digg user kinthiri explains:
Quantum cryptography is unbreakable because if any 3rd party views it that does not have the credentials and is not the intended recipient, the simple viewing of the encrypted data by that third party changes that data such that even the intended recipient can’t decrypt it. Thus they know that there is a 3rd party viewing the stream. Effectively the data self destructs if anyone attempts to intercept it or decrypt it. This is not a new phenomenon.

What is new is that its being used commercially. It had previously been used experimentally by the military in association with researchers, but this is the first time its been brought to life outside test environments and is available commercially.

The nature of quantum mechanics makes this truly unbreakable. You couldn’t even factor this using your own quantum computer, if you could even get one with enough qbits.

read more | digg story

The Internet has become an in disposable tool for research, commerce, art, education and virtually every part of modern life. It was the inquisitive, intelligent, intuitive and creative nature of humanity that created the Internet and its those same qualities that put individual systems linked directly to the Internet in peril. The three pillars of information security are at stake for all systems with connectivity to the Internet. The challenge is in the implementation of the necessary security controls to achieve those three pillars.

Confidentiality:

Confidentiality pertains to protecting sensitive information. Sensitive information can be anything from private user information to classified defense data. Many organization live and die by the protection of proprietary information from competitors. During wartime, the armed services literally LIVE or DIE based on how well certain sensitive information is guarded. In the US Department of Defense is called Operational Security. Since the Internet is a critical part of the DoD (and defense organizations around the world) the confidentiality is a HUGE challenge for their Information systems exposed to the Internet. Some of the threats to there systems include: social engineering, leaks of information and accidental release of sensitive data. All of these threats can be enabled via the Internet.

Organizations must educate their user who have access to sensitive information. I’ve heard some security professionals say that educating users is bad.

But if your users have access to sensitive information (and need to have that access to do their jobs) it is imperative that they not only know WHAT is sensitive, but WHO it can be give to, WHEN it can be shared, HOW it can be share and WHY it can be shared.

Integrity:

Data integrity is very important to all systems passing data on the Internet. Integrity has to do with whether or not the message on the other end of your connection is the same one you actually sent. Whether its your passwords being passed to your bank or the DoD passing data over the Internet, the integrity of the data is imperative. Its often taken for granted until, we are sending an email and the receiver says they got the email but the message can’t be read. Sometimes if the messages integrity is garbled or malformed it simply won’t reach its destination. If the integrity of a message can not be protected in some way or verified and checked, it is possible for someone to intercept your message, alter it, and send it on its way. Integrity is especially critical in banking and financial transactions which is why encryption and authentication take on such an important role for sensitive transactions such as ATM withdrawals, and online banking.

The challenge to maintaining Internet integrity is to ensure that link is encrypted when necessary.

Availability:

If there is no availability there is no mission, no business, no functionality. One of the major challenges of Internet security has been Denial of Services attacks. A Denial of Service attack is when your system on the Internet (or within a network) is flooded with useless traffic such that no one else (not even you) can use it. With a misconfiguration, a denial of service can happen by accident. Its important to test the availability of an online system. Its also a good practice to see what kind of availability and access you are giving. After all, too much availability can compromise the security of your system.

Most challenges of Internet security can tie into one or more of the big three: confidentiality, confidentiality or availability. With those in mind most challenges can be overcome. But the double edged sword of security.. the very nature of it on the Internet is to constantly change and evolve with the Internet. The constant change of threats to those three aspects of security is perhaps the biggest over arching challenge.

Its so good I don’t want to give anything AT ALL away, but I will mention one of cool technologies he makes up in the novel.  He talks about something called EGG.  Its basically an encryption software that not only protects against those trying to gain unauthorized entry, it tracks them and then goes after them.  It actually hacks the hackers. 

This is something that a friend talked to me about creating as a part of his PHD.  “Would that break some kind of law?”  I asked.  He was insistent that people should be able to protect themselves and I don’t totally disagree with that I’m just saying that I don’t think the law protects vigilantes.

Actually, a lawyer at Defcon 14 talked about that very issue when questioned.  And if I’m pretty certain he said it was illegal to hack someone even if they have hacked you. 

But in J. C. Hutchins’ world the PATRIOT ACT III allows the hack back feature of EGG to exist.

So anyway, all security geek stuff aside, its a really good story.  Highly recommended. 

Tags: jc, hutchins, egg, encryption, patiotact, patriot, act, securityfiction, killroy, killroy20, 7thson, clones

Back in March, it was reported that WAPI was rejected by ISO because China refused to disclose some details of the technology. This meant that ISO members weren't able to guarantee that WAPI did not allow backdoor access to encrypted material. — C|net News.com

The American 802.11i encryption is backed by Intel. China's wireless standard is now claiming that it is a conspiracy from the U.S. engineer's group. 

I think the Chinese have a ways to go on engineering at the level of quality that the Western world has set.  Just look at the safety rating that the JiangLing Landwind, China's first car to be sold in Europe.  It received a ZERO in safety, breaking the record for the lowest score ever by European saftey standards. 

I think the Chinese will eventually fine tune the process and beable to compete and even beat the European, American, and  Japanese companies but its just began to get into the real thick of capitolism, so like the JiangLing's safty feature (or lack there of) some of their standards and practices are stuck in the 20th century.  When this giant wakes up completely, they'll be no stopping them.  The spark and freedom of innovation at Western standards is all they need and then it will be all over.  They'll be to business and commerce what a team of Micheal Jordan clones would be to the NBA.  I suspect the same thing of India.  Its not so much brain power and work ethic (or which they have loads) as it is numbers of people.

read more | digg story

Some might say it is impossible to secure Internet2.  In some ways
I would say that they were correct.  Or let me put it this way, it
could be secured but I couldn't really be called the Internet any
more.  I guess if they did something like in which all systems
were connect with Peer to Peer VPN connections like Tor connections in
which all data is encrypted and digitally signed.  I suspect that
eventually even the encryption would get cracked  since all crypto
eventually meets its processor match.

It could be called the CryptoNet!  Anyone logging on would have to
sign on with a digital signature stored on some sort of Certifing
Authority (CA).  Of course, this would make it possible to do
MITM, man in the middle, attacks unless it was an enclave network in
which ALL nodes with IPs had to have a digital signature.

Such an implementation would greatly reduce the speed of connection but
would give incredible nonrepudiation, confidentiality, and
integrity.  The availability would suffer big time.

Frankly, a “CryptoNet” would only be good for all the important
transactions such as banks, hospitals and time sheets.  I would
not want something like that for 95% of what I do on the Internet.

Does anybody have any information on how I can get the hook up on “testing” the Internet2?

read more | digg story

Once again Google uses incredible engineering to create something that may just become number one yet another area of IT.  Google Adsense is doing so well that Yahoo and MSN are testing out similar content relevant ad scripts. 

Tor looks like it is much more secure that the Google implementation.  I mean VPN is pretty secure but Tor is ridiculously secure in that it uses software that uses each system it connects to as a seperate VPN which encrypts traffic at each point.  This makes the traffic very difficult (if not impossible to track) as EFF stores none of that data.  Google will hold the traffic data but claims that the data will be “personally unidentifiable” which means it can not be tracked back to any one person (at least that is how I understand it).

But I wonder what this VPN wireless project could mean in terms of practical use.  Will Google deploy in at Starbucks and Borders Book stores around the world?

read more | digg story

Common
knowledge has been that the less sophisticated small business operates
on a pricing sensitivity and is more apt to take advantage of
promotions, whereas the more sophisticated make security decisions
based on perceived business necessities. Overall, small businesses tend
towards waiting to implement internet security measures until after
suffering an email breach or informational leak. By this time privacy
and accompanying monetary loss may have already done irreparable harm
to a company's intellectual property and reputation. Large enterprise
solutions make it necessary to adopt complex IT infrastructures and
processes that are usually dependent on an IT staff – a solution that
does not fit well into the budgets of most small businesses.

According
to published reports in PCWorld.com, there are nearly 70 million small
businesses worldwide and over 20 million in the U.S. alone. Small
business is a major part of the global economy – that means it's time
to replace a general passivity towards the possible threats from email
and document theft with a look towards initiating security measures as
a business standard. The increasing level of security risk due to email
and intellectual property theft make it imperative for small businesses
to raise their level of security knowledge and investment.

Recent
studies show that although information security is a high concern for
small business owners, lack of actual knowledge and awareness of the
economic impact of security incidents is equally high. Imparting an
awareness to the small business community of the real threats in
regards to security vulnerability should be top priority. Through
education in this arena, small businesses can better enable them to not
only determine their own level of risk but also choose the necessary
email and document security solutions.

The responsibility of
raising awareness of security provisions needs to come not only from
governing agency reports, but also from security solution vendors.
Providers of business tool solutions are better equipped than any other
entity to position themselves as leaders in educating businesses on not
only the dangers but the appropriate basic security measures to
complement a small company infrastructure. Especially here, being
informed on which internet security products best suit a company need
is important as the needs of small businesses are vastly different than
that of enterprise businesses.

Look to numerous market survey and
analysis reports that specialize in studies on information security and
small business. A little research will show they repeatedly state the
same warning to small businesses – they need to change their attitude
towards security and begin adopting a security plan.

Taking the
time to gather information on creating good internet security practices
will lead to a decrease in the future cost of lost productivity, and by
educating your workforce you create an even wider prevention of
productivity loss.

Nan Schwarz, Director of Corporate Marketing
http://www.essentialsecurity.com

Schwarz
is the director of corporate marketing for Essential Security Software
and is responsible for worldwide creative marketing strategy and
execution, corporate branding, and public relations.

Essential
Security Software (ESS) is a provider of document and email security
solutions. ESS has developed a premier, easy-to-use, peer-to-peer
content protection and user rights management solution that enables
small business owners and individuals to securely distribute sensitive
email messages and documents while protecting the privacy, integrity
and authenticity of their intellectual property. ESS believes that
people have the right to affordable security software technology that
is powerful, flexible, and easy-to-use.

With technologies like wireless snowballing into a cultural phenomenon we suddenly can not live without, Federal Information Processing Standards are even more important.

If you are lucky enough to not have to know what FIPS I'll share some of the pain in plain english.  FIPS are all the federal documents addressing how  sensitive data will be processed.  Without these standards any government agency could use any kind of crypto they wanted with no regard of whether or not it is a SHA-1 that has just been cracked by the Chinese. 

See more FIPS

read more | digg story

Working from home while using a wireless local area network (WLAN) may lead to theft of sensitive information and criminal or virus infiltration unless proper measures are taken.  As WLANs send information over radio waves, someone with a receiver in your area could be picking up the transmission, thus gaining access to your computer. 

Criminal hackers and spammers could load viruses on to your laptop which could be transferred to the company's network when you go back to work.

Up to 40% of WLAN (see Wireless Attacks links below) users do not have standard security features installed, while 20 per cent are left completely open as default configurations are not secured, but made for the users to have their network up and running ASAP.

It is recommended that wireless router/access point setup be always done though a wired client.

Change default administrative password on wireless router/access point to a secured password.

Enable at least 128-bit WEP encryption on both card and access point. Change your WEP keys periodically. If equipment does not support at least 128-bit WEP encryption, consider replacing it.

Although there are security issues with WEP, it represents minimum level of security, and it should be enabled.

But how secure is WEP:

WEP Cracked in 10 Easy Steps (Video)

WEP Cracked in 10 Minutes (Video)

How to Crack WEP parts 1 & 2 (Tutorial)

WEP is not very secure but it is better than nothing.  Without it neighbors can accidently access your network that is being broadcast for all with reception.

Change the default SSID on your router/access point to a hard to guess name. Setup your computer device to connect to this SSID by default.

Setup router/access point not to broadcast the SSID. The same SSID needs to be setup on the client side manually. This feature may not be available on all equipment.

Block anonymous Internet requests or pings.

On each computer having wireless network card, network connection properties should be configured to allow connection to Access Point Networks Only. Computer to Computer (peer to peer) Connection should not be allowed.

Enable MAC filtering. Deny association to wireless network for unspecified MAC addresses. Mac or Physical addresses are available through your computer device network connection setup and they are physically written on network cards. When adding new wireless cards / computer to the network, their MAC addresses should be registered with the router /access point.

Network router should have firewall features enabled and demilitarized zone (DMZ) feature disabled.

You can test your hardware and personal firewalls using Shields Up test available at http://www.grc.com.

All computers should have a properly configured personal firewall in addition to a hardware firewall.

Update router/access point firmware when new versions become available.

Locate router/access point away from strangers so they cannot reset the router/access point to default settings.

Locate router/access point in the middle of the building rather than near windows to limit signal coverage outside the building.

While none of the measure suggested above provides full protection as countermeasures exist, a collection of suggested measures will act as a deterrent against attacker when other insecure networks represent easier targets.

Another more recent method of securing your system is WI-FI Protected Access (WPA).  Newer routers will have a wizard to assist users in setting up the WPA security.  Although WPA is more secure than WEP, it can also be hacked:

Crack WPA (WPA)

WPA2, recently released, offers a new hope for a very secure and trusted Wireless solution.  Unfortunately it may not work with older routers.

Wireless Attacks

http://www.eweek.com/article2/0,1759,1605143,00.asp

http://www.onlisareinsradar.com/archives/000624.php

http://www.pcmag.com/article2/0,1895,2345,00.asp