In previous posts, we have talked about key strength and protection of encryption keys, but for those who are not directly involved in the line of IT, encryption terminology can be slightly confusing and bewildering at times.

When it comes to security, often terminology is over-complicated and almost never simplified to a level in which the average end-user can understand.

Cryptography is one of those areas in which everything has an acronym and nothing seems to stay the same for any length of time.  With numerous forms of encryption available, making an informed decision can be difficult or near on impossible at times.

When it comes to encryption, generally there are three factors involved.

1.  Sensitive data

2.  An encryption cipher

3.  An encryption key

This is breaking it down into an elementary level, but essentially these three parts are required for any form of cryptography.

Ciphers and encryption are two parts of the cycle in which people need to constantly be aware of changes and evolutions in cryptographic techniques.

A cipher is essentially a mathematical algorithm, which uses some form of factoring to encrypt sensitive data based on an encryption key.

This encryption key is exactly what it sounds like – it is the key to unlocking encrypted information and most undoubtedly the most important asset of any corporation, which relies on cryptographic security.

Keys are essential in ensuring security, and often they are the only vulnerability of the system not because of the technology, but because of end-users and their reluctance to use strong keys.

With the advent of wireless networks and other technologies, we are increasingly exposing our data to the risk of theft and interception by third parties with nothing more than a notebook computer and some freely available tools, which can be acquired online.

Whilst most home users and many organizations are now aware of the security implications of having unsecured private networks, the truth is that not many are aware of the limitations and the vulnerabilities that exist with wireless communications.

Wireless networks using older encryption technology are easily attackable using brute force attack.  By snooping encrypted packets for long enough, potential intruders can extrapolate the encryption key and gain access to the network.

This means the whole network becomes compromised and as a direct result of poor encryption standards, e-mails and other communications can be intercepted with ease.

To secure wireless networks, it is recommended to ensure that more popular and recognized encryption protocols are used and that key strength is strong enough to mitigate the risks of brute force attack.

However, many networks can still be breached so it is important to ensure that networks offer multiple layers of protection.  One way of protecting data, file transfer and VOIP communications that occur on a wireless network is to ensure that third party encryption software is used that effectively ‘double-encrypts’ any sensitive data being broadcasted wirelessly.

This ensures not only that the information is secure, but also reduces the value of data which is sniffed off the air, as it is essentially worthless due to the fact it is encrypted.

Various world governments have started significant research into one-touch hacking tools, which can be utilized on the battlefront.  These tools are being designed to be able to target weaknesses in Wi-Fi networks as well as intercept VoIP communications and satellite relays.

Following recent developments, the United States government has publicized the fact that it is researching such technologies in order to empower and increase the role of the battlefront soldier.  This technology should enable users to exploit weaknesses in security, control power grids and manipulate security systems remotely.

This is of great concern to any organization because this technology is just a showcase of what is actually currently available online.  Things such as packet sniffers, WEP and WPA-PSK key decryptors have been available online from one source or another for years and it is only now that the government is starting to adopt the practices of experienced hackers and adapt them for battlefield use.

The modern organization faces a real threat of digital attack on a daily basis, and with tools on this being developed by the government; one can only imagine what is available to the digital underground.

Traditional security measures in the forms of IDS systems, firewalls and others are no longer adequate when it comes to protecting security.  Organizations need to stop thinking about ‘if’ they are breached, but ‘when’ they will be breached.  By changing company focus from that of prevention to limitation ensures that should the worst-case scenario occur, companies can still minimize risk by ensuring all assets are secure with technologies such as advanced Encryption amongst others.

Gold Lock Enterprise not only serves as a military grade voice encryptor, but actually works to ensure that all file and text communications are also protected from hackers at a level equivalent to that in use by the NSA and worldwide military organizations.

Reports are in that T-Mobile, the ever popular US communications firm has recently became victim to the theft of highly sensitive data on operations, customers and also financial records.  According to postings on the internet, this information has already made its way to the underground auctions where it awaits the highest bidder.

T-Mobile has recently confirmed that they were the subject of attack, but they have denied any sensitive information has been stolen.  Three days after the attacks, T-mobile released a statement to the press in response to a channel insider inquiry stating that “protection of our customers’ information and the security of our systems is paramount at T-Mobile.” T-Mobile went on to admit that ‘a document’ had been stolen and that an investigation is underway.

The hackers are yet to substantiate their claims with anything other than the list of ‘servers’ which T-Mobile has already admitted to losing.  Perhaps the attacks never took place, or perhaps T-Mobile is deliberately keeping quiet?

T-mobile does not have the best reputation when you look at their track record. In 2005, it emerged that they were the subject of another massive attack, in which a hacker managed to access the sensitive information of T-Mobile’s full subscriber base of over 16 million customers.

As security analysts and encryption experts, we have to ask the question about both attacks: – Why does T-Mobile not adopt more rigorous multi-layer security?  Is encryption not at the heart of their policies?  After all, if they followed an appropriately multi-layered security policy, they would be able to mitigate the risks of any data theft.

We live in an age where there is a constant battle of competition going on amongst hackers.  Corporations are the victims, and many are literally blind to the risks, until they find out someone has just stolen the information of 16 million customers.   That is a lot of credit cards…

With the recent publications trying to publically denounce the safety of Wi-Fi hotspots, many travelers and business people aren’t actually taking a great deal of notice.

After all, when was the last time the cafe had a notice announcing that the information you transmit may be visible to others?  The truth is, while people are now smarting up to the dangers of using unsecured private networks, they are still placing large amounts of trust in the highly dangerous public Wi-Fi networks.

People are constantly under the assumption that because many of these networks are a ‘paid’ service, that they are secure.  But look at the basic facts.  It is a shared medium.  Airports, coffee shops and shopping malls are rapidly becoming major sources of targets for cyber criminals who only need to sit outside with a laptop and a network card.

However, whilst it is always recommended that sensitive data is never exposed to a non-trusted network, the advent of encryption and virtual private networks now means that companies can afford themselves an extra layer of security.

But, virtual private networks do not mitigate against one of the biggest threats faced by business travelers and individuals – the risk of complete hardware theft or loss, which can cost organizations in excess of $20,000 per system, compared to the relatively small expense of integrating file and disk encryption into their security policies.

These days, many WI-FI networks are being monitored by hackers.  Perhaps the person sitting next to you at the airport is secretly recording every byte you transmit?  Maybe they are going to steal your thumb-drive the next time you are not looking?

The idea that people can live without encryption these days is absurd.  The risks associated such as cyber snooping, and the theft of high value information is great in an age where we are reliant on wireless communications and portable computers.

Recently, an industrial company in Texas has suffered the consequences of lax security policies when hackers managed to steal over $1.2 million dollars in a mere 30 minutes.

Jugal Malani, owner of the Sugar Land Company located in the USA recently received the blunt end of the stick, when his network was exposed and his credit lines were exposed.

The attacks took a mere 30 minutes to perpetrate and those responsible have still not been located.

In response to the attack, Mr Malani expressed complete bewilderment stating he never believed his firm was vulnerable, and subsequently he has upgraded his security.

Constantly, smaller and smaller corporations are facing the brunt of experienced hacker’s intent on breaching network security.

These days, it is no longer a case of having to be a multi-national corporation to be vulnerable, but any organization risks being a target if appropriate security measures are not enforced.

This is an example of a worst-case scenario, but one that is preventable with modern security policies.

Utilizing things such as encryption on files and sensitive calls ensures that no sensitive information is ever available for drive-by hackers.  Drive-by hackers, or hackers that simply roam the internet looking for weak targets are now responsible for a growing majority of attacks on business networks, and they are often escaping without charge due to lax network security that means there is not sufficient evidence left behind to apprehend them.

Security needs a huge paradigm shift from that of a single point of defence into a multi-layered model, which means that should attackers breach one layer of security, they still have many more until they can gain access to sensitive material, and each attempt will leave more and more incriminating evidence.

Next time you are trying to save $2000 on security, just think about this story because it could just end costing two million.

The state of Virginia has recently came under the international spotlight after it apparently became under attack by an anonymous hacker who claims to have stolen around 35 million prescription records of those residing in the state.

This supposed vulnerability has still not been identified, and state information security professionals are still dumbfounded as to whether or not this ‘hacker’ is the genuine article. Other than a ransom demand for over $10 million dollars, they have received little in the way of evidence other than the claims that the hacker has managed to delete certain files and create an encrypted backup.
Whilst the state remains uncertain as to the hackers’ authenticity, the fact remains that they are neither confirming nor denying the threat. Perhaps this is the biggest point of confusion as at this point any organization with appropriate security measures in place would be able to at least partially refute the claims.

So far, the only evidence that this ‘hacker’ may be a fake is because they claim to have social security numbers. The state of Virginia has made an announcement that states that the information they held had no such information, and that the hacker ‘may’ be a fraud.

Whilst we allude to the fact that this may be a fraudulent attempt to extort money, the state of Virginia cannot be certain. In this age of cyber-privacy and information security, the state of Virginia should be more accountable for the information they are holding. What is concerning is their incompetence in dealing with this threat and the clear fact that their security policies are inadequate to be able to ‘check’ the records and ensure that data is secure.

It is ironic that the hacker in this example apparently used encryption against the state. If the state happened to be using encryption against the hacker then perhaps this would never have happened.

We are living in a world where almost a third of all businesses and home users in America are utilizing some form of VOIP technology. This may be to empower whole calling centers, or alternatively it may be on a smaller scale for inter-departmental communication.

2008 saw a record growth year in VOIP technology, and it also saw attacks against VoIP networks increase exponentially. As a result, many corporate networks whilst protected against internet-based attacks are still vulnerable against VOIP targeted breaches.

It is surprising to see the lackadaisical approach to security that many organizations are taking. In three years, analysts predict that VOIP will overtake traditional PSTN technology, and given the vulnerabilities of VOIP, organizations need to ensure that they have acted appropriately in order to mitigate the security risks.

What are the Security Risks of VOIP?
VOIP is an IP-based technology. Given the fact that data travels throughout the internet, this means that it is vulnerable to multiple points of interception unlike that of PSTN communications, which have remained relatively, secure in comparison.

IP Data is Vulnerable to Eavesdropping. Because many businesses are using VOIP equipment to conduct sensitive business transactions, they are becoming victims of direct man-in-the-middle attacks. Such attacks are preventable with good security policy.

VOIP Networks are Vulnerable to Direct Attack. Malicious attacks are increasing that are targeted specifically to VOIP networks. These attacks normally flood VOIP traffic to try to cripple the organizations infrastructure and effectively it allows attackers to gain unlawful access to information systems.

Given the main risks of VOIP technology, organizations have had to develop truly multi-layered security policies, which can safeguard voice and data systems at the same time. A typical multi-layered security policy does not aim to stop attackers entirely, but uses technologies such as VOIP encryption and file encryption to ensure that if networks are breached, then sensitive information will never be vulnerable.

Reports have recently surfaced that the US National Archives recently lost over a terabyte of personal information on an unencrypted hard disk drive. This information is said to have contained highly sensitive details such as social security numbers, personal addresses and also highly classified procedural data regarding White house and secret service operations.

Reportedly, this disk went missing some time ago during building renovations and the FBI is apparently only now conducting a criminal investigation, even though reports state that the drive went missing over 5 month period.
This could essentially make it impossible to track down the source of the loss, and it also begs the question to be asked – “Why did it take so long to notice?”

Statistically speaking, a one terabyte hard drive could contain information on over half a million citizens and for security reasons; the National Archives are not being fully transparent as to the full details of this loss.
This is just another example of how governments continue to fail with nonsensical approach to data security. The fact at the matter is that the Information security professionals responsible for the US national archives should be held partially responsible for this loss.

Security experts have publically deplored the loss stating that there is no reason why a government department such as the National Archives should not have rugged security policy. The above-mentioned breach is illustrative of something a small company may suffer from, but given the sensitivity of the data on this device, some level of disk encryption should have been used as a precautionary measure.

This is just an example of how there is very little in the way of laws to protect sensitive data. Whilst the government managed to lose 1TB this time, it is not the first time that data has been lost or stolen.

It will also not be the last.

Nokia 1100 - Firmware Encryption Keys Hacked

Recently, security groups have been receiving increased reports of hackers successfully intercepting SMS messages and subsequently gaining access to banking details of individuals.

This shocking revelation came to light just recently, when the security group “Ultrascan” managed to acquire not just the full working details of this exploit, but also all the hardware required.

This attack relies on the Nokia 1100 telephone, which was one of the few Nokia phones in which the firmware encryption keys have reached public domain and thus it has successfully been decrypted, reverse engineered and modified.

Hackers have managed to effectively clone a mobile phone by hacking this firmware and then by using it to eavesdrop on SMS messages, were able to intercept secure banking information and breach online security.

When used in conjunction with key loggers and other snooping tools hackers are effectively bypassing the once thought rugged security methods of European online banking.

This vulnerability essentially involves rewriting the firmware of a cell phone, and then using it as a secret receiver to eavesdrop SMS messages.

GSM security has been vulnerable to attack for a while now and the old GSM proprietary encryption algorithms have already been breached on multiple occasions.

For the average hacker, obtaining the devices is out of the question, but organized gangs of criminals who are already in the process of cloning SIM cards and conducting online fraud already are actively seeking these cellular devices.

These devices are now appearing on the black market for sale to criminals who are looking to use them to conduct cyber fraud in online banking.
Given the latest vulnerability with SMS messages, then perhaps banks and consumers need to start thinking about using some sort of encryption for all GSM communications, not just GSM voice data.