Communications between devices often passes over public networks that have varying risks of eavesdropping and interference by adversaries. While the endpoints involved in a communications session may be protected, the communications itself might not be. For this reason, cryptography is often employed to make communications unreadable by anyone (or any thing) that may be able to intercept them. Like the courier running an encrypted message through a battlefield in ancient times, an encrypted message in the modern context of computers and the Internet cannot be read by others.
- excerpt from a book in progress
As of Tuesday, September 2, 2014, Home Depot was the latest merchant to announce a potential security breach.
Any more, this means intruders have stolen credit card numbers from its POS (point of sale) systems. The details have yet to be revealed.
If there is any silver lining for Home Depot, it’s the likelihood that another large merchant will probably soon announce its own breach. But one thing that’s going to be interesting with Home Depot is how they handle the breach, and whether their CEO, CIO, and CISO/CSO (if they have a CISO/CSO) manage to keep their jobs. Recall that Target’s CEO and CIO lost their jobs over the late 2013 Target breach.
Merchants are in trouble. Aging technologies, some related to the continued use of magnetic stripe credit cards, are making it easier for intruders to steal credit card numbers from merchant POS systems. Chip-and-PIN cards are coming (they’ve been in Europe for years), but they will not make breaches like this a thing of the past; rather, organized criminal organizations, which have made a lot of money from recent break-ins, are developing more advanced technologies like the memory scraping malware that was allegedly used in the Target breach. You can be sure that there will be further improvements on the part of criminal organizations and their advanced malware.
A promising development is the practice of encrypting card numbers in the hardware of the card reader, instead of in the POS system software. But even this is not wholly secure: companies that manufacture this hardware will themselves be attacked, in the hopes that intruders will be able to steal the secrets of this encryption and exploit it. In case this sounds like science fiction, remember the RSA breach that was very similar.
The cat-and-mouse game continues.
The information security profession, and cryptography in particular, has passed into a new era where credible evidence has surfaced that reveal that several world governments have played a role in the deliberate weakening of cryptosystems, to facilitate domestic and international espionage. Prior to these revelations, information security professionals could place their trust in national standards bodies, major encryption product vendors, and government organizations. This trust has been broken and will not be easily mended.
A significant challenge in both public and private sectors will be the establishment of new ways to measure the validity and integrity of cryptosystems. Or, perhaps a new approach will be new and novel uses of cryptography in order to make the compromise of a cryptosystem more difficult than before. The collective discussion on this topic will run its course over several years, resulting in the development of new validation platforms as well as improved application of cryptosystems.
– excerpt from the cryptography chapter of a college textbook still in development
A recently released demonstration from Princeton University shows that most disk encryption systems, including Microsoft Vista Bitlocker, Apple FileVault, Linux dm-crypt, and TrueCrypt, are vulnerable to a simple attack that will result in the attacker being able to read the entire contents of an encrypted hard drive.
- It is still highly important to prevent physical theft of a laptop computer
- It is preferable to shut down a system as opposed to leaving it in sleep mode
Electronic Frontier Foundation
New York Times
Skype uses robust encryption that protects its Internet-based phone calls from eavesdroppers. The problem is, if you’re law enforcement and need to conduct a lawful wiretap on a Skype account, you’re out of luck.
Skype’s encryption is end-to-end, and its design includes no provision for a lawful wiretap such as those that are routinely conducted over cellular and landline based phones.
There is no question in my mind that Skype’s encryption is robust. Here is an excellent cryptanalysis (PDF) of the Skype service that was performed by Tom Berson of Anagram Laboratories.
Recent article: Internet Telephone Encryption Stumps German Police
I am a big fan of Skype, particularly because it utilizes full session encryption. I use Skype on a daily basis, both for text messaging as well as for voice communications.
I recently became aware of an excellent cryptanalysis (PDF) of the Skype service that was performed by Tom Berson of Anagram Laboratories.
PGP is pricey these days – starting at $83/yr, single quantity.
If you only need to encrypt files and e-mail in Windows, consider using GPG. It is compatible with PGP, and it’s free.
GPG has an Outlook plug-in, and tools to manage keys (including importing your PGP keys).
One thing GPG won’t do is create self-decrypting archives.
Get GPG here: