The April issue of Technology Review magazine ran a fascinating story about the work of Marc Stevens, a PhD student at a school in the Netherlands. Using nothing more than a laptop and his PlayStation 3, Marc was able to make the MD5 (Message-Digest algorithm 5) digital fingerprint of one file match that of a second, unrelated file. He did this by appending computed "junk" data to the files, so that both end up with the same digest; this is a collision, not a second preimage of a fixed, unmodified target, but it is enough to pass off one file as another wherever MD5 is the only check. Collisions exist for every hash function, since there are far more possible inputs than 128-bit outputs, but the possibility of intentionally forcing one by such modest computing means is disturbing. Other flaws have been identified since MD5 was designed in 1991 by Ron Rivest, including the potential to forge SSL certificates that validate correctly. This points out the continuing (and expected) trend that as our knowledge of cryptography increases and computing power becomes less expensive, previously secure algorithms and technologies are being compromised at an ever more rapid rate.
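To make the collision concrete, here is an added Python example that is not part of the original article. It does not reproduce Stevens' files; instead it uses the published Wang et al. MD5 collision pair (two 128-byte inputs differing in six bytes with the same digest), then appends an identical, constructed suffix to both to show that the collision survives any common "junk" that follows it, and that SHA-256 still tells the two files apart. The suffix text is an assumption for illustration.

```python
import hashlib
from typing import List, Tuple

# Published MD5 collision pair (Wang, Feng, Lai, Yu, 2004): two 128-byte
# inputs that differ in six bytes yet share one MD5 digest. These are real,
# widely reproduced test vectors, not bytes constructed for this example.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
# The MD5 digest both blocks produce (published alongside the pair).
KNOWN_MD5 = "79054025255fb1a26e4bc422aef54eb4"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_positions(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_collision(suffix: bytes) -> Tuple[bytes, bytes]:
    """Append the same payload to both colliding blocks.

    MD5 is a Merkle-Damgard construction: once two inputs reach the same
    internal state at a block boundary, any common suffix is absorbed
    identically, so the extended files still collide. This is why a
    collision found once can be reused under arbitrary trailing content.
    """
    return BLOCK_A + suffix, BLOCK_B + suffix


def fingerprints_collide(a: bytes, b: bytes, algo: str = "md5") -> bool:
    """True if two distinct inputs share a digest under the given algorithm."""
    if a == b:
        raise ValueError("inputs are identical; that is not a collision")
    return hashlib.new(algo, a).hexdigest() == hashlib.new(algo, b).hexdigest()


if __name__ == "__main__":
    print("bytes that differ:", differing_positions(BLOCK_A, BLOCK_B))
    print("md5(A)   ", md5_hex(BLOCK_A))
    print("md5(B)   ", md5_hex(BLOCK_B))

    # Constructed suffix: stands in for whatever real content follows the
    # collision blocks in a forged document (an assumption for illustration).
    suffix = b"\nExhibit B: approved vendor list (this text is shared by both files)\n"
    ext_a, ext_b = extend_collision(suffix)
    print("md5 still equal after common suffix:", md5_hex(ext_a) == md5_hex(ext_b))
    print("sha256(A+suffix)", sha256_hex(ext_a))
    print("sha256(B+suffix)", sha256_hex(ext_b))
    print("sha256 distinguishes them:", sha256_hex(ext_a) != sha256_hex(ext_b))
```

The practical lesson for a fingerprint check is the last two lines: a verifier that compares MD5 alone accepts both files as the same document, while one that compares a SHA-2 digest does not. Note that `hashlib.md5` is used here only to demonstrate the weakness; on a FIPS-restricted Python build it may be disabled entirely.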
In light of the foregoing, it is important to highlight the need for language in vendor and business partner contracts that includes a "floating standard" for security measures. Specifically, agreements in which sensitive data will be shared with a vendor or business partner should include two categories of information security protections. The first category relates to "fixed" security standards and should include specific details about the baseline security requirements for the vendor or business partner (e.g., SSL/TLS for data transmitted over the Internet, a defined level of encryption for databases, no use of removable media, data scrubbing procedures, etc.). The second category relates to "floating" security requirements or standards. This language is typically worded along the lines of "physical and logical security measures consistent with then-current industry best practices." The idea is to supplement the fixed standards with whatever standards evolve during the term of the agreement. In the case cited above, if MD5 were being used, the evolving standard would be to transition to a hash function that is not known to be broken. The point is to ensure information security is not a static, but a dynamic, requirement in your vendor and business partner agreements.

@Weblookon Team: I just googled your "provably secure" Weblookon. Great stuff, found a manual to derive the key from one or two observed logins. That is by no means better than any password ...
Data recovery is a small budget item often overlooked by senior management and IT security professionals. In many cases, choosing a company's data recovery vendor is done by IT, by the help desk, and sometimes by the end users themselves. The convenience of a local outsourcer often trumps the selection of a vendor that meets the company's data security requirements. Sad, but true. (I encourage you to test this theory. The results could be enlightening on so many levels.)
If a data recovery service provider’s network is hacked, and critical customer data is accessed, the company who contracted the service provider could be liable. Vendors who hold or handle sensitive information must be able to prove they can adhere to the same security standards as corporations and government agencies.
By engaging only data recovery service providers who can meet the following requirements, CSOs and IT professionals gain reasonable assurance that the confidentiality and integrity of their data will be protected during the data recovery process, and reduce the financial costs, regulatory penalties, productivity losses, and customer loyalty risks associated with a data breach:
• Annual audit results can be provided, verifying that the facility's information technology controls and processes have been reviewed by information security professionals and are operating effectively.
• Semi-annual (twice-yearly) penetration test results can be provided, verifying that network security testing and monitoring are integrated into the provider's security program, and that critical systems (e.g., firewalls, routers, servers) are configured, maintained, and verified to be operating effectively.
• Service provider is cleared to offer High Security Service and can demonstrate chain-of-custody protocols that meet US Government standards. Contacts can be provided for Contractor Clearance Verification.
• Training certification documents can be provided, verifying that data recovery engineers have been trained by leading encryption software vendors to safely and properly recover data from encrypted files and drives.
Passwords have been used for thousands of years in different contexts, be it to be allowed to pass over a bridge (Middle Ages) or to press the well-known "red button" of something. Since we all work with PCs, everyone is familiar with these passwords. But today one must say that secure protection using passwords is just like trying to win a Formula 1 race with an old Chevy. It's just dumb! Why not get rid of this relic? What would be a substitute? Imagine there were a fairy which enchants all passwords on this planet at once. No one would be able to log in to the PC, nor to the Web, nor anywhere else... Mankind would be forced to invent something new for mass use (we are talking about the WWW). Tokens, eCards, ... biometrics and all other known hardware- and software-based solutions would not be adequate because of their expense. So only knowledge-based solutions would fit. But as we said, there are no passwords any more! So what else? A lot of other methods of sharing secrets have been invented. One is one of the oldest methods: steganography. What's that? It is the science of communicating a secret without unmasking it. Of course there must always be two sides sharing the secret (e.g., a man and a machine), but the big problem nowadays is not the sharing but the transmission of the secret! Man in the middle, hackers, phishers, etc. became the problem.
So just visit the Weblookon website to let us show and prove to you that there really is a substitute for passwords. Just inform yourself and try it out now.
With best regards
Your Weblookon Team