Cryptography


Security Risk: The Device Formerly Known as Your Hard Drive

Guest editorial by Paul Roberts  In a weird kind of synchronicity, two stories recently have raised the specter of discarded (not merely misplaced) hard drives as the source of considerable consternation and legal wrangling. In the most serious incident, the Inspector General of the National Archives and Records Administration (NARA) launched an investigation into a potential data breach that could expose the personal information and health records of up to 70 million veterans.

How to Defeat Full-Disk Encryption in One Minute

Full-disk encryption is often heralded as a panacea to the huge problems of data breaches and laptop thefts, and with good reason. Making the data on a laptop or other device unreadable makes the machine far less attractive or valuable to a thief. However, researchers are showing that this solution has its share of weaknesses, too.


PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

“Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law,” company representatives wrote in an email sent to the hacker, Moxie Marlinspike. “Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.”  Read the full story [Dan Goodin/The Register]

Visa has announced new global best practices for data field encryption, also known as end-to-end encryption – a much-discussed solution in the wake of the Heartland Payment Systems breach.
Announced by the global credit card company on Monday, these best practices are designed to further the payment industry’s efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the “clear.”  Read the full story [govinfosecurity.com]

Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years. Read the full story [zdnet.com]. Also see this MIT Technology Review report on how cybercriminals managed to steal $447K despite the fact that two-factor authentication was in place.

Locked in a cat-and-mouse game with spammers who use bots to defeat anti-fraud mechanisms and create fake accounts, Google today announced a deal to acquire reCAPTCHA, a company that provides those squiggly words at login screens.
The ReCAPTCHA deal isn’t exactly a security transaction.  Strategically, it gives Google an excellent crowd-sourcing tool to beef up its already impressive machine-vision algorithms (think book-scanning and maps) but, in the long run, the ability to use CAPTCHAs that are near-impossible for bots to decipher allows Google to raise the bar significantly in the fight against bots and spam.

A pair of Japanese researchers have developed an improvement on an existing technique for attacking wireless LAN traffic that enables them to intercept and decrypt encrypted packets in about a minute, significantly lowering the barrier to entry for attackers looking to listen in on supposedly private connections.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.