Encryption

Overheard - Data leak prevention market is hot

DLP, once seen as a quick-fix solution for reducing data breaches, is rapidly being recast as a core strategy for discovering sensitive information in the enterprise and controlling access to it. As that evolution occurs, DLP is increasingly becoming the spark that restarts previously stagnant data encryption projects. Tim Wilson, Encryption: DLP’s Newest Ingredient

DLP stand for data leak or data loss protection. It’s a more popular product name with vendors than the old name they tried in 2007, extrusion protection.  (What an awful name!)   As DLP products have evolved and been integrated with other security tools like desktop and mobile device management, DLP vendors have tried out other names including the very silly name, anti-employee theft prevention (who would want to steal an employee?).

But seriously,  the goal of any DLP product is to plug leaks by monitoring and documenting data as it leaves an organization.

In the past, you’d only find a DLP product at a network gateway in a large corporation.  Services industries, healthcare and insurance quickly jumped on the DLP bandwagon, motivated by compliance regulations –  but increasingly vendors are targeting the mid-market.  Forrester predicts that 20% of all small and mid-sized businesses (SMBs) will be shopping for a DLP solution in the next 12 months and 25% have already adopted email encryption, network storage encryption and data leak prevention.

Overheard: Hardware level encryption and EPO

A hot area for encryption right now is full disk encryption, in which every piece of data on a hard drive is encrypted. With all the laptops that get lost and stolen, there’s really no reason not to encrypt the hard drive. Elinor Mills, To encrypt or not? That is the question

Dell announced that they will be the first computer maker to ship a laptop with Seagate’s 160GB self-encrypting FDE hard drives.

In plain English, full disk encryption (FDE) means that all the data on your hard drive will be automatically encrypted.  To access data on the hard drive, you need a password.  If no password is provided, the hard drive stays locked down.  Encryption at the hardware (firmware) level is supposed to be less expensive and more efficient.

So what happens if you forget your password?

Well, Seagate teamed up with McAfee to create an enterprise-level security management software they’re calling ePO (enterprise policy orchestrator). If you’ve got a company laptop, your self-encrypting laptop can be unlocked by your IT department. If you’re a consumer, you’re on your own.

Overheard: The bigger the prime number, the more secure the encryption

Mathematicians at UCLA have discovered a 13 million-digit prime number, a long-sought milestone that makes them eligible for a $100,000 prize given out by the Electronic Frontier Foundation. The group found the 46th known Mersenne prime last month on a network of 75 computers running Windows XP. The number was then verified by a different computer system. Nuno Morgadinho, New Prime Number Discovered

What’s the big deal about finding very large prime numbers? Encryption.

RSA encryption is based on prime numbers — two prime numbers multiplied together. The original two prime numbers are known as your ‘private key’.  When you multiply them together, the product (a number that’s only divisible by one, itself and those two prime numbers) is called the ‘public key’.

Overheard: WEP and weak IVs

The problem arises when you have duplicate IV values. If an attacker knows the content of one of the packets he has the IV for, he can use the collision to extract the contents of the other packet. In other words, an attacker can decrypt data without ever knowing the password. Assuming an attacker can collect enough known IV-data matches, they can comprise the entire network. Seth Fogie, WPA Part 2: Weak IV’s

Overheard: PGP is just an envelope

Perhaps you think your E-mail is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don’t you always send your paper mail on postcards? Phil Zimmerman, Why do you need PGP?

Phil Zimmerman is an interesting guy. You may remember that the U.S. Attorney’s Office for the Northern District of California tried to put him in jail for making his email encryption program, Pretty Good Privacy, public. It was a crazy story.

So what’s he up to now? VoIP security.

Overheard: Using government Trojans to catch terrorists

The German Pirate Party just published some internal documents that show how Bavarian crime fighters want to get around Skype’s VOIP encryption: The plan is to trick suspects into installing trojan-like malware on their PCs that then captures Skype phone calls and forwards them to a remote server. Janko Roettgers, Bavarian police wants to use trojan malware to eavesdrop on Skype phone calls

On a related note, the U.S. government wants total access to Google search records.