How Stuff Works: Encryption – HowStuffWorks

When we use the Internet, we're not always just clicking around and passively taking in information, such as reading news articles or blog posts; a great deal of our time online involves sending others our own information. Ordering something over the Internet, whether it's a book, a CD or anything else from an online vendor, or signing up for an online account, requires entering a good deal of sensitive personal information. A typical transaction might include not only our names, e-mail addresses, physical addresses and phone numbers, but also passwords and personal identification numbers (PINs).

The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. It's extremely easy to buy and sell goods all over the world while sitting in front of a laptop. But security is a major concern on the Internet, especially when you're using it to send sensitive information between parties.

Let's face it, there's a whole lot of information that we don't want other people to see, such as:

Information security is provided on computers and over the Internet by a variety of methods. A simple but effective method is to keep sensitive information only on removable storage media, such as portable flash memory drives or external hard drives, which cannot be reached over the network while they are unplugged. But the most popular forms of security all rely on encryption, the process of encoding information so that only the person (or computer) holding the right key can decode it.

In this article, you will learn about encryption and authentication. You will also learn about public-key and symmetric-key systems, as well as hash algorithms.


Major Security Bug Found in Web Encryption Tool

A security flaw found in a popular Internet encryption tool has sent companies and government agencies scrambling to plug the leak.

The bug in OpenSSL, a widely used open-source cryptographic library, was made public earlier this week by researchers at Google (GOOG) and cyber-security firm Codenomicon, who found it independently. According to a website created by Codenomicon, Neel Mehta of Google Security first reported it to the OpenSSL team.

In a notice on Tuesday, Amazon.com (AMZN) informed its Amazon Web Services customers that it had applied fixes to resolve the OpenSSL vulnerability. Some of Amazon's AWS services were unaffected.

Researchers believe Heartbleed, the nickname given to the OpenSSL flaw, already allowed cyber thieves to grab Yahoo (YHOO) usernames and passwords. Yahoo said it had addressed the problem for most of its properties, including Yahoo Search, Yahoo Mail, Flickr and Tumblr, by Tuesday afternoon.

"As soon as we became aware of the issue, we began working to fix it," a Yahoo spokesperson said. "Our team has successfully made the appropriate corrections across the main Yahoo properties and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

According to a web tool from security firm Qualys, other major websites, such as eBay (EBAY), Google and Microsoft's (MSFT) Outlook email service, were not vulnerable to the Heartbleed attack.

The Canada Revenue Agency temporarily shut down its online services on Wednesday due to security concerns, just three weeks before an April 30 deadline for citizens to file taxes.

The security flaw was found in some versions of OpenSSL, open-source software that many websites use to encrypt communication over the Internet. Heartbleed can expose usernames, passwords and credit card numbers that happen to be held in a server's memory.

Using the flaw, an attacker can ask the server to send back chunks of its memory, up to 64 KB per request, and can repeat the request as often as they like. They cannot choose which memory comes back, so a particular person's username and password cannot be targeted directly, but by collecting enough responses they can piece such data together.
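How a single heartbeat request pulls out memory it was never sent, as an added example rather than OpenSSL's own code (the real handler is tls1_process_heartbeat in ssl/t1_lib.c; the names below are the example's own): a minimal TLS heartbeat handler in the shape the affected releases had, beside the same handler with the two length checks the fix added. The message layout follows RFC 6520. The request, the "adjacent memory" and the SECRET string are constructed for the demonstration and are not taken from a real capture.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage as delivered by the record layer:
 *   type (1 byte: 1 = request, 2 = response) | payload_length (2 bytes, big-endian)
 *   | payload[payload_length] | padding (at least 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Shared by both handlers: echo payload_len bytes back under a response header.
 * Returns the response length; the caller frees *out. */
static size_t build_response(const uint8_t *payload, uint16_t payload_len, uint8_t **out)
{
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    uint8_t *resp = malloc(resp_len);
    if (!resp) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + 3, payload, payload_len);        /* reads payload_len bytes from the request */
    memset(resp + 3 + payload_len, 0, HB_PADDING); /* OpenSSL filled this with random bytes */
    *out = resp;
    return resp_len;
}

/* Affected behaviour: payload_len comes from the peer's header and is trusted as-is, so
 * the memcpy above reads up to 65535 bytes beyond what was actually received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    (void)rec_len;                                  /* known to the caller, never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + 3, payload_len, out);
}

/* Repaired behaviour: the same logic plus the two length checks the fix added. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t **out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;    /* too short to be a heartbeat at all */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return 0; /* claim exceeds record */
    return build_response(rec + 3, payload_len, out);
}

/* Constructed stand-in for whatever sat in server memory just past the request,
 * e.g. form fields from an earlier HTTPS request. Not a real capture. */
#define SECRET "user=alice&password=hunter2"

/* Writes a request whose header claims claimed_len payload bytes but carries only
 * strlen(payload) of them. Returns the number of bytes the record layer delivered. */
static size_t build_request(uint8_t *buf, uint16_t claimed_len, const char *payload)
{
    size_t n = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, n);
    memset(buf + 3 + n, 0, HB_PADDING);
    return 1 + 2 + n + HB_PADDING;
}

static int contains_secret(const uint8_t *buf, size_t len)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Sends one request carrying the 4-byte payload "ping" but claiming `claimed` payload
 * bytes to either handler. SECRET is placed right after the request inside our own
 * buffer, so the demo itself stays in bounds. Returns -1 if the handler rejected the
 * request, 1 if the response contains SECRET, 0 for a clean echo, 2 for anything else. */
int heartbeat_demo(int use_fix, uint16_t claimed)
{
    uint8_t mem[256] = {0};
    size_t rec_len = build_request(mem, claimed, "ping");
    memcpy(mem + rec_len, SECRET, strlen(SECRET));  /* the request's heap neighbour */
    uint8_t *resp = NULL;
    size_t resp_len = use_fix ? heartbeat_fixed(mem, rec_len, &resp)
                              : heartbeat_vulnerable(mem, rec_len, &resp);
    int result;
    if (resp_len == 0) result = -1;
    else if (contains_secret(resp, resp_len)) result = 1;
    else result = (resp_len == rec_len && memcmp(resp + 3, "ping", 4) == 0) ? 0 : 2;
    free(resp);
    return result;
}

int main(void)
{
    printf("vulnerable, claim 64: %d\n", heartbeat_demo(0, 64)); /* 1: secret leaked */
    printf("fixed, claim 64:      %d\n", heartbeat_demo(1, 64)); /* -1: rejected */
    printf("fixed, claim 4:       %d\n", heartbeat_demo(1, 4));  /* 0: clean echo */
    return 0;
}
```

The honest request (claim 4) is answered identically by both handlers, which is why the bug went unnoticed in normal use: only a peer that lies about its payload length ever exercises the difference, and the affected code had no way to notice the lie.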

Alex McGeorge, head of threat intelligence at security firm Immunity Inc., said e-commerce transactions and other online activities remain secure as they happen, although hackers could recover enough information to decrypt data as it is sent to and from a server.


Protect your business by encrypting the network

There has been a heightened interest in encryption over recent months, largely thanks to the Edward Snowden leaks showing US and British intelligence agencies were pouring their funds into cracking popular kinds of protection.

Much of the talk has focused on standards approved by the US National Institute of Standards and Technology (NIST), especially the much-derided Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG). Secure Sockets Layer (SSL) protections have also faced scrutiny, with an OpenSSL flaw causing something of a panic among security professionals.

Little attention has been given to encryption across routers and switches, however. That's despite a rise in router malware, such as the Linux-focused Darlloz worm uncovered towards the end of 2013.

Yet enabling certain kinds of encryption at different points in the network, rather than focusing solely on applications, can provide significant protection from even the most advanced attackers. But many still aren't doing this, says Peter Wood, chief executive officer of security consultancy First Base Technologies.

"There's no question that transmitting information in plain text remains a significant vulnerability in most organisations. As ethical hackers, we often start our client engagements by examining network data and discovering significant information from a simple packet-sniffing exercise," says Wood.


"Providing layer 2 encryption at the switch and router would make our activities a lot harder, and thus also the criminal's life in a real-world attack. Everyone is used to the idea of SSL for web-based transactions, but little thought is given to encrypting internal traffic or indeed to other types of traffic on the internet."

Encryption of network traffic by a gateway device is seen by many, including Cisco, as the best way to protect communications between local networks. Using a gateway means enterprise traffic is encrypted regardless of protocol, and it should reduce complexity because individual applications no longer each have to implement their own encryption.

Network-based encryption and application-layer encryption are not mutually exclusive either. They can be, and often are, used together, applying two layers of encryption to the same traffic.

Talking specifically about the network, Wood recommends enabling two types of protection: IPsec, which encrypts at the IP layer (layer 3) and so protects traffic end to end or between gateways, and MACsec (IEEE 802.1AE), which encrypts Ethernet frames hop by hop at the link layer (layer 2).


‘Heartbleed’ bug could undermine public trust in web

The "Heartbleed" software flaw that triggered alarm bells around the world could fundamentally undermine two decades' worth of efforts to persuade consumers they could trust the Web to securely handle such tasks as buying a pair of shoes and applying for a job.

The discovery of a gaping hole in a piece of software that was supposed to protect personal information from hackers left websites rushing to fix the bug while consumers struggled to understand what kind of risks they suddenly faced by venturing online.

That angst intensified, in part, because no one knows for sure just how much damage the Heartbleed bug had caused, or how widely hackers had managed to exploit it. Security researchers fear that it could take years to repair not just the bugs but also the trust of users.

"This is very bad, and the consequences are very scary now that it has been disclosed," said Phil Lieberman, president of Los Angeles security management firm Lieberman Software. "The fact that this code is on home and commercial Internet-connected devices on a global scale means that the Internet is a different place today."

Heartbleed is a flaw in OpenSSL, a library that provides the encryption for about two-thirds of all servers on the public Internet. For most people, that encryption shows up as the padlock icon next to the address field in a Web browser, which is supposed to signify that the password or credit card information typed into the website travels securely.

But the bug lets any hacker with the most basic of skills use a simple piece of software to pull pieces of a server's memory, which can include the IDs and passwords of a site's users, in just a few minutes. Word of the flaw burst into widespread public view Tuesday when Tumblr, which is owned by Yahoo Inc., disclosed that it had been affected and urged users to change their passwords.

In fact, the flaw was discovered several weeks ago by Neel Mehta, a security researcher at Google Inc., and by a team of security engineers at Codenomicon, a security firm that has since created a website with information about Heartbleed.

According to a person familiar with the details, Google immediately patched its own site and began notifying partners and the open-source community about the problem. In the meantime, two Google developers, Adam Langley and Bodo Moeller, helped develop a fix that was released Monday.

It appears the bug was introduced into OpenSSL by a simple programming mistake: a missing check that the length a peer claims for a TLS heartbeat message actually fits within the data it sent. The flawed code shipped in OpenSSL 1.0.1 in March 2012 and spread as websites around the world updated to that release, so the hole existed for about two years before it was found, security experts said.

In addition to updating OpenSSL, websites will need to replace their private keys and reissue the certificates that prove the site's identity to users, since the keys themselves may have been read out of memory. A reissued certificate that keeps the old key leaves the site exposed.


The Wall Street Journal: Heartbleed bug found in Cisco routers, Juniper gear

By Danny Yadron

The encryption bug that has the Internet on high alert also affects the equipment that connects the Web.

Cisco Systems Inc. and Juniper Networks Inc., two of the largest manufacturers of network equipment, said Thursday that some of their products contain the Heartbleed bug, meaning hackers might be able to capture user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet.

Many websites -- including those run by Yahoo Inc., Amazon.com Inc. and Netflix Inc. -- quickly fixed the hole after it was disclosed Monday. But Cisco and Juniper said the security flaw affects routers, switches and firewalls used in businesses and at home.

These devices likely will be more difficult to fix. The process involves more steps and businesses are less likely to check the status of network equipment, security experts said.

Bruce Schneier, a cybersecurity researcher and cryptographer, said, "The upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy."

To be sure, the products on retail shelves now were likely shipped before the bug was revealed on Monday, and may also contain the defective version of the encryption library, OpenSSL.

Companies often use firewalls and virtual private networks to protect their computer systems. But if the machines that run the firewalls and virtual private networks are affected by the Heartbleed bug, attackers could use them to infiltrate a network, said Matthew Green, an encryption expert at Johns Hopkins University.

Read the full article at WSJ.com.


Heartbleed bug may expose masses of sensitive data

By Danny Yadron

An encryption tool used by a large chunk of the Internet is flawed, potentially exposing reams of data meant to be hidden from prying eyes.


The bug, nicknamed Heartbleed by researchers at Google Inc. and cybersecurity firm Codenomicon, could have affected two-thirds of active websites when it was disclosed Monday, they said.

On Tuesday, website operators, including Yahoo Inc., raced to fix the problem. A Yahoo spokeswoman said the company had made the appropriate corrections. Several researchers said earlier that they had been able to capture Yahoo usernames and passwords.

Many other major websites, such as Google, Amazon.com Inc. and eBay Inc., appeared to be safe, based on a test created by a researcher for cybersecurity company Qualys Inc.

The bug lies in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. OpenSSL is maintained by four core European programmers, only one of whom works on it full time. The limited resources behind code so widely relied upon highlight a challenge for Web developers amid increased concern about hackers and government snoops.

Websites increasingly use encryption to mask data such as usernames, passwords and credit-card numbers. That prevents a hacker lurking at a coffee shop from grabbing personal information out of the air as it travels to a wireless router. The protocol that does this is SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security). When a website uses it, a padlock appears with the Web address in a browser.

Web servers running the affected versions of the code can be made to hand back pieces of their memory. Hackers can grab that data and reconstruct information about users, or recover the server's private key, which would let them impersonate the site and decrypt future traffic, and also decrypt recorded past traffic where the connection did not use a forward-secret key exchange.

"Anyone can reach out to the Internet and scoop out the data," said Thomas Ptacek, a researcher at Matasano Security in Chicago. "I can be in my office here. I can be in Estonia."
