Showing posts with label Encryption. Show all posts

April 12, 2016

Turn, Press, Pull -- Gonna Get Ya

So as I go around town, I see more and more of these industrial-type control panels. 

The problem is that they are stupidly in the open and unprotected or otherwise easily defeated.  

While probably not a serious threat of any sort, this one apparently is a unit to control some fans in an underground garage open to the public. 

You see the knobs you can just turn.

And one with a yellow warning sticker above it.

As if that will keep someone with bad intentions from messing with it. 

You also see the red and yellow lights...hey, let's see if we can make those flash on, off, on.

Panel 13, nicely numbered for us--let's look for 1 to 12 and maybe 14+.

It just continues to amaze me that in the age of 9/11 and all the terrorism (and crime) out there that many people still seem so lackadaisical when it comes to basic security. 

Anyone in the habit of leaving doors and gates open, windows unlocked, grounds unmonitored, computers and smart phones without password protection, data unencrypted and not backed up, even borders relatively wide open, and so on. 

Of course, we love our freedom and conveniences.

We want to forget bad experiences.

Could we be too trusting at times?

Maybe we don't even believe anymore that the threats out there are impactful or real.

But for our adversaries it could just be as simple as finding the right open "opportunity" and that's our bad. ;-)

(Source Photo: Andy Blumenthal)


June 25, 2015

18 Million--Change The SSNs

So, maybe one of the most detrimental heists of information from the Federal government in history.

Now involving over 18 million current and former federal employees, including military and intelligence personnel. 

No getting around it, but we are major screwed here--this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out--it's people. 

Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel--generals, spy masters, political kingpins, and other key decision makers--thereby distracting them from their duties of safeguarding our nation. 

This is our new Achilles Heel and overall a security disaster bar none!

Well, we can't go back and put the genie back in the bottle--although wouldn't it be nice if such critical information (if not encrypted--already unforgivable) would have a self-destruct mechanism on it that we could at least zap it dead.

But for the people whose personal identities are at risk--whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised--what can we do?

While we can't very well change people's DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling in this information in the black markets?
 
If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records. 

This is not rocket science, and certainly we owe this much to our people to help protect them.

Will our government be there for its own employees and patriots? ;-)

(Source Photo: here with attribution to Donkey Hotey)

October 3, 2014

Data Like Clouds

So data is like clouds...

Clouds want to be free roaming the wild blue skies similar to how data wants to be searchable, accessible, useful, and so on. 

But with data, like clouds, when it rains it pours--and when data blows about with the windstorm and is compromised in terms of security or privacy, then we not only come away wet but very uncomfortable and unhappy. 

Then, as we actually end up putting our data in the great computing clouds of the likes of Amazon, iCloud, HP, and more, the data is just within arm's reach of the nearest smartphone, tablet, or desktop computer. 

But just as we aspire to reach to the clouds--and get to our data--others less scrupled (cyber criminals, terrorists, and nation states) seek to grab some of those oh so soft, white cloud data too.

While you may want to lock your data cloud in a highly secure double vault, unfortunately, you won't be able to still get to it quickly and easily...it's a trade-off between security and accessibility. 

And leaving the doors wide open doesn't work either, because then no one even needs an (encryption) key to get in. 

So that's our dilemma--open data, but secured storage--white, soft, beautiful clouds wisping overhead, but not raining data on our organizational and personal parades. ;-)

(Source Photo: Andy Blumenthal)

May 4, 2012

Leadership Cloud or Flood Coming?

I came across two very interesting and concerning studies on cloud computing--one from last year and the other from last month.

Here is a white paper by London-based Context Information Security (March 2011).

Context rented space from various cloud providers and tested their security. 

Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases--leaving a pass rate of just 25%!

The major security issue was a failure to securely separate client nodes, resulting in the ability to "view data held on other service users' disk and to extract data including usernames and passwords, client data, and database contents."

The study found that "at least some of the unease felt about securing the Cloud is justified."

Context recommends that clients moving to the cloud should:

1) Encrypt--"Use encryption on hard disks and network traffic between nodes."

2) Firewall--"All networks that a node has access to...should be treated as hostile and should be protected by host-based firewalls."

3) Harden--"Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves."

I found another interesting post on "dirty disks" by Context (24 April 2012), which describes another cloud vulnerability that results in remnant client data being left behind, which then becomes vulnerable to others harvesting and exploiting this information.

In response to ongoing fears about the cloud, some are choosing to have separate air-gapped machines, even caged off, at their cloud providers' facilities in order to physically separate their infrastructure and data--but if this is their way to currently secure the data, then is this really even cloud or maybe we should more accurately call it a faux cloud? 

While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud. 

Clouds can lead the way--like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah. 

The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field? 

(Source Photo: here with attribution to freefotouk)



April 1, 2012

A Word Indeed


The information in your smartphone and managed by your telecommunications carrier is available and accessible to others with today's tools and following the right processes. 

Bloomberg BusinessWeek (29 March 2012) reports on a new tool for law enforcement that captures your data from smartphones. 

It is called the Cellebrite or Universal Forensic Extraction Device (UFED).

As the video describes, it works with almost every mobile device out there--over 1,800 of them.

And when attached to a smartphone, it can extract everything from your call log, emails, texts, contact list, web history, as well as photos and videos. 

The forensic tool can even retrieve deleted files from your phone. 

Your smartphone is a digital treasure trove of personal information and the privacy protection afforded to it is still under debate. 

The article cites varying court opinions on "whether it's fair game to examine the contents of a mobile phone without a warrant," since it is in the suspect's immediate possession. 

According to law enforcement sources quoted in the article, "we use it now on a daily basis."

Aside from the contents on the phone itself, Bloomberg BusinessWeek (29 September 2012) earlier reported that telecommunications companies are also storing your personal data for various lengths of time.

For example, detail call records and text contacts are retained for up to 7 years and phone location information indefinitely, depending on the carrier.

This data is available too under the processes specified in the Electronic Communications Privacy Act. 

While the technology is constantly getting better for us to electronically manage our information and communicate with each other, the reach and life cycle of digital information can certainly be far and long.

As we should all by now know, working remotely, digitally, in cyberspace, and encrypting, deleting, or even attempting to destroy data files does not ensure their ultimate privacy. 

In that respect, both digital and non-digital information are the same in one very important facet and that is as we all learned early in life that "a word once said cannot be taken back."
