Pages

Friday, December 27, 2013

Target: I'm calling bullshit!

Target got hacked.  Many times companies perform a triage as fast as they can when they are penetrated in such a manner.  I thought Target was pretty forthcoming in that they seemed to make public the incident fairy quickly.  That being said, I'm calling bullshit on the PINs not being exposed.

Their press release seems to not understand that there are different types of encryption that apply for different uses. 

http://money.cnn.com/2013/12/27/technology/target-pin/

Target wants the public to believe that the pins were not exposed.  They claim that the encryption renders the PIN safe.  The PINs were protected with 3DES.  3DES is a symmetric algorithm.  One key performs both encryption and decryption.  The PIN gets encrypted at the POS terminal, and remains encrypted through Targets internal systems until it is presented to the processor.  Then the processor decrypts it.  Original indications were that the breach was at the POS terminal, instead of the a central system that stores the card transactions.  Since we know the 3DES key is present on the POS term and the POS term is where the breach occurs, I would submit that the PINs are far from safe.  Potentially this key could be encrypted on the terminal, however, in memory it would have to be unencrypted to perform the encryption of the pin. 

I am not a designer of these POS systems, so I am not privy to all the safe guards employed at the POS Terminal.  All I'm pointing out is the type of encryption they are claiming to use seems inconsistent with the amount of security that a symmetric algorithm provides.

Thursday, August 29, 2013

What the NSA / Snowden fiasco tells us

So the NSA is uptight that their super secret spying system has been exposed.  I always wondered how much they listened in but was very shocked at the volume. Now, two encrypted email services have shut down rather than have to provide access to emails.  When we think about this what does this tell us?  There is no backdoor in encryption that the NSA has fostered...

For many years people have surmised that the NSA had built in secret backdoors into the NSA approved encryption algorithms.  When the US government decided to no longer classify these as munitions, many thought it was because the NSA had a backdoor key.   However, if there was a backdoor then the NSA would not have to resort to demanding access to the emails from lavabit.  They could just soak them in as they passed through the ISP and decrypt at their leisure.

Another effect of this is now much of the IT infrastructure in the rest of the world has started looking for non US based cloud solutions.  They are not interested in exposing their data or their customer's data to the NSA. That's lots of corporate money and potential tax dollars that just went bye bye.

I predict that NSA's pursuit of Edward Snowden will contribute to more encryption being used in the world.  This will nullify the NSA's desire effect of being able to read all the communications in the clear.


We will see what the future brings.

Monday, June 10, 2013

Think of the possibilities.

With all the uproar of the NSA PRISIM database, I have to contribute my 2 cents.  What would Joe McCarthy been able to do with this type of data?  McCarthy put the nation on edge by applying conjecture, circumstances, and association. 

Just think about this for awhile...  Let it sink in, and then call your congressman.

A Patriot is concerned for the country he loves.