a pleasure to meet him in person.
Sunday, June 07, 2009
Thoughts on NIST 800-53
Just finished reviewing the final revision of NIST SP 800-53. My take: an approach towards harmonizing FISMA with industry standards like ISO 27001/2.
Securing communication
The explosion in system-to-system and human-to-human communication is ballooning the size of the mesh, which is the most critical thing to secure.
Monday, June 01, 2009
First step: define metrics
It's critical to define metrics to know if we're doing a better job, whether it's for securing a company network or the country's infrastructure.
Saturday, May 30, 2009
Being proactive is the best way to secure systems
Security is all about risk: we can never bring risk to zero, and similarly we can never build a foolproof system. But being proactive is the best way to secure systems. The focus should not be on making a system 100% secure. Instead, we should think like a hacker and act before he/she does.
Sunday, May 24, 2009
Information security as enabler
Information security should NOT stop any business activity; instead, it should enable business activity with the help of IS and IT governance.
Monday, May 18, 2009
Our role in information security
We are not getting smarter! We still fall for social engineering; we still click on phishing emails; we still don't patch our systems; we still don't look for the padlock or a secure connection before logging on to our bank account; we still think our account security is our bank's problem.
And the list goes on! Employees and customers play a big role in security. Humans are the easiest targets (since the only controls we have are our judgement, our alertness, and our observational power). We can add layers of the strongest technological controls, but they are of no use if the users of those controls do not pay attention or follow processes.
Saturday, May 16, 2009
Focus on securing "our" assets
In today's interconnected world, securing "my" network is not sufficient. Agencies, businesses, state departments, or any organization that wants to secure its digital assets must coordinate and work together to secure them. Culture needs to change. The focus should be on securing "our" assets.
Thursday, May 14, 2009
New privacy rules for RFID
The European Commission (EC) has asked companies and public authorities to assess the effects on privacy and data protection before deploying RFID and contactless smart card technologies. Other recommendations are as follows:
* RFID tag attached to consumer products should automatically deactivate at the point of sale, unless the consumer agrees to a voluntary option to keep the tag active.
* Public authorities using RFID technology should give consumers clear notice if personal data is being collected.
* Retail groups should promote consumer awareness of RFID-tagged products with a common sign indicating when the technology is being used.
What companies are saying: The practice of deactivating a tag immediately upon purchase of a tagged item unless a consumer expressly opts in is something urged by many consumer advocates. However, many businesses in the RFID sector fought against making an opt-in policy mandatory. Those companies argue that such a requirement would hamper many of RFID's post-sale benefits, such as more efficient recycling and management of warranties and repairs.
Wednesday, May 13, 2009
From operational to governance
Any organization that wants to protect its digital assets, information, and operations must elevate security from the operational level to the governance level.
Organizations cannot win by focusing on day-to-day operations. These activities fall under the scope of management, whereas governance is about defining who will make the decisions and set priorities. Timely and accurate decisions are key to an effective security management program.
Tuesday, May 12, 2009
Next generation of cryptographic solution
Is the RSA algorithm, invented in 1977, losing its power? Will ECC become the de facto cryptographic solution? Or is it too early to predict?
Public-key systems, or asymmetric cryptography, use two different keys with a mathematical relationship to each other. Their protection relies on the premise that knowing one key will not help you figure out the other. The RSA algorithm uses the fact that it's easy to multiply two large prime numbers together and get a product. But you can't take that product and reasonably guess the two original numbers, or guess one of the original primes if only the other is known. The public and private keys are carefully generated using the RSA algorithm; they can be used to encrypt information or sign it.
The advantage of elliptic curve cryptography lies in its immunity to the specialised attacks that have eroded the strength of RSA, with the result that smaller keys can be used to provide a given level of protection. "The size of the parameters (essentially the key size) for elliptic curve cryptography (ECC) needed to ensure security (under our current state of understanding) is much lower for ECC than for RSA or ElGamal (another alternative cryptographic method)," said Kohel. Indeed, keys 160 bits long provide ECC with the same level of security as 1024-bit keys for RSA.
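To make the RSA premise above concrete, here is an added toy example (not from the original post or any library): textbook RSA built from two small primes, showing that the private exponent d is derived from (p-1)(q-1), so anyone who could factor n would recover it, and that trial-division factoring cost grows with the size of the smaller prime. The primes p=61, q=53 and e=17 are the classic textbook values; real RSA uses primes of hundreds of digits and hashes the message before signing.

```python
from math import gcd, isqrt


def rsa_keygen(p, q, e=17):
    """Textbook RSA key pair from primes p and q (toy sizes here).

    The private exponent d needs phi = (p-1)(q-1), i.e. the factorisation
    of n. That dependency is the whole trapdoor: multiply is easy, factor is hard.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)            # anyone with the public key can do this


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)            # only the holder of d can undo it


def rsa_sign(priv, m):
    # Textbook signature: exponentiate the (already hashed, in practice) message with d.
    n, d = priv
    return pow(m, d, n)


def rsa_verify(pub, m, s):
    n, e = pub
    return pow(s, e, n) == m % n   # recover m with the public exponent


def trial_factor(n):
    """Recover (p, q) by trial division and count the divisions tried.

    Work grows with the smaller prime, which is why real moduli use primes
    far beyond anything this loop could reach.
    """
    trials = 0
    for cand in range(2, isqrt(n) + 1):
        trials += 1
        if n % cand == 0:
            return cand, n // cand, trials
    return None                    # n is prime or 1


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)
    c = rsa_encrypt(pub, 65)
    print(pub, priv, c, rsa_decrypt(priv, c), trial_factor(pub[0]))
```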
Monday, May 11, 2009
Operational fraud program
Rich discusses an enterprise-wide incident response plan to address the occurrence of fraudulent activities:
Operational fraud is the risk of incurring fraudulent loss to assets due to an organization's exposure to deception, theft, diversion or mismanagement of transactions, customer information, account information and data transfers. Operational fraud blends traditional fraud, corporate security, forensic investigation and information security disciplines, and infuses information sharing with the law enforcement community and industry colleagues to reduce potential fraudulent risks and losses.
Saturday, May 09, 2009
It's about ubiquitous computing
We know it's not about PCs anymore. It's about ubiquitous computing. I wonder why security companies are so focused on building PC security products. We are wasting our energy, money, and efforts on saving something that is not so critical.
Friday, May 08, 2009
What does cyberattack mean today?
Until a few years ago, a cyber attack meant PC viruses; today, it means paralyzing financial, electrical, health, and transportation services.