Encryption

What is PGP Encryption?

Photo by Zan on Unsplash

PGP encryption (Pretty Good Encryption) is a data encryption program used to authenticate and provide cryptographic privacy for data transfers.

PGP encryption is used to secure all forms of data and digital transmissions. It’s capable of encrypting and decrypting:

Text messages

Emails

Computer files

Disk partitions

PGP is a quick-to-implement and cost-effective encryption method.

What’s the Difference Between PGP and OpenPGP

PGP was originally created to protect files posted on Bulletin Board Systems (BBS). This computerized messaging system allowed users to post messages onto a public message board using a dial-up modem. Bulletin Board Systems were used until the mid-nineties. The retirement of this technology led to PGP being sold multiple times before it was finally acquired by Symantec in 2010. OpenPGP (also known as Open-source PGP, was created by one of the PGP’s inventors, Phil Zimmerman, to overcome the patent restrictions preventing PGP’s liberal use. OpenPGP Standard is now the Internet Engineering Task Force (IETF) approved standard that permits any company to develop and sell PGP-compatible products. GoAnywhere Open is an example of one such solution that offers PGP encryption free of charge. GnuPG is a variant of OpenPGP. It’s also free, but its algorithm differs slightly from PGP. The downside to using this encryption standard over the Symantec-owned PGP is that it doesn’t come with technical support – the bane of all open-source software.

Benefits of PGP Encryption

PGP’s current popularity is due to its original availability as freeware and its long history – originally created in 1990. It’s now the standard form of encryption in finance, healthcare, technology, and other highly regulated industries.

PGP encryption offers the following security benefits:

Reduces the risk of data loss prevention.

Prevents information from being modified during the transfer.

Protects sensitive information from unauthorized access.

Allows the secure sharing of information with multiple parties.

Verifies the authenticity of email senders.

Prevents the recovery of deleted sensitive data.

Ensures email communications are not intercepted.

Protects emails from malicious compromise.

Very blunt learning curve – no training is required to achieve PGP encryption proficiency.

How Does PGP Encryption Work?

To secure sensitive data, PGP combines data compression, password hashing, symmetric-key cryptography, and public-key cryptography.

This feature list is a combination of two file encryption types:

Symmetric key encryption

Public-key encryption

The encryption algorithm can protect data in transit and at rest – especially when coupled with a threat detection solution. PGP assigns users at each end of the communication trajectory with randomly generated public and private keys. For sent messages to be successfully decrypted, they must be authenticated with specific private keys that only intended recipients will have.

The end-to-end process of PGP email security is described below:

Sender A requests to send Recipient B a secure email.

Recipient B generates a random PGP public key and private key.

Recipient B keeps the private key and transmits the public key to Sender A.

Sender A uses the recipient’s public key to encrypt the message before sending it.

Recipient B receives the encrypted message and decrypts it with its retained private key. ​

Recipient B reads the message.

This process prevents anyone without the correct key pair from decrypting intercepted messages.

December 29, 2024 by Cryptography 0

What are Best Practices for Data Security?

Photo by Dayne Topkin on Unsplash

Data security relies on defense-in-depth, so there are many parts to a best-in-class data security program. But what is sufficient in one industry may be criminally negligent in another.

Best practices should be adopted to achieve the industry’s minimal expected data security level.

1. Data Governance

Data governance is data management 101. Information is grouped into different buckets based on its sensitivity and legal requirements. To limit the risk of data exposure from leaked credentials, users should only have access to the least amount of data they need to do their job.

2. Secure Privileged Access Management

Secure Privileged Access Management (PAM) is integral to a data security strategy. PAM empowers organizations to control the permissions of all users so that sensitive data and intellectual property documentation are only accessible by those that absolutely require it. With a secure PAM strategy, cybercriminals will have difficulty accessing all sensitive data types if they breach an IT boundary. This is especially an important security control for highly regulated industries like healthcare.

3. Encryption

Encryption can protect against man-in-the-middle attacks and make it harder for potential attackers to gain unauthorized access to stored or in transit information. Never store sensitive data in plain text and avoid providing login credentials to websites that lack SSL certificates.

4. Education

Teach staff how to recognize common cyber threats to transform them into human firewalls Some of the most popular cyber threats staff should be aware of include: Phishing attacks, Email spoofing, Domain hijacking, Ransomware attacks, and Different forms of malware attacks, Social engineering attacks.

Besides cyberattacks, staff should also be trained in best cybersecurity practices such as avoiding public Wi-Fi networks and the basics of OPSEC and network security. The complexity of cyberattacks is rapidly rising, so it’s no longer acceptable to solely rely on antivirus programs to prevent malicious code injection. Cybersecurity train needs to become a standard inclusion in staff onboarding programs.

5. Data Security Testing

Test your organization’s data security by sending fake spearphishing campaigns and dropping USB traps around the office. Understand that it is easier to prevent data breaches than rely on digital forensics and IP attribution to understand what happened once a data breach has occurred. Once exposed, data can easily end up for sale on the dark web; many of the biggest data breaches end up there.

6. Incident Response Plan

When your security is compromised, the last thing your organization and your customers need is panic. An incident response plan can limit the amount of data exposed and outline clear next steps to recover lost data or close the attack vector.

7. Regular Data Backups

Ransomware attacks targeting data centers on-premises or accidental deletion devastated business continuity, but this can be avoided with regular backups and a Data Loss Prevention (DLP) program.

8. Secure Deletion

Avoid hoarding data no longer in use, including physical data like folders or paper documents. That said, comply with industry guidelines or regulations that dictate how long you must store data.

9. Third-Party and Fourth-Party Vendor Monitoring

Data breaches are often caused by poor security practices at third-party vendors; you need to monitor and rate your vendors’ security performance. An ideal solution should include a real-time automation component to security posture lapses to ensure that attack surface disturbances are rapidly addressed. According to the latest data breach report by IBM and the Ponemon Institute, automation controls could reduce data breach costs by up to 80%.

10. Accidental Data Exposures and Leaked Credentials Monitoring

Data isn’t always exposed on purpose; this is why it pays to continuously monitor your business for accidental data exposures and leaked credentials.

November 5, 2024 by Privacy 0

How to Store Data Securely on a USB Flash Drive

Photo by Lc on Unsplash

It is strongly advised that you avoid storing confidential information on a USB flash drive and choose more secure storage devices to ensure the safety of your data. The compact size of USB flash drives makes them convenient to carry but also increases the chances of losing or stealing them. This vulnerability poses a severe threat of data loss, leaks, and breaches, which can result in significant financial loss and damage to the reputation of organizations.

Using a flash drive, follow these 7 tips to secure your data.

  1. Buy an Encrypted USB.

Encryption secures sensitive data by making it accessible only to those with a decryption key. When purchasing a flash drive, opt for a military-grade one with 256-bit AES hardware encryption, the most robust algorithm.

Other features to look for in an encrypted USB flash drive include:

  • Tamper-proof protection
  • Anti-virus scanning
  • Brute-force protection
  • Password protection
  • TAA Compliance
  • Remote management capabilities
  • FIPS 140-2 Certification (Level 3)
  • Compliance with industry security standards, such as HIPAA, SOX, and GLBA.

2. Use USB Encryption Software.

Microsoft Windows users can use BitLocker to encrypt their flash drives instead of buying an encrypted flashdrive. Note that encryption hardware provides better security than software.

Microsoft’s instructions for enabling BitLocker are available below:

View instructions for enabling BitLocker in Windows 10
View instructions for enabling BitLocker in Windows 11‍

3. Have a Backup

You may only recover the stored data if your flash drive is recovered, stolen, or damaged. Even if a lost or stolen flash drive is returned, you shouldn’t use it again as it could potentially have ransomware or another type of malware installed. The best assurance of recovering the data on your flash drive is to have a backup of all files saved in another storage location, such as cloud storage.

4. Delete Data After Use.

After you have saved, edited, and transferred your data from a USB stick, it is recommended that you delete it immediately. You should then remove the flash drive from the USB port and store it securely to prevent any possibility of losing it or having it stolen.

5. Install Anti-Virus Protection

With different types of malware emerging daily, keeping your software up-to-date is crucial. Use antivirus software that offers malware protection across all endpoints, including hard drives, USB devices, and SD cards – one can infect all.

6. Keep Software Up to Date

Zero-day exploits take advantage of unpatched software vulnerabilities – a common attack vector that can have devastating consequences. Cybercriminals can easily access, edit, and steal data from vulnerable systems and devices, including USB storage. Installing software updates as soon as possible prevents cybercriminals from taking advantage of these vulnerabilities. Most operating systems, including Microsoft Windows, Mac OS / Apple iOS, and Linux, offer auto-updates to ensure you remain protected.

7. Use Alternative Storage Methods

Flash drives, there are better answers than not to take your data security seriously. Even the most secure USB drives differ from modern data storage methods, like cloud storage. Cloud services offer many innovative security features, such as the Secure Access Service Edge (SASE). SASE is a cloud security model that leverages firewalls, cloud access service brokers (CASBs), secure web gateways (SWG), and zero-trust network access (ZTNA). Cloud security mechanisms include Cloud Security Posture Management and Cloud Infrastructure Entitlement Management (CIEM).

Despite their strong security capabilities, like all third-party vendors, cloud services carry third-party risks and other risks specific to their functionality. Organizations and individuals must conduct due diligence to ensure their cloud providers are following appropriate data security requirements.

October 18, 2024 by Privacy 0

What is a Seedbox?

Photo by Taylor Vick on Unsplash

A seedbox is a dedicated, high-speed server for downloading and uploading files. Most people rent seedboxes to achieve very fast torrent or Usenet transfers. Typically, you will see speeds from 100Mbps (8 MB/s) to 10Gbps (1250 MB/s) on a seedbox.

A seedbox also allows you to avoid ISP throttling and bypass eavesdroppers like the RIAA or MPAA.

Today, there are many seedbox providers — most are run by individuals or small companies. These seedboxes have some of the best feedback from customers:

How To Use A Seedbox

Generally, seedboxes are set up so that you can install Usenet and torrent applications quite easily.

Once the files are downloaded to the seedbox, they can then be downloaded to your computer via HTTP, FTP, SFTP, or rsync protocols. You can also directly stream the media from the seedbox with an application like Plex.

Some seedboxes may provide VNC connection or remote desktop protocol on some Windows-based machines. This allows many popular clients to be run remotely.

Seedbox Providers

These are my recommended seedbox providers:

  • RapidSeedbox offers root access and many apps available as “one click installs” including Plex and OpenVPN. Accepts bitcoin, 14 day refund policy. €15 euro ($18 USD) month-to-month.
  • DediSeedbox also offers OpenVPN and Plex as a “one click” install. Root access to your own VPS. Good disk space allowances (1TB with the $15 per month plan).
August 18, 2023 by Privacy 0

Is AES secure?

Photo by FLY:D on Unsplash

In 2000, after a very thorough and open selection process, NIST announced that AES (formally known as Rijndael, after one of its creators) would replace DES as its recommended “unclassified, publicly disclosed encryption algorithm capable of protecting sensitive government information well into the next century.”

Based on NIST’s recommendation, the US government uses AES to secure its classified information:

“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require the use of either the 192 or 256 key lengths.”Brute force attacks

The most basic form of attack possible on any encryption cipher is a brute force attack, which involves trying every possible key combination until the correct one is found.

As we discuss in Privacy Decrypted #3: Can encryption be broken? Fugaku is currently the most powerful (known) supercomputer in the world. If it dedicated its entire output to the task, it would take Fugaku 12 trillion years to exhaust all possible combinations for AES-128.

AES-256 is 340 billion-billion-billion-billion times harder to brute force than AES-128. To put this into perspective, the universe is 14 billion years old. It is, therefore, safe to say that even at its lower bit sizes, AES is highly resistant to brute force attacks from conventional computers.

It is often theorized that when quantum computing becomes available, modern encryption algorithms will be rendered all but useless. There is truth in this when it comes to asymmetric-key ciphers, but symmetric-key ciphers are relatively quantum-resistant, although quantum computers still reduce the security of AES by half. This means AES-256 remains secure, but AES-128 is less so.

Brute force attacks, however, are not the only way to compromise an encryption algorithm.

Key attacks

Over the years, a number of theoretical attacks on AES keys have been published by cryptographers, but all of these are either unworkable in practice, or are only effective on AES implementations that use a reduced number of rounds (see below).

The most successful attempt was a biclique attack published in 2011 that can reduce the time needed to brute force AES by a factor of four. However, it would still require billions of years to brute force AES on any current or foreseeable computer hardware.

No known key attack is practical against properly implemented AES-128 or higher.

Side channel attacks

A side-channel attack attempts to reduce the number of combinations required to make a successful brute force attack by looking for clues from the computer performing the encryption calculations. Clues can be gleaned by examining:

Timing – how long a computer takes to perform an operation

Electromagnetic leaks

Audio cues

Visual cues (picked up using a high-resolution camera).

Cache-timing attacks, in particular, have proven to be quite effective at successfully cracking AES. In the most notable example, researchers in 2016 were able to recover an AES-128 key using “only about 6 – 7 blocks of plaintext or ciphertext (theoretically even a single block would suffice)”.

However, there are a number of things that can be done to mitigate against the threat of side-channel attacks:

Properly implemented AES can prevent ways that data can be leaked. Hardware that integrates the AES instruction set further reduces the side-channel attack surface of AES. Randomization techniques can be used to disrupt the relationship between data protected by AES and any leaked data that could be collected using a side-channel attack.

It is also worth noting that, in many cases, side-channel attacks require the attacker to have close proximity or physical access to the device as it decrypts data (although remote attacks are possible if malicious software is installed on a device, particularly in the case of timing attacks).

The human factor

Security is only as strong as its weakest point. There is little point in encrypting your data with AES-256 if you then secure it using the password “12345”. Social engineering attacks and keylogger viruses are also a threat to AES-encrypted data.

Use of a good password manager, anti-virus software, and improved education about cybersecurity are the best forms of defence against these kinds of attacks. Note that this kind of attack is only a risk if you encrypt your own data with a password.

May 15, 2023 by Cryptography 0

What’s the Difference Between 2FA and MFA?

Two-factor authentication (2FA) is multi-factor authentication (MFA). Both authentication solutions provide additional account security by requiring additional factors of authentication. To understand how exactly 2FA and MFA differ, it’s firstly important to understand the concepts of authentication and factors of authentication.

What is Authentication?

Authentication is a fundamental concept of identity access management (IAM) that enables a system to verify the identity of a user. Factors of authentication are security mechanisms that prove a user is who they claim to be before granting access. There are three types of authentication factors, including:

  • Knowledge factor (something you know): e.g., a one-time password (OTP), a personal identification number (PIN)/passcode, an answer to a security question

  • Possession factor (Something you have): e.g., a mobile device or another physical device, a fob, a hardware token (e.g., Yubikey), a security token/ security key

  • Inference factor (Something you are): e.g., biometrics, such as fingerprints, facial recognition, retina scan, voice recognition

Two-Factor Authentication vs. Multi-Factor Authentication

The definitions of two-factor and multi-factor authentication, and the differences between these security mechanisms, are listed below.

What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) that verifies end users’ identities based on two factors before granting access to online accounts. 

Below is an example of 2FA in action:

A user attempts to log in to an online service with their username and password.

The system confirms the login credentials are correct, prompting the second authentication factor.

The user receives a push notification (possession factor) to confirm they are attempting to log in. 

The user is redirected to the service’s login page and prompted to use facial recognition (biometric factor).

The system verifies the facial recognition attempt and grants access to the user.

2FA vs. MFA

Below is a summary of the difference between 2FA and MFA:

2FA is a subset of MFA

All instances of 2FA are instances of MFA. 

Not all instances of MFA are 2FA. 

MFA requires more pieces of evidence than 2FA to grant users access

Why are 2FA and MFA Important?

Most financial, healthcare, educational, and government institutions now facilitate online accounts. These service providers store personally identifiable information (PII), protected healthcare information (PHI), and other confidential information. Account protection once relied on single-factor authentication (SFA) methods – usually the use of passwords. These are no longer enough on their own. 

Cybercriminals in today’s threat landscape are highly specialized in gaining unauthorized access to sensitive data, especially via SFA logins. There are many techniques hackers can use to steal passwords and exploit users’ personal information for malicious purposes.

Standard password-stealing methods include:

Brute-force attacks: In this type of cyber attack, a hacker strategically guesses a user’s password until they crack the correct combination. This method has an exceptionally high success rate when users have weak passwords, e.g., birthdates.

Data leaks: A user/service accidentally expose sensitive data on the Internet, which a hacker finds and exploits to gain unauthorized access, e.g., a birthdate on LinkedIn. Leaked credentials from historical data breaches provide hackers an even easier attack vector. Despite its major security issues, many people still reuse the same passwords across different accounts. Attackers can use these compromised passwords across multiple accounts for the same user until they find a successful login combination. 

Keyloggers: Hackers install this type of malware on unsuspecting users’ systems. Keyloggers record keystrokes and read clipboard data on hacked devices, allowing hackers to steal passwords and other information which could allow unauthorized access.

2FA and MFA prevent cybercriminals from taking advantage of compromised passwords by relying on additional authentication methods. Unlike SFA, if a hacker steals a user’s password, they still can’t gain access to the user’s account. They’ll still have to provide at least one additional authentication – inherence or biometric –  something they are less likely capable of doing.

Is MFA More Secure Than 2FA?

Both 2FA and MFA are much more secure forms of authentication than single-factor authentication (SFA), relying on more than just a password. MFA is usually considered safer than 2FA as it provides the most layers of security against cyber criminals. However, the strength of an MFA solution depends on how secure its additional authentication methods are. 

For example, the possession factor of email and SMS verification codes is not as secure as other types of authentication. The abundance of phishing scams across both platforms and the ability to hack SIM cards create additional cybersecurity risks. MFA is most effective when it relies upon biometric authentication factors, which are unique to the user and difficult to replicate.

    January 26, 2023 by Cyber Security 0

    Insecure Cryptographic Storage

    Photo by Lia Trevarthen on Unsplash

    Encrypting stored data is a standard best practice for preventing unauthorized access to or use of sensitive information. Encryption takes information stored in a readable format, such as PlainText, then uses mathematical algorithms to scramble it, making it unreadable. Encryption typically requires an encryption key, which is the technology that applies the algorithm that scrambles the data and is also used to make the information readable again. However, the protection no longer works if someone finds the encryption key.

    The insecure cryptographic storage vulnerability means you have a problem with one or more of the following:

    • Not encrypting all sensitive data
    • Improper key storage and management
    • Easy to crack encryption algorithms
    • Internally-designed, untested algorithm
    January 12, 2023 by Cryptography 0

    What is an SSL Certificate?

    Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

    An SSL certificate (or TLS certificate) is a digital certificate that binds a cryptographic key to your organization’s details. Secure Sockets Layer (SSL) are cryptographic protocols designed to encrypt communication between a server and a web browser.

    While SSL certificates are installed server-side, there are visual cues in the browser that show SSL protection. If SSL is present, you may see https:// in the address bar, a padlock, a green address bar, or a combination of the three. SSL secures your connection to a web server and encrypts any transferred data. Encrypting data reduces the cybersecurity risk of man-in-the-middle attacks or many other cyber attacks. SSL has traditionally been used to secure credit card information on e-commerce sites, personal data transfers, and social media sites.

    Today, search engines like Google have called for HTTPS everywhere, even if websites don’t handle sensitive data or information like personally identifiable information (PII). HTTPS not only provides critical information security and data integrity but is a requirement for many new web browser features like progressive web apps (PWAs). What is Transport Layer Security (TLS)?

    Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Think of it as a more secure version of SSL. Despite new certificates using TLS (RSA or ECC), it remains common for security certificates to be referred to as SSL certificates.

    TLS, like SSL, provides privacy and data integrity between two or more communicating applications. When secured by TLS, connections between your browser and a server must have one or more of the following properties:

    The connection is secured by symmetric cryptography. The keys for symmetric encryption are unique to each connection, based on a shared search negotiated at the start of a session through a TLS handshake. The server and your browser negotiate the details of which encryption algorithm and cryptographic keys are used before data is transmitted. Negotiating a shared secret is secure (preventing eavesdropping) and reliable (no attacker can modify messages without being detected, preventing man-in-the-middle attacks).

    The identity of communicating parties can be authenticated using public-key cryptography. Public keys are disseminated widely, and private keys are only known to the owner. People can encrypt a message using the receiver’s public key, but only their private key can decrypt. Authentication can be optional but is generally required for at least one of the parties (typically the server).

    The connection is reliable because each transmitted message has integrity checked using a message authentication code (MAC), preventing undetected loss or manipulation of data. A MAC is a short piece of information used to confirm the message came from the stated sender and has not been changed. This protects data integrity and authenticity.

    In addition, the configuration of TLS can provide additional privacy-related benefits like forwarding secrecy. Forward secrecy ensures future disclosure of session keys only compromises a particular session. This is achieved by generating a unique key for each session, so the compromise of a single session key cannot affect the data exchanged in any other session.

    What is Hypertext Transfer Protocol Secure (HTTPS)?

    Hypertext Transfer Protocol Secure (HTTPS) is an extension of Hypertext Transfer Protocol (HTTP). It is used to securely transfer data over a network. In HTTPS, the communication is encrypted using TLS.

    HTTPS provides authentication of the accessed website, protecting the privacy and integrity of exchanged data. It also protects against man-in-the-middle attacks such as eavesdropping and tampering with transmitted data. Because HTTPS piggybacks HTTP on top of TLS, the entire HTTP protocol is encrypted, including the requested URL (the specific page requested), query parameters, headers, and cookies (which often contain identifying information about the user).

    The one thing that eavesdroppers can see is the website address and port numbers which are part of TCP/IP protocols and not protected by HTTPS. This means an eavesdropper can infer the IP address and port number of a web server (the domain name but not the specific page) that you are communicating with, as well as the amount of data transferred and session time.

    Modern web browsers know which HTTPS websites to trust based on pre-installed certificate authorities. Certificates authorities like Let’s Encrypt are trusted to provide valid certificates. This means HTTPS connections are only trusted if all the following are true:

    You trust your web browser correctly implements HTTPS with valid certificate authorities. You trust the certificate authority will only vouch for legitimate websites. The website you visit provides a valid certificate signed by a trusted certificate authority. The SSL certificate correctly identifies the website and not another entity. You trust SSL/TLS is sufficient to protect against eavesdroppers.

    December 29, 2022 by Application Security 0

    What Is AES encryption?

    Photo by Alex Motoc on Unsplash

    AES is a fast, efficient, and secure encryption standard. Certified by the National Institute of Standards and Technology (NIST), AES is used by the United States government to secure classified data.

    What does AES stand for?

    AES stands for Advanced Encryption Standard and is a symmetric-key cipher. There are two fundamental kinds of cipher algorithms:

    Asymmetric-key ciphers

    These use public-key cryptography to allow the secure exchange of keys over a distance (such as over the internet). Data is encrypted using a public key, which is made widely available, but which can only be decrypted using the correct private key (which only the intended recipient should possess). Asymmetric-key ciphers require a high level of computational power. This makes them relatively slow, and thus most useful for encrypting small amounts of data. RSA, for example, is an asymmetric cipher used to encrypt just the keys during the TLS exchange that occurs when connecting to an HTTPS website.

    Symmetric-key ciphers

    The same key is used to both encrypt and decrypt the data. There may sometimes be a simple transformation between the two keys, but they are always derived from the same key. Symmetric-key ciphers require much less processing power than asymmetric-key ciphers and are therefore often cited as being around 1,000 times faster. This makes symmetric-key ciphers ideal for encrypting large volumes of data. Where large amounts of data need to be transmitted over a distance (such as over the internet), the data itself is encrypted using a symmetric-key cipher, such as AES, while the key exchange is secured using an asymmetric-key cipher, such as RSA.

    June 15, 2022 by Cryptography 0

    Recent Comments

    No comments to show.