Posts Tagged ‘encrpytion’

RockYou’s Sour Rhapsody

January 31st, 2010

RockYou.com, once a successful major application developer for popular social networking websites like Facebook and MySpace, is now singing a different tune. While the technology company enjoyed great success toward the end of 2009 and secured a significant amount of funding for its projects, it experienced a major security breach as it was ushering in the New Year. As we mentioned in an earlier post, a ton of personal information was leaked. A simple SQL flaw in the database gave hackers and other clever computer geeks access to RockYou’s entire list of users and their passwords.

While outside database access is never a good thing, the situation could have gone a lot more smoothly for RockYou if it had protected its information using data encryption software. The company’s storage method was a little ridiculous. According to Techcrunch: “The database included a full list of unprotected plain text passwords. And email addresses!” Not only did the company fail to keep the database protected, it didn’t even try to secure its users’ private information! As you can imagine, the fiasco is still hurting RockYou. The site had to put up an apologetic security notice and send out messages to every user, asking them to change their password and informing them of the cyber attack.

The Rocky Future

Though RockYou has already suffered a serious blow to its reputation in the world of technology, the worst is yet to come. A class action lawsuit has been filed against the company, led by Alan Claridge. The complaint alleges:

“While some security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ personally identifiable information by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers…

It is anyone’s guess whether the case will be heard and tried in the courts (it’s more likely that RockYou will work out some sort of settlement agreement), but the damage is already done. As a business that appears to depend primarily on investors for capital, RockYou has lost its status as a secure corporation and is likely to have trouble in the future.

Lessons to be Learned

An interview with a person claiming to be the RockYou hacker points out a scary truth: 30% of websites store their users’ login information without encryption, keeping plain text passwords in their databases. While there’s no way to verify the statistic, its main message rings true. Most companies, even online businesses, are woefully unprepared for the dangers of the Internet. Full disk encryption, something that should have been standard for many years, is still unknown and unused by a multitude of companies.
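Disk encryption protects data at rest but not against a flaw in the live application, which reads the decrypted database; the complementary defence for a credential table is to store a salted, slow hash rather than the password itself. Below is an added example (not RockYou’s or Alertsec’s code) contrasting a plaintext table with hashed records; the iteration count and sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a plaintext credential table of the kind RockYou kept.
# Anyone who can read this table has every password immediately.
PLAINTEXT_TABLE = {"alice@example.com": "hunter2", "bob@example.com": "hunter2"}

# PBKDF2-HMAC-SHA256 parameters; the iteration count is an assumption for this example.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def hashed_table(plaintext_table: dict) -> dict:
    """Convert a plaintext table to hashed records, as a migration would."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}

def distinct_records(table: dict) -> int:
    """Number of distinct stored values; per-user salts keep equal passwords distinct."""
    return len(set(table.values()))

if __name__ == "__main__":
    hashed = hashed_table(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(user, record[:48] + "...")
    print("alice, correct password:", verify_password("hunter2", hashed["alice@example.com"]))
    print("alice, wrong password:", verify_password("hunter3", hashed["alice@example.com"]))
```

Note that alice and bob share a password, yet their stored records differ, so a leaked table reveals neither the passwords nor which users chose the same one.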

It’s best not to have a shocking wake-up call like the security team at RockYou did. Choosing to purchase encryption software before disaster strikes will help you avoid P.R. disasters and stay out of the courtroom. To try the proven technology we offer and protect your business, sign up for a free trial of Alertsec Xpress today!

Further Reading
RockYou Raises A Whopper – $50 Million In Venture Capital [Techcrunch]
Serious SQL flaw could have compromised millions of Rockyou.com users [Net-Security]
One Of The 32 Million With A RockYou Account? You May Want To Change All Your Passwords. Like Now. [Techcrunch]
Social Application Developer RockYou Sued After Data Breach [Softpedia]
RockYou Hacker: 30% of Sites Store Plain Text Passwords [ReadWriteWeb]

Breaking into BitLocker

January 27th, 2010

Windows 7, Microsoft’s latest snazzy operating system, comes pre-installed with BitLocker in its Enterprise and Ultimate editions. BitLocker is a hard drive encryption feature meant to help business users and customers who pay a premium enjoy a greater sense of security. BitLocker uses a combination of AES encryption in CBC mode and the Elephant diffuser to protect data. According to Microsoft TechNet, “BitLocker protects against data theft or exposure on computers that are lost or stolen, and offers more secure data deletion when computers are decommissioned.”

Unfortunately, that’s only part of the story; BitLocker isn’t quite as safe as Microsoft would like customers to think. In fact, just recently, software firm Passware released a tool which can essentially crack the encryption! BitLocker also lacks quite a few features that other providers offer and has several vulnerabilities. The BitLocker service is very new and fails to gain any sort of advantage over existing market leaders.

What Does Your Business Need?

If you’re managing an organization, you know that you have enough on your plate without having to worry about your computers’ security. You need a solution that works out-of-the-box, a proven and successful encryption service which keeps your private information safe and won’t give you any trouble. You need a standalone feature which can’t be exploited and works without any overly complicated set-up.

More importantly, you need a service provider which specializes in its field. Using security companies that work exclusively on encryption technology grants many advantages. Security solution providers who have worked in the field for many years can offer a much more complete service than businesses that offer encryption as a bonus feature.

BitLocker’s Weakness

An analysis of BitLocker from WindowsSecurity.com summarizes our thoughts on the product:

For organizations that take security more seriously this technology still needs to mature substantially before being able to be used with confidence.

BitLocker’s greatest weakness is its integration with the Windows 7 operating system. Unlike our computer encryption software, which works alongside your OS, the BitLocker feature is coded directly into it, making the service less secure. BitLocker’s dependence on the operating system login credentials can be exploited, as can its complicated volume structure. BitLocker also inexplicably stores the Master Key (used for data recovery) unprotected on the hard drive. It also fails to automatically back up recovery information, meaning that the process has to be done manually.

If you’re serious about your company’s security, it’s a much better idea to go with the full disk encryption we offer. We go beyond BitLocker’s capacities, fixing all of its quirks and providing customers with additional support. For example, we offer a 24/7 remote password reset service, something BitLocker has never even considered. It’s unsurprising that the Pointsec technology we offer is certified and can be used by governments or the military, while BitLocker has no third-party certification. In business, it’s best to play it safe and choose a product with a 20-year history and proven record, rather than experiment with an inferior one.

Further Reading

BitLocker Drive Encryption [Microsoft TechNet]
First commercial tool to crack BitLocker arrives [ars technica]
Endpoint Encryption – Is BitLocker Enough? [WindowsSecurity]

Social Networks, Spam & Data Security

January 26th, 2010

Barely a week ago, a Georgian family logged on to their AT&T mobile Facebook account only to gain access to a stranger’s Facebook profile. The glitch was apparently caused by a server software connectivity error. Another spam attack on Facebook was Koobface, a malware bot that took control of Facebook profiles and turned them into infectious zombies. The targets were lured into clicking on malicious links. In fact, these stories are classic examples of security breaches caused by access to social networking sites and related devices.

Social networking sites have really grown in popularity ever since the term Web 2.0 was coined by Tim O’Reilly. If we just look at Facebook’s numbers, it has grown by leaps and bounds and has now tripled its user base to 350 million. However, the rise of the social web also exposes us to an increasing risk of malicious attacks by spammers.

The latest 2009 security report released by Cisco does raise some security concerns: according to it, spam in 2010 will increase by 30% to 40%.

If we look at some of the past incidents, the report doesn’t spring much of a surprise:

  1. Last November, researchers at Symantec’s MessageLabs branch reported that the DonBot network had begun sending spam e-mail in large numbers, accounting for as much as four per cent of total global spam.
  2. At the beginning of this year, McAfee raised similar concerns.

The type of risks

There is a multitude of risks involved with activity on social networking sites. The worst is that your account credentials could be stolen, leading to severe consequences. If a social networking site is infected with a spam script and you pick it up, it could lead to gaps in your data security. At times these attacks are so threatening that even your state-of-the-art encryption software and computer security software cannot protect you.

Going back to Cisco’s security report, it also provides key input on the potentially devastating combination of minor vulnerabilities, poor user behaviour and outdated security software that can dramatically increase risks to network security.

According to Cisco fellow Patrick Peterson: “The blending of social media for business and pleasure increases the potential for network security troubles, and people, not technology, can often be the source.”

How to stay secure?

While it can be very hard to keep yourself away, a lot of common sense can help you avoid these risks from a user’s perspective.

  1. Never save your passwords on public computers.
  2. Do not post sensitive information such as credit card details or Facebook account details in public forums or groups.
  3. If you receive an e-mail invite from someone posing as your friend to join a social networking website, do not click on the link without cross-checking it.
  4. While on Facebook, do not install unverified applications or those released by unknown developers.
  5. Ideally, ignore friend requests from unknown users.
  6. Make sure the privacy settings on your favourite social networking site are set to an adequate level.
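The cross-check in item 3 can be partly automated: an invite whose visible link text names one site while its href points elsewhere is the classic lure. The following is an added example, not from the post or from Cisco, that flags such mismatched links; the sample invite HTML and the expected host name are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample invite (not a real message): the first link's visible text
# claims to go to facebook.com while its href points to a look-alike host.
SAMPLE_INVITE = """
<p>Your friend Bob invited you to join Facebook.</p>
<a href="http://login.faceb00k-invite.example/accept?u=123">http://www.facebook.com/confirm</a>
<a href="https://www.facebook.com/help">Help Center</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url: str) -> str:
    """Hostname of a URL; bare text like 'www.facebook.com/x' is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html: str, expected_host: str = "facebook.com") -> list:
    """Return links whose visible text names expected_host but whose href does not."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown, real = _host(text), _host(href)
        claims = shown == expected_host or shown.endswith("." + expected_host)
        actual = real == expected_host or real.endswith("." + expected_host)
        if claims and not actual:
            flagged.append((href, text))
    return flagged
```

Links whose text is ordinary words ("Help Center") are not judged here; the check only catches text that impersonates the expected site.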

You can download the full-version of Cisco’s security report from here.

Suggested reading links

Top 8 Social Media Security Risks
Social Networking will be target for hackers in 2010
Social Networking: Latest, Greatest Business Tool or Security Nightmare
