Tag Archives: encryption

Implementation is Everything

Last week gave way to a flurry of activity around RSA and an alleged cryptographic flaw in the algorithm, based on this report by Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, Thorsten Kleinjung, and Christophe Wachter. RSA’s Sam Curry responded with a post here, and there were also posts by Dan Kaminsky and Nadia Heninger, as well as this New York Times article. As I was reading through this whole mess and understanding the technical issues at hand, I started thinking that the description of the problem, ultimately a lack of entropy in a particular implementation, is something that the security industry has dealt with before. You don’t have to look very far to see implementation problems that cause both minor ...

Satellite Hacking, Not Just for Pros!

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links. Most of these links manifest as a form of “carrier grade” link such as MPLS or Frame Relay. These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links. Companies extended their WAN in the form of frame relay in 64-Kbit increments (yes, I know there were 56-Kbit links too—I managed one back in the day). These links were rarely (if ever) encrypted, partly due to ...

Do Mainframes Get A Pass?

When I first started doing PCI DSS work under the then-current CISP and SDP standards, one of the biggest problems I ran into was what to do with one of those fancy mainframes. In this job, you see ALL manner of mainframes. I’ve seen everything from super shiny, brand new z/OS multiplexes to aging but functional Tandems to an OS/390 system that literally had no changes performed on it in more than two years. How does anti-virus apply to those again? I recently fielded a question about mainframes, and whether they still “get a pass” when it comes to certain requirements like anti-virus (Req 5) and encryption (Req 3.4). As with most PCI DSS interpretation questions, it certainly depends on ...

The Gobble-Gobble of Public Networks

Here in the US we celebrate and give thanks for the harvest on the fourth Thursday of November, one month after our Canadian brethren did. Does security stop just because most companies in the US are closed? Nope; in fact, I’d like to give a shout out to all of you folks taking the overtime pay to spend time babysitting your networks. For you, I am thankful. The PCI Europe meeting has been the topic of several blog posts recently, and here’s yet another one inspired by the Q/A session at that meeting. The Technical Working Group (TWG) must cringe whenever someone in a crowd asks for the definition of public networks. I believe that this was one of those phrases ...

More Fun with Hashed PANs

Hashed PANs are a double-edged sword. Hashes seem to be coming up quite a bit lately, and in fact there was a question about hashed PANs at the PCI Europe meeting. Luther Martin at Voltage discusses one of the two main issues with hashing: the ability to create rainbow tables, whereby you can easily take a known hash value and work back to the input used to create it. Granted, one of the issues that exacerbates this for cardholder data is the limited keyspace in which card numbers are valid. Remember, they all start with published six-digit BINs, and any number must pass a Luhn check. But, before we dance on hashing’s grave, let’s ...

Visa Releases Data Field Encryption Guidance

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals (paying homage to The Security Catalyst’s “3s and 5s” rule) and thirteen best practices that companies can implement to meet them. The five goals as listed in the bulletin are:

1. Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
2. Use robust key management solutions consistent with international and/or regional standards.
3. Use key lengths and cryptographic algorithms consistent with international and/or regional standards.
4. Protect devices used to perform cryptographic operations against physical/logical compromises.
5. Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after ...

Fun Times with Encryption

Time for a throwback! This year, I posted my new article “The Art of the Compensating Control” over a three-week period back in April. A reader recently contacted me about a claim I make in Part 4 of the posting. He says: “In your April 2009 blog The Art of the Compensating Control (Part 4) Tax day special, you stated that using the random function in COBOL to generate your key was in a sense, ‘a really bad idea’. I have no knowledge of encryption so I don’t see the fault with the process. How would this be equivalent to only 53 bits of encryption?” Excellent question! The basis of this post relies on a tool by Mandylion Labs ...
