Topics on this page
Remember that if a system can have its cryptographic keys "recovered", you shouldn't rely on it to keep your information confidential! Beware commercial applications that claim to include methods for encrypting your files! There are tools that quickly break the toy "encryption" included in Microsoft Word, Microsoft Excel, WordPerfect, Quattro Pro, PKZIP, Paradox, Lotus 1-2-3, and many more. For tools to break this toy "encryption" see:
According to a Reuters story on 24 Dec 2002, the U.S. Transportation Security Administration foolishly relied on these toy systems, and anyone could download and decode "restricted" documents from their web server.
TrueCrypt has free open-source disk encryption for Windows, MacOS X, and Linux: http://www.truecrypt.org/
There are some disturbing holes in Microsoft's EFS (Encrypting File System) — see the details on my page on os-specific issues.
Absolutely no fault of Google, but some silly web administrators have misconfigured their servers. Instead of the web server being kept within the sandbox of /var/http/html (or wherever) on UNIX, or C:\inetpub on Windows, the server serves out everything on the disk.
Here's a whole page dedicated to clickable searches
like this:
http://johnny.ihackstuff.com/index.php?module=prodreviews
There are U.S. federal standards on how to overwrite media (typically magnetic, but also things like CD-RW) in a way that is considered secure. The short version is:
Something like all zeros, then all ones, then pseudo-random bits, and finally verify that you can read the same pseudo-random sequence back out. For more details on just how to do this on various types of media:
However, while NSA definitely is aware of DOD 5220.22-M and recommends its use, there is no such thing as "the NSA standard" or "the NSA method" above and beyond this. Just 3 overwrites (and then carefully destroy the media for maximum safety). Note that DOD services may have their own nomenclature for "DOD 5220.22-M".
If you really want to pursue this (because you think that your advisary is likely to apply atomic-force microscopy on your media to recover data after you overwrote it), read the 1996 paper: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html. Also be aware that physical disk geometry is automatically (and silently!) remapped by drive electronics during the media service life, meaning that sensitive data may have been written to spare cylinders. It can be difficult to verify that you are writing the patterns to all addressible locations. If you really care, use a hammer.
See CryptoHeaven for secure e-mail, online storage, and file sharing. Hmmm, shades of Neil Stevenson's cryptographic data haven in Cryptonomicon... http://www.cryptoheaven.com/
Secure MIME is gaining momentum as a standard for secure e-mail. See:
A proprietary solution for automated e-mail encryption is offered by WorldTalk, http://www.worldtalk.com
FIPS 140-1 specifies security requirements for cryptographic modules used by U.S. government agencies to secure unclassified but sensitive information. See:
Cryptek makes the DiamondNIC LAN card, certified at B2 by NSA, plus LAN and WAN hardware solutions: http://www.cryptek.com
Fortezza (tm) cryptographic cards are made by:
VPNet Technologies, +1-408-445-6000, makes encryption boxes that sit between your LAN and your router.
Certicom Corp, +1-905-507-4220, makes the Certifax 3000, a secure FAX machine. http://www.certicom.com/certifax
nCipher makes a PCI-bus cryptographic accelerator card. http://www.ncipher.com/
Atalla network encryption hardware is sold by Compaq, see http://www.atalla.com/
Also see the COMSEC section on another page.
Authentication and integrity are at least as important, or even more important, as confidentiality in some applications. See my networking monitoring/sniffing page for this category.
For secure voice links, get real hardware.
Do not trust the "voice-scrambling" units sold via ads in popular magazines! Trivial trivial trivial for anyone who understands analog circuit design. Click here for a circuit to both do that trivial "scrambling" and to break it.
Also see my page with some GSM COMSEC details.
It's hard to figure out the laws of one country, let alone several. To export from the U.S., January 2000 finally saw some loosening of U.S. laws, but do not assume that anything goes!
Now, where are you exporting it to? France and Russia (well, at least on paper...) require you to register cryptography, and don't allow import of strong cryptography. Israel, Singapore, and Hong Kong all have differing rules of their own. Germany and Malaysia seem to regulate digital authentication. Saudi Arabia simply bans all cryptography. If you have to do anything with multinational applications of cryptography, check out the excellent Koop's Crypto Law Survey at http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
Canadian export laws are found at: http://insight.mcmaster.ca/org/efc/pages/doc/crypto-export.html, and another (generally quite critical!) look at U.S. laws is at: http://www.eff.org/
Note carefully that the U.S. takes this very seriously indeed. I was caught up in an investigation into illegal arms trafficking based on export of Netscape, click here for the story. I wasn't in any trouble, but they heard that I'd seen it done. And the irony was that it was a U.S. government agency that was doing the violating...
Be very careful about reckless use of xhost! xspy is a tool for grabbing all keyboard and/or mouse input from an unsecured X display — click here to get a copy. This is very useful for convincing people of the insecurity of mis-used X! Make certain you understand xauthority, and avoid the reckless xhost +!
For the truth, see the RFC's and IETF documents describing secure IP. These are older documents and have been superceded by newer specifications, but they will be easier to understand as the explanation is simpler. Read these, and if that's not enough, then read the newer versions:
If you use PPTP, the Point-to-Point Tunneling Protocol,
do not use the Microsoft implementation,
which is now proven to be broken!
See:
— http://www.counterpane.com/pptp.html
— http://www.geek-girl.com/bugtraq/1999_1/0664.html
— http://oliver.efri.hr/~crv/security/bugs/NT/pptp2.html
Use the L2TP protocol instead.
There's a lot of concern over "spyware". To avoid most (but not all!) spyware, use any browser except for the horribly insecure Explorer. Most people like Mozilla's Firefox. Beware, browsers in general tend to be buggy (due to their complexity), they all have security problems, but because of both poor design and poor software production, Explorer has a much worse track record.
Most organizations find that preventing the use of Explorer solves much of their spyware/adware problems.
| Home Page | Site Map | Public Key |
|
|
|
|
|
|
| © Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache. Root password available here | ||||