This is Mark Bower's Typepad Profile.
Mark Bower
Recent Activity
NIST, the US Government standards body, recently went on the public record with an update about the Format Preserving Encryption standards track process. Great news! Lots of progress made and the final steps are in play. Take a look here - http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html The update is in the last section. “NIST is developing a special publication to specify three modes for format preserving encryption based on the FFX framework: FFX-base, VAES3, and the analogous component of BPS. (See the FFX and BPS proposals on the modes development page.) A draft SP 800-38G is currently undergoing internal NIST review; a revised draft... Continue reading
Posted Feb 18, 2013 at Superconductor
Data breach regulations don’t go away do they? Like an annoyed bulldog they just get more aggressive. With the pain felt by governments world-wide from the one-two punch of critical infrastructure data breaches and the big costs to society and negative impact on consumer confidence, the response of increasing compliance requirements should surprise no-one. In the EU, ever stronger rules have been on the cards for a long time with plenty of open debate and analysis. Meanwhile, some jurisdictions like the UK embraced tighter breach notifications through the ICO and FSA. In the EU Telecoms sector, breach regulations took hold... Continue reading
Posted Feb 11, 2013 at Superconductor
The recently reported vulnerabilities in Java are of course a top concern for enterprises large and small. However, as reported by some of the media, there's a lot of confusion about what to do. The advice is to turn off Java in browsers until there's a fix. It's harder to do than you might think, due to having to open less-than-intuitive application control panels to adjust the Java install package settings. However, it is possible and there are good guides out there to show you how. Mind you, a lot of web-facing Internet applications (not web sites) use Java due... Continue reading
Posted Jan 22, 2013 at Superconductor
It’s amazing that just a few days into 2013 we see another potentially massive data breach on day 15! This time it’s in Canada, with healthcare related data at BC Health. Maybe 5 million records involved. This could be huge. You can read about it here. There are many unanswered questions springing up as this story emerges. However, I have to ask the obvious: Why is a major government department entrusted with oversight over millions of sensitive records unable to protect them from compromise and misuse when the tools to easily and quickly protect data are readily available? I suspect... Continue reading
Posted Jan 15, 2013 at Superconductor
Just before 2012 winds up and we merrily bring in the New Year, we have yet another breach of a database yielding thousands of identities, SSN’s, salaries, and address information. I bet 2013 isn’t going to be any different for most organizations still using outdated perimeter IT defense strategies to protect data - they’re proving transparent to advanced threats time and time again. This breach is a little different however due to the nature of the identities involved and has potential for high stakes social engineering attacks given the specifics of the data if reports are correct. You can read... Continue reading
Posted Dec 28, 2012 at Superconductor
I'm often asked about NIST standards and FFX AES - Format Preserving Encryption. These days, given the process of FPE standardization is well underway, we recommend people contact the good folks at NIST via the AES Modes contact page for further information. However, astute readers may already know that NIST is on the record about the FFX standardization process here at the bottom of the following page. http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html "NIST is currently developing an addition to the 800-38 series of Special Publications, which will specify schemes for format preserving encryption based on the FFX framework" It doesn't get clearer than that.... Continue reading
Posted Dec 14, 2012 at Superconductor
There's new malware on the loose targeting merchant point of sale systems (POS), often called the checkout or tills. Apparently the impact of this new "Dexter" virus is being felt world-wide. POS systems are often the weak link in the chain. They should be isolated from other networks, but often are connected. And as a checkout in constant use, they are less frequently patched and updated and thus vulnerable to all manner of malware compromise. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Continue reading
Posted Dec 12, 2012 at Superconductor
Many readers will be well aware of the NIST approval process around FFX Mode AES - Format Preserving Encryption. Due to the cryptanalysis, proofs and research behind it, it’s considered strong cryptography and will soon be part of a NIST AES mode standard - we suggest people check in with NIST if there are any doubts. Any vendors interested in learning more about using AES FFX in products or services should contact us here. With the recent spate of breaches in the news this week - TD Bank's unfortunate backup tape loss and disclosure to US MA and... Continue reading
Posted Oct 16, 2012 at Superconductor
This recent article on data breaches in CFO Magazine is aimed at - not surprisingly - the CFOs of SMBs. That’s a good thing – CFOs need to know that emerging corporate risks can be managed effectively. The article makes the claim that "Cybercrime isn’t a problem just for large companies. Here’s how smaller businesses can protect their computers and networks from data breaches." But is the challenge about protecting computers and networks or is it about protecting data? More on how SMBs can take a clever and easier approach to reducing cybercrime risk later in this post, but cybercrime... Continue reading
Posted Oct 9, 2012 at Superconductor
I came across this post talking about data residency challenges and cloud applications, and the importance of keeping cloud data safe. We recently ran a popular webinar on this topic and how to elegantly handle the challenge. There's lots of comment on these issues these days, but it seems that the industry still thinks that data at rest encryption solves data privacy problems in the cloud. The bottom line is that it solves only a fraction of the risk and compliance problem, leaving gaping holes in security that attackers will love, malware will exploit, and auditors will drive trucks through... Continue reading
Posted Oct 8, 2012 at Superconductor
A recent article in American Banker, Bank Data Breaches Are Stuff of Nightmares: Citi Exec, Julie Pukas, the global head of integrated payments at Citi made this interesting comment: "All of us have probably [experienced] one way or the other some type of data breach, and … it's probably what I wake up in the middle of the night thinking about, because it's really to some degree out of your control". While no doubt data breaches are a difficult challenge, getting control over the protection of your data is actually a lot less difficult these days even in complex payment... Continue reading
Posted Sep 27, 2012 at Superconductor
In the past few days there has been substantial media coverage over a rather serious flaw discovered by Esteban Martinez Fayo at Appsec in a current major database platform. All enterprises using Oracle 11G (release 1 and 2) databases need to be concerned - especially given the fact that this opens up another convenient attack point for malware in the datacenter or motivated insiders to steal the enterprise crown jewels - sensitive data. The method of attack has been covered quite extensively to date - along with industry concerns. http://www.securityweek.com/oracle-authentication-vulnerability-enables-trivial-password-cracking More details on this attack are due to be revealed... Continue reading
Posted Sep 25, 2012 at Superconductor
Today, Visa announced that they had joined the market trend that Voltage has pioneered in enabling end-to-end -- or point-to-point -- encryption for merchants and payment processors to secure payment data against breach risks. Nearly all of the top payment processors and several leading payment gateways in the US have already adopted a proven, independently analyzed solution based on a mode of AES called FFX. This approach has enabled merchants and processors to reduce risk and PCI scope by protecting sensitive data in storage, transmission, and processing. Visa's proposed solution raises some important unanswered questions. In particular, today’s announcement makes... Continue reading
Posted Aug 21, 2012 at Superconductor
On May 22, a physician's unencrypted personal laptop was stolen from Beth Israel Deaconess Medical Center (BIDMC). It contained information on ~4,000 patients. The organization is busy cleaning up the mess today. And, this breach has caused a "priority project" to be undertaken, which focuses on encrypting mobile devices (laptops, iPads and other tablets, etc.) at a cost of around $300,000. Encrypting the devices ("full disk encryption") seems to be the popular recommendation industry-wide. But is it the right approach? (See, for example, this post by John Halamka, MD, MS, Chief Information Officer of Beth Israel Deaconess Medical Center, Chief... Continue reading
Posted Jul 24, 2012 at Superconductor
In addition to Luther’s post on the topic, here’s how the recent Fujitsu results relate to our products and commentary from a world-wide recognized expert on pairing based cryptography - Prof. Dan Boneh. The bottom line is there is no impact to the security or strength of encryption to any of our product lines including Voltage SecureMail – the world’s easiest to use secure email encryption solution for enterprises, Voltage SecureData Payments – our market leading P2P Encryption solution used by top merchants and acquirers world-wide for PCI scope reduction, or Voltage SecureMail Cloud - our on-demand email and file... Continue reading
Posted Jun 21, 2012 at Superconductor