A great little story came out a couple of weeks ago regarding the Federal Information Processing Standards (FIPS) validation process which definitely bears repeating. In the article, the author compares not using FIPS Validated cryptography to “opening a savings account at a bank without the FDIC’s $250K-per-account guarantee. You could do it, and it might work, but why take the risk when a safer option is available for no extra charge?”
Data Security, Government
Secret KFC Recipe Stored on Encrypted Flash Drive
A recent press release from KFC notes that “the original copy of the KFC secret recipe is kept on an encrypted computer flash drive and safely stored in the high-security KFC vault – right next to Colonel Sanders’ handwritten Original Recipe.”
Government secrets, financial information, medical info, PII, and now secret recipes… What sort of confidential info do you store on your encrypted flash drive?
Data Security
Co-authored by Nate Cote and Emmett Jorgensen
Too often we, as security professionals, aren’t asking all of the right questions when evaluating a new product or service. We’ve all heard of “256-bit AES” encryption and products secured with RSA keys of “x” size. Encryption key sizes have become commonplace metrics for evaluating security products that use cryptography, and they are often one of the primary pieces of information driving product adoption by an organization. A far more serious question we should be asking about cryptographic products, however, concerns the effectiveness of the Random Number Generator (RNG).
How many people truly gather any information on the randomness of the cryptography implemented in a product or module? More specifically, is there any analysis of the effectiveness of the RNG? This is, after all, the engine of the entire process and perhaps the most critical piece of a product using cryptographic functionality. Unfortunately, this information is almost never discussed, since most people don’t understand the importance of RNG quality and therefore don’t ask about it.
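One concrete way to start asking the RNG question is to put a sample of the generator’s output through the statistical power-up tests that FIPS 140-2 originally specified (monobit, poker and long-run, on a 20,000-bit block; the tests were later dropped from the standard but remain a useful smoke test). The following is an added example, not code from the original post or from Kanguru; the `weak_generator` is a constructed generator with its top bit wired to zero, and the bounds are the ones published in FIPS 140-2.

```python
import os
import random

# The FIPS 140-2 power-up statistical tests work on a single 20,000-bit sample.
SAMPLE_BITS = 20_000
SAMPLE_BYTES = SAMPLE_BITS // 8


def bits_of(data: bytes):
    """Yield the bits of data, most-significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit_test(data: bytes) -> tuple:
    """Count the ones; FIPS 140-2 requires 9725 < ones < 10275."""
    ones = sum(bits_of(data))
    return ones, 9725 < ones < 10275


def poker_test(data: bytes) -> tuple:
    """Split the sample into 5,000 4-bit values and compute
    X = (16/5000) * sum(f_i^2) - 5000; FIPS 140-2 requires 2.16 < X < 46.17."""
    counts = [0] * 16
    for byte in data:
        counts[byte >> 4] += 1
        counts[byte & 0x0F] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return x, 2.16 < x < 46.17


def long_run_test(data: bytes) -> tuple:
    """Find the longest run of identical bits; a run of 26 or more fails."""
    longest = run = 0
    prev = None
    for bit in bits_of(data):
        run = run + 1 if bit == prev else 1
        prev = bit
        longest = max(longest, run)
    return longest, longest < 26


def evaluate(sample: bytes) -> dict:
    """Run all three tests on a 20,000-bit sample and report each verdict."""
    if len(sample) != SAMPLE_BYTES:
        raise ValueError(f"sample must be exactly {SAMPLE_BYTES} bytes")
    results = {
        "monobit": monobit_test(sample),
        "poker": poker_test(sample),
        "long_run": long_run_test(sample),
    }
    results["all_pass"] = all(ok for _, ok in results.values())
    return results


def weak_generator(seed: int = 1) -> bytes:
    """Constructed flawed generator: a seeded PRNG whose top bit is always clear,
    the kind of wiring or masking bug that a key-size datasheet never reveals."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) & 0x7F for _ in range(SAMPLE_BYTES))


def os_generator() -> bytes:
    """The operating system's CSPRNG, the baseline to compare a product against."""
    return os.urandom(SAMPLE_BYTES)


if __name__ == "__main__":
    for name, gen in (("weak", weak_generator), ("os.urandom", os_generator)):
        print(name, evaluate(gen()))
```

The flawed generator fails the monobit and poker tests by a wide margin, while the OS generator passes (a genuinely random sample fails these bounds with probability on the order of one in ten thousand, which is the intended false-alarm rate). Passing is necessary, not sufficient: a counter encrypted under a fixed key passes all three tests, so real RNG evaluation also means reviewing the entropy sources and the deterministic generator design behind the output.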
Data Security
Kanguru’s own Matthew Losanno and Emmett Jorgensen contributed this article to Infosec Island outlining the importance of secure password storage. A few excerpts:
Essentially there are two versions to every password: the password that the user enters at the login screen, and the password stored on the website/server for authentication.
This, of course, begs the question: how secure is the location of the password stored for authentication?
As the recent Sony breach demonstrates, securely storing the password is just as important as, if not more important than, the strength of the password itself. In this article recently posted by CNET, Lulzsec, the group claiming responsibility for the most recent breach, states, “This target gave us LOLs as it provided internal release dates of records, barcodes, sales reports, and plaintext Sony employee passwords.”
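The stored “version” of the password does not have to be the password at all. As an added illustration (not code from the article or from Kanguru), the server can keep only a salted, slow-to-compute derived key, so a dump of the authentication table yields nothing a breach like the one above could print. The iteration count and record format below are assumptions of this example; PBKDF2-HMAC-SHA256 and the constant-time comparison come from Python’s standard library.

```python
import hashlib
import hmac
import os

# Assumed parameters: a random 16-byte salt per user and a PBKDF2 work factor
# high enough that guessing is slow for an attacker holding the database.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return the record to store instead of the password itself.

    Format (assumed for this example): algorithm$iterations$salt_hex$key_hex.
    The salt makes identical passwords produce different records, so a
    precomputed table cannot be reused across users.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def record_reveals_password(record: str, password: str) -> bool:
    """True if a stolen record exposes the login password directly, as the
    plaintext tables quoted above did; it should always be False here."""
    return password in record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong password ok:", verify_password("Tr0ub4dor&3", stored))
```

Each call to `hash_password` consumes a fresh salt, so two users with the same password get different records, and a breached table gives an attacker only the option of running the full work factor per guess per user.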
Data Security
DaveM at Advantage Computers Blog shows just how easy it is to set up a Kanguru Defender Elite secure memory stick. Steps include choosing an initial password and enabling the onboard antivirus or remote management options.
Residents of the UK can contact Advantage for more information on the Defender Elite and Defender V2 secure memory sticks.
Portable Storage
Kanguru is pleased to announce that the Defender Elite encrypted USB flash drive is now undergoing evaluation for Common Criteria EAL2+.
Common Criteria is an internationally recognized security evaluation program developed to ensure that an information technology product or service meets a variety of robust government security standards. Currently 36 nations worldwide mutually recognize the merits of the Common Criteria standard. Kanguru’s evaluation is being overseen by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).
“By undergoing the Common Criteria evaluation, we continue to position ourselves on top of the secure portable data storage industry,” said Don Brown, CEO of Kanguru. “Common Criteria, along with our fully manageable devices and current FIPS 140-2 Validations, distinguishes our products and services as the most secure, manageable and feature-rich in the portable data storage industry.”
Data Security, Portable Storage
The Boston Herald has details on a bank executive who resigned and then left with thousands of documents belonging to his former employer, Boston Private Bank & Trust Co.
In a suit filed in U.S. District Court on Monday, Boston Private Bank & Trust accuses former lending executive Todd Rassiger of stealing proprietary information that benefits his new employer, First Republic Bank.
The 24-page lawsuit alleges that before his resignation from Boston Private Bank & Trust Co., Rassiger attached personal USB flash drives to his bank-issued computer and downloaded more than 1,500 documents, many of which included highly confidential and proprietary information.
These days, companies need to be concerned with both external cyberattacks and the threat posed by insiders who have access to sensitive data. Our recent post highlights the need for endpoint security, which can block personal flash drives and keep an audit log of which files are downloaded.
We also highly recommend remote management capabilities for all portable devices like smartphones and storage devices. Kanguru’s Remote Management Console can be used to instantly revoke device access from employees who are leaving the organization. Their company-issued USB drive will be remotely disabled or deleted the next time it’s plugged in.
Data Security, Financial, Portable Storage
Today on InfoSec Island, you can read a new article by Kanguru contributors on the security of solid state drives (SSDs). The new technologies used in SSDs make it difficult to sanitize the drives of sensitive information.
Due to the difference in technology between flash-based SSDs and platter-based HDDs, currently accepted methods for sanitizing HDDs, such as multiple-pass disk wipes and degaussing, are not effective for securely removing data from SSDs.
The difficulty in safely wiping SSDs stems from the fact that SSDs, and their cousin the flash drive, both utilize solid state memory and a data writing technique known as wear-leveling. Wear-leveling is a method of controlling which flash cell has data written to it.
The article points out an effective method of ensuring that sensitive information can never be recovered by the wrong person.
A simple yet effective way to make sure that data is unrecoverable from an SSD is to utilize encryption. Using full disk encryption has a twofold effect. The first, obvious, effect is that it secures the data on the SSD.
Adding encryption, preferably at the hardware level, adds a layer of security to all your data and is a step towards meeting many of the security requirements currently needed in the financial, healthcare and public sectors.
Second, and equally important, when it comes time to retire the drive, the encryption key can be deleted, leaving the data inaccessible.
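The two points above (overwrites do not reach the old cells, and deleting the key makes every cell unreadable) can be shown with a small model. The following is an added example, not code from the article or from Kanguru: `WearLevelledFlash` is a constructed flash translation layer that sends each write to a fresh page and only marks the old page stale, and `EncryptedFlash` wraps it in a SHA-256 keystream that stands in for the AES-XTS a real self-encrypting drive would use. Page size, page count and the sample record are all constructed for the illustration.

```python
import hashlib
import os

PAGE_SIZE = 16  # bytes per flash page in this toy model


class WearLevelledFlash:
    """Constructed model of a flash translation layer: every logical write lands
    on a fresh physical page and the page holding the previous copy is merely
    marked stale, not erased, so host-visible overwrites leave old data behind."""

    def __init__(self, pages: int):
        self.physical = [bytes(PAGE_SIZE)] * pages
        self.mapping = {}      # logical page number -> physical page index
        self.next_free = 0     # pages are consumed in order, like a spare pool

    def write(self, logical: int, data: bytes) -> None:
        if len(data) != PAGE_SIZE:
            raise ValueError("data must be exactly one page")
        if self.next_free >= len(self.physical):
            raise RuntimeError("spare pool exhausted; garbage collection needed")
        self.physical[self.next_free] = data
        self.mapping[logical] = self.next_free
        self.next_free += 1

    def read(self, logical: int) -> bytes:
        return self.physical[self.mapping[logical]]

    def raw_dump(self) -> bytes:
        """What a chip-off forensic read returns: every physical page, stale or live."""
        return b"".join(self.physical)


class EncryptedFlash:
    """The same flash behind a drive-level encryption layer. The per-page keystream
    is a SHA-256 toy stand-in for the tweakable block cipher a real drive uses."""

    def __init__(self, pages: int):
        self.flash = WearLevelledFlash(pages)
        self.key = os.urandom(32)  # data encryption key, held by the controller

    def _pad(self, logical: int) -> bytes:
        if self.key is None:
            raise RuntimeError("encryption key has been destroyed")
        return hashlib.sha256(self.key + logical.to_bytes(4, "big")).digest()[:PAGE_SIZE]

    def write(self, logical: int, data: bytes) -> None:
        pad = self._pad(logical)
        self.flash.write(logical, bytes(a ^ b for a, b in zip(data, pad)))

    def read(self, logical: int) -> bytes:
        pad = self._pad(logical)
        return bytes(a ^ b for a, b in zip(self.flash.read(logical), pad))

    def crypto_erase(self) -> None:
        """Sanitize by destroying the key; the ciphertext on every page stays put."""
        self.key = None


SECRET = b"ACCT-4417 SSN:01"   # constructed 16-byte record standing in for sensitive data


def overwrite_leaves_residue(passes: int = 3) -> bool:
    """Multi-pass overwrite on wear-levelled flash: the host reads back zeros,
    but the original page is still present in the raw dump."""
    dev = WearLevelledFlash(pages=8)
    dev.write(0, SECRET)
    for _ in range(passes):
        dev.write(0, bytes(PAGE_SIZE))
    return dev.read(0) != SECRET and SECRET in dev.raw_dump()


def crypto_erase_removes_data() -> bool:
    """With encryption the raw dump never held plaintext, and once the key is
    destroyed even the live page cannot be read back."""
    dev = EncryptedFlash(pages=8)
    dev.write(0, SECRET)
    readable_before = dev.read(0) == SECRET
    dev.crypto_erase()
    try:
        dev.read(0)
        readable_after = True
    except RuntimeError:
        readable_after = False
    return readable_before and not readable_after and SECRET not in dev.flash.raw_dump()


if __name__ == "__main__":
    print("overwrite leaves residue:", overwrite_leaves_residue())
    print("crypto-erase removes data:", crypto_erase_removes_data())
```

The model deliberately never runs garbage collection, which is the point: until the drive’s own background process reclaims a stale page, no number of host-side overwrite passes touches it, whereas the encrypted device never wrote plaintext to any page in the first place.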
Data Security
State legislatures around the country continue to enact stronger and stronger data breach laws to protect their citizens against unlawful use of personal information. The two latest actions are in California and Massachusetts. See the Workplace Privacy Report to learn more about the new bills.
Massachusetts already has one of the toughest data security laws. Most other states have regulations that require public notification of data breaches and allow for civil or criminal penalties. Many, but not all of them, provide safe harbor from penalties if the data was properly encrypted.
Data Security
According to a new study by the Ponemon Institute, 75% of the energy and utility companies that were surveyed experienced a data breach within the last year.
“We were surprised that utility companies didn’t put a higher priority on issues like smart grid and smart meters, where there’s been a lot of concern about cyberthreats,” says Larry Ponemon, chairman and founder of Ponemon Institute. “Many of the people we talked to are still more focused on physical security than on cybersecurity.”
One possible attack vector being used against power companies is unsecured USB flash drives. This was reported to be a big factor in the spread of Stuxnet last year. Energy, utility and manufacturing companies should be taking extra measures to be sure only secure devices are plugged into industrial control equipment.
Malware, Portable Storage